Windows Analysis Report
1Ta6ojwHc6.exe

Overview

General Information

Sample name: 1Ta6ojwHc6.exe (renamed because original name is a hash value)
Original sample name: 3c85ad90afa66cd4c5d1cccf63adc862.exe
Analysis ID: 1586932
MD5: 3c85ad90afa66cd4c5d1cccf63adc862
SHA1: ed3e4c1e2c9d3d588c48a855cad21dfe0a556930
SHA256: 00564ed0e7500f4ed88ae136b1c140425556bf536c6bd8c6c74b7d9665d6fe20
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected DCRat
AI detected suspicious sample
Creates processes via WMI
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Drops PE files to the user root directory
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 1Ta6ojwHc6.exe (PID: 2000 cmdline: "C:\Users\user\Desktop\1Ta6ojwHc6.exe" MD5: 3C85AD90AFA66CD4C5D1CCCF63ADC862)
    • wscript.exe (PID: 5808 cmdline: "C:\Windows\System32\WScript.exe" "C:\Hypercontainer\vn0WDvdQhnymz38qOIXaYP3Vb.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 3424 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Hypercontainer\n880E6sbFEumx9tx.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • blockwin.exe (PID: 6520 cmdline: "C:\Hypercontainer\blockwin.exe" MD5: 3E2CA8A03A09E9232A24945D78E87398)
          • schtasks.exe (PID: 6728 cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\wininit.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1848 cmdline: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6460 cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5740 cmdline: schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Ease of Access Themes\DwPKagqBqZ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7060 cmdline: schtasks.exe /create /tn "DwPKagqBqZ" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\DwPKagqBqZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 3292 cmdline: schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Ease of Access Themes\DwPKagqBqZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2072 cmdline: schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\Documents\DwPKagqBqZ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 764 cmdline: schtasks.exe /create /tn "DwPKagqBqZ" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\Documents\DwPKagqBqZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2464 cmdline: schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\Documents\DwPKagqBqZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5508 cmdline: schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 11 /tr "'C:\Hypercontainer\DwPKagqBqZ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 3924 cmdline: schtasks.exe /create /tn "DwPKagqBqZ" /sc ONLOGON /tr "'C:\Hypercontainer\DwPKagqBqZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2364 cmdline: schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 13 /tr "'C:\Hypercontainer\DwPKagqBqZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4324 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows defender\en-GB\conhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6108 cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5824 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows defender\en-GB\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1708 cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7112 cmdline: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6768 cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2284 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\user\Contacts\WmiPrvSE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5460 cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\user\Contacts\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2464 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\user\Contacts\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5064 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\dtplugin\winlogon.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6692 cmdline: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\java\jre-1.8\bin\dtplugin\winlogon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2300 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\dtplugin\winlogon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4072 cmdline: schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\autoit3\AutoItX\DwPKagqBqZ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2072 cmdline: schtasks.exe /create /tn "DwPKagqBqZ" /sc ONLOGON /tr "'C:\Program Files (x86)\autoit3\AutoItX\DwPKagqBqZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5600 cmdline: schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\autoit3\AutoItX\DwPKagqBqZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2072 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\en-GB\WmiPrvSE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • DwPKagqBqZ.exe (PID: 1784 cmdline: C:\Hypercontainer\DwPKagqBqZ.exe MD5: 3E2CA8A03A09E9232A24945D78E87398)
  • DwPKagqBqZ.exe (PID: 2108 cmdline: C:\Hypercontainer\DwPKagqBqZ.exe MD5: 3E2CA8A03A09E9232A24945D78E87398)
  • wininit.exe (PID: 6448 cmdline: C:\Users\Default\wininit.exe MD5: 3E2CA8A03A09E9232A24945D78E87398)
  • wininit.exe (PID: 1276 cmdline: C:\Users\Default\wininit.exe MD5: 3E2CA8A03A09E9232A24945D78E87398)
  • cleanup
{"SCRT": "{\"H\":\"^\",\"W\":\"$\",\"n\":\")\",\"R\":\"`\",\"h\":\",\",\"S\":\"!\",\"U\":\"&\",\"k\":\"#\",\"6\":\"(\",\"C\":\"<\",\"T\":\"~\",\"M\":\"%\",\"B\":\"|\",\"J\":\".\",\"i\":\" \",\"L\":\"_\",\"4\":\"*\",\"I\":\">\",\"P\":\"@\",\"X\":\"-\",\"G\":\";\"}", "PCRT": "{\"l\":\",\",\"Q\":\"$\",\"N\":\"@\",\"Z\":\"`\",\"B\":\"-\",\"q\":\">\",\"S\":\"&\",\"s\":\"#\",\"n\":\"*\",\"U\":\"!\",\"F\":\"<\",\"M\":\"~\",\"a\":\"^\",\"y\":\"%\",\"k\":\";\",\"E\":\"|\",\"1\":\")\",\"r\":\"(\",\"v\":\" \",\"0\":\"_\",\"V\":\".\"}", "TAG": "", "MUTEX": "DCR_MUTEX-ceeiDTwwN45ZwZVx9f8M", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}
Source | Rule | Description | Author | Strings
00000021.00000002.2317735342.0000000003691000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000005.00000002.2213231030.00000000037BC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
0000001E.00000002.2317453208.00000000026D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
0000001E.00000002.2317453208.00000000026EC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
0000001B.00000002.2295439565.0000000002921000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

            System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Default\wininit.exe, CommandLine: C:\Users\Default\wininit.exe, CommandLine|base64offset|contains: , Image: C:\Users\Default\wininit.exe, NewProcessName: C:\Users\Default\wininit.exe, OriginalFileName: C:\Users\Default\wininit.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\Default\wininit.exe, ProcessId: 6448, ProcessName: wininit.exe
            Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Hypercontainer\blockwin.exe, ProcessId: 6520, TargetFilename: C:\Users\Default\wininit.exe
            Source: Process startedAuthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Users\Default\wininit.exe, CommandLine: C:\Users\Default\wininit.exe, CommandLine|base64offset|contains: , Image: C:\Users\Default\wininit.exe, NewProcessName: C:\Users\Default\wininit.exe, OriginalFileName: C:\Users\Default\wininit.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\Default\wininit.exe, ProcessId: 6448, ProcessName: wininit.exe
            Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Hypercontainer\vn0WDvdQhnymz38qOIXaYP3Vb.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Hypercontainer\vn0WDvdQhnymz38qOIXaYP3Vb.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\1Ta6ojwHc6.exe", ParentImage: C:\Users\user\Desktop\1Ta6ojwHc6.exe, ParentProcessId: 2000, ParentProcessName: 1Ta6ojwHc6.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Hypercontainer\vn0WDvdQhnymz38qOIXaYP3Vb.vbe" , ProcessId: 5808, ProcessName: wscript.exe
            Source: Process startedAuthor: vburov: Data: Command: C:\Users\Default\wininit.exe, CommandLine: C:\Users\Default\wininit.exe, CommandLine|base64offset|contains: , Image: C:\Users\Default\wininit.exe, NewProcessName: C:\Users\Default\wininit.exe, OriginalFileName: C:\Users\Default\wininit.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\Default\wininit.exe, ProcessId: 6448, ProcessName: wininit.exe

            Persistence and Installation Behavior

            Source: Process startedAuthor: Joe Security: Data: Command: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\wininit.exe'" /f, CommandLine: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\wininit.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Hypercontainer\blockwin.exe", ParentImage: C:\Hypercontainer\blockwin.exe, ParentProcessId: 6520, ParentProcessName: blockwin.exe, ProcessCommandLine: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\wininit.exe'" /f, ProcessId: 6728, ProcessName: schtasks.exe
            No Suricata rule has matched

            AV Detection

            Source: 1Ta6ojwHc6.exeAvira: detected
            Source: C:\Program Files\Windows Photo Viewer\en-GB\WmiPrvSE.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Hypercontainer\DwPKagqBqZ.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Users\Default\wininit.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\winlogon.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Hypercontainer\blockwin.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Program Files (x86)\Windows Defender\en-GB\conhost.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Hypercontainer\vn0WDvdQhnymz38qOIXaYP3Vb.vbeAvira: detection malicious, Label: VBS/Runner.VPG
            Source: C:\Users\user\AppData\Local\Temp\lpQRQ7w2Wz.batAvira: detection malicious, Label: BAT/Delbat.C
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exeAvira: detection malicious, Label: HEUR/AGEN.1323984
            Source: 00000005.00000002.2217147666.000000001330D000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: DCRat {"SCRT": "{\"H\":\"^\",\"W\":\"$\",\"n\":\")\",\"R\":\"`\",\"h\":\",\",\"S\":\"!\",\"U\":\"&\",\"k\":\"#\",\"6\":\"(\",\"C\":\"<\",\"T\":\"~\",\"M\":\"%\",\"B\":\"|\",\"J\":\".\",\"i\":\" \",\"L\":\"_\",\"4\":\"*\",\"I\":\">\",\"P\":\"@\",\"X\":\"-\",\"G\":\";\"}", "PCRT": "{\"l\":\",\",\"Q\":\"$\",\"N\":\"@\",\"Z\":\"`\",\"B\":\"-\",\"q\":\">\",\"S\":\"&\",\"s\":\"#\",\"n\":\"*\",\"U\":\"!\",\"F\":\"<\",\"M\":\"~\",\"a\":\"^\",\"y\":\"%\",\"k\":\";\",\"E\":\"|\",\"1\":\")\",\"r\":\"(\",\"v\":\" \",\"0\":\"_\",\"V\":\".\"}", "TAG": "", "MUTEX": "DCR_MUTEX-ceeiDTwwN45ZwZVx9f8M", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}
            Source: C:\Hypercontainer\DwPKagqBqZ.exeReversingLabs: Detection: 73%
            Source: C:\Hypercontainer\blockwin.exeReversingLabs: Detection: 73%
            Source: C:\Program Files (x86)\AutoIt3\AutoItX\DwPKagqBqZ.exeReversingLabs: Detection: 73%
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\winlogon.exeReversingLabs: Detection: 73%
            Source: C:\Program Files (x86)\Windows Defender\en-GB\conhost.exeReversingLabs: Detection: 73%
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exeReversingLabs: Detection: 73%
            Source: C:\Program Files\Windows Photo Viewer\en-GB\WmiPrvSE.exeReversingLabs: Detection: 73%
            Source: C:\Users\Default\wininit.exeReversingLabs: Detection: 73%
            Source: C:\Users\Public\Documents\DwPKagqBqZ.exeReversingLabs: Detection: 73%
            Source: C:\Users\user\Contacts\WmiPrvSE.exeReversingLabs: Detection: 73%
            Source: C:\Windows\Resources\Ease of Access Themes\DwPKagqBqZ.exeReversingLabs: Detection: 73%
            Source: 1Ta6ojwHc6.exeReversingLabs: Detection: 73%
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
            Source: C:\Program Files\Windows Photo Viewer\en-GB\WmiPrvSE.exeJoe Sandbox ML: detected
            Source: C:\Hypercontainer\DwPKagqBqZ.exeJoe Sandbox ML: detected
            Source: C:\Users\Default\wininit.exeJoe Sandbox ML: detected
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\winlogon.exeJoe Sandbox ML: detected
            Source: C:\Hypercontainer\blockwin.exeJoe Sandbox ML: detected
            Source: C:\Program Files (x86)\Windows Defender\en-GB\conhost.exeJoe Sandbox ML: detected
            Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exeJoe Sandbox ML: detected
            Source: 1Ta6ojwHc6.exeJoe Sandbox ML: detected
            Source: 1Ta6ojwHc6.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Hypercontainer\blockwin.exeDirectory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exe
            Source: C:\Hypercontainer\blockwin.exeDirectory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\7a0fd90576e088
            Source: C:\Hypercontainer\blockwin.exeDirectory created: C:\Program Files\Windows Photo Viewer\en-GB\WmiPrvSE.exe
            Source: C:\Hypercontainer\blockwin.exeDirectory created: C:\Program Files\Windows Photo Viewer\en-GB\24dbde2999530e
            Source: 1Ta6ojwHc6.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 1Ta6ojwHc6.exe
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeCode function: 0_2_00ECA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00ECA5F4
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeCode function: 0_2_00EDB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_00EDB8E0
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeCode function: 0_2_00EEAAA8 FindFirstFileExA,0_2_00EEAAA8
            Source: C:\Hypercontainer\blockwin.exeFile opened: C:\Users\user\Documents\desktop.ini
            Source: C:\Hypercontainer\blockwin.exeFile opened: C:\Users\user
            Source: C:\Hypercontainer\blockwin.exeFile opened: C:\Users\user\AppData\Local\Temp
            Source: C:\Hypercontainer\blockwin.exeFile opened: C:\Users\user\AppData
            Source: C:\Hypercontainer\blockwin.exeFile opened: C:\Users\user\AppData\Local
            Source: C:\Hypercontainer\blockwin.exeFile opened: C:\Users\user\Desktop\desktop.ini
            Source: global trafficTCP traffic: 192.168.2.5:55675 -> 162.159.36.2:53
            Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
            Source: blockwin.exe, 00000005.00000002.2213231030.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: DwPKagqBqZ.exe, 0000001E.00000002.2317453208.00000000026E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.

            System Summary

            Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeCode function: 0_2_00EC718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,0_2_00EC718C
            Source: C:\Hypercontainer\blockwin.exeFile created: C:\Windows\Resources\Ease of Access Themes\DwPKagqBqZ.exe
            Source: C:\Hypercontainer\blockwin.exeFile created: C:\Windows\Resources\Ease of Access Themes\94117282a3b79c
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeCode function: String function: 00EDE28C appears 35 times
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeCode function: String function: 00EDE360 appears 52 times
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeCode function: String function: 00EDED00 appears 31 times
            Source: blockwin.exe.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: winlogon.exe.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: DwPKagqBqZ.exe.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: WmiPrvSE.exe.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: DwPKagqBqZ.exe0.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: DwPKagqBqZ.exe1.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: DwPKagqBqZ.exe2.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: conhost.exe.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: explorer.exe.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: wininit.exe.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: WmiPrvSE.exe0.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: 1Ta6ojwHc6.exeBinary or memory string: OriginalFilenamelibGLESv2.dll4 vs 1Ta6ojwHc6.exe
            Source: classification engineClassification label: mal100.troj.evad.winEXE@39/28@1/0
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeCode function: 0_2_00EC6EC9 GetLastError,FormatMessageW,0_2_00EC6EC9
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeCode function: 0_2_00ED9E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_00ED9E1C
            Source: C:\Hypercontainer\blockwin.exeFile created: C:\Program Files (x86)\windows defender\en-GB\conhost.exe
            Source: C:\Hypercontainer\blockwin.exeFile created: C:\Users\Default\wininit.exe
            Source: C:\Users\Default\wininit.exeMutant created: NULL
            Source: C:\Hypercontainer\blockwin.exeMutant created: \Sessions\1\BaseNamedObjects\Local\404cb19fe7e32054f2c9f183ed965d792d791755
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3184:120:WilError_03
            Source: C:\Hypercontainer\blockwin.exeFile created: C:\Users\user\AppData\Local\Temp\PEDYWrhiYK
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Hypercontainer\n880E6sbFEumx9tx.bat" "
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeCommand line argument: sfxname0_2_00EDD5D4
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeCommand line argument: sfxstime0_2_00EDD5D4
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeCommand line argument: STARTDLG0_2_00EDD5D4
            Source: 1Ta6ojwHc6.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 1Ta6ojwHc6.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
            Source: C:\Hypercontainer\blockwin.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeFile read: C:\Windows\win.ini
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 1Ta6ojwHc6.exeReversingLabs: Detection: 73%
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeFile read: C:\Users\user\Desktop\1Ta6ojwHc6.exe
            Source: unknownProcess created: C:\Users\user\Desktop\1Ta6ojwHc6.exe "C:\Users\user\Desktop\1Ta6ojwHc6.exe"
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Hypercontainer\vn0WDvdQhnymz38qOIXaYP3Vb.vbe"
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Hypercontainer\n880E6sbFEumx9tx.bat" "
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Hypercontainer\blockwin.exe "C:\Hypercontainer\blockwin.exe"
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\wininit.exe'" /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Ease of Access Themes\DwPKagqBqZ.exe'" /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DwPKagqBqZ" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\DwPKagqBqZ.exe'" /rl HIGHEST /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Ease of Access Themes\DwPKagqBqZ.exe'" /rl HIGHEST /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\Documents\DwPKagqBqZ.exe'" /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DwPKagqBqZ" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\Documents\DwPKagqBqZ.exe'" /rl HIGHEST /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\Documents\DwPKagqBqZ.exe'" /rl HIGHEST /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 11 /tr "'C:\Hypercontainer\DwPKagqBqZ.exe'" /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DwPKagqBqZ" /sc ONLOGON /tr "'C:\Hypercontainer\DwPKagqBqZ.exe'" /rl HIGHEST /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 13 /tr "'C:\Hypercontainer\DwPKagqBqZ.exe'" /rl HIGHEST /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows defender\en-GB\conhost.exe'" /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\conhost.exe'" /rl HIGHEST /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows defender\en-GB\conhost.exe'" /rl HIGHEST /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exe'" /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exe'" /rl HIGHEST /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exe'" /rl HIGHEST /f
            Source: unknownProcess created: C:\Hypercontainer\DwPKagqBqZ.exe C:\Hypercontainer\DwPKagqBqZ.exe
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\user\Contacts\WmiPrvSE.exe'" /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\user\Contacts\WmiPrvSE.exe'" /rl HIGHEST /f
            Source: unknownProcess created: C:\Hypercontainer\DwPKagqBqZ.exe C:\Hypercontainer\DwPKagqBqZ.exe
            Source: unknownProcess created: C:\Users\Default\wininit.exe C:\Users\Default\wininit.exe
            Source: unknownProcess created: C:\Users\Default\wininit.exe C:\Users\Default\wininit.exe
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\dtplugin\winlogon.exe'" /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\java\jre-1.8\bin\dtplugin\winlogon.exe'" /rl HIGHEST /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\dtplugin\winlogon.exe'" /rl HIGHEST /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\autoit3\AutoItX\DwPKagqBqZ.exe'" /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\autoit3\AutoItX\DwPKagqBqZ.exe'" /rl HIGHEST /f
            Source: C:\Hypercontainer\blockwin.exeProcess created: unknown unknown
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: version.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: dxgidebug.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: sfc_os.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: sspicli.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: riched20.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: usp10.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: msls31.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: textshaping.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: wintypes.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: wintypes.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: wintypes.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: wldp.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: propsys.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: profapi.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: edputil.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: urlmon.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: iertutil.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: srvcli.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: netutils.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: policymanager.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: msvcp110_win.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: appresolver.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: slc.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: userenv.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: sppc.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: pcacli.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exeSection loaded: mpr.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dll
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
            Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: mscoree.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: apphelp.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: kernel.appcore.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: version.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: uxtheme.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: windows.storage.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: wldp.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: profapi.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: cryptsp.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: rsaenh.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: cryptbase.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: sspicli.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: amsi.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: userenv.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: ntmarta.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: wbemcomn.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: propsys.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: dlnashext.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: wpdshext.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: edputil.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: urlmon.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: iertutil.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: srvcli.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: netutils.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: windows.staterepositoryps.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: wintypes.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: appresolver.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: bcp47langs.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: slc.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: sppc.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: onecorecommonproxystub.dll
            Source: C:\Hypercontainer\blockwin.exeSection loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
            Source: C:\Hypercontainer\DwPKagqBqZ.exeSection loaded: mscoree.dll
            Source: C:\Hypercontainer\DwPKagqBqZ.exeSection loaded: apphelp.dll
            Source: C:\Hypercontainer\DwPKagqBqZ.exeSection loaded: kernel.appcore.dll
            Source: C:\Hypercontainer\DwPKagqBqZ.exeSection loaded: version.dll
            Source: C:\Hypercontainer\DwPKagqBqZ.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Hypercontainer\DwPKagqBqZ.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Hypercontainer\DwPKagqBqZ.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Hypercontainer\DwPKagqBqZ.exeSection loaded: uxtheme.dll
            Source: C:\Hypercontainer\DwPKagqBqZ.exeSection loaded: windows.storage.dll
            Source: C:\Hypercontainer\DwPKagqBqZ.exeSection loaded: wldp.dll
            Source: C:\Hypercontainer\DwPKagqBqZ.exeSection loaded: profapi.dll
            Source: C:\Hypercontainer\DwPKagqBqZ.exeSection loaded: cryptsp.dll
            Source: C:\Hypercontainer\DwPKagqBqZ.exeSection loaded: rsaenh.dll
            Source: C:\Hypercontainer\DwPKagqBqZ.exeSection loaded: cryptbase.dll
            Source: C:\Hypercontainer\DwPKagqBqZ.exeSection loaded: sspicli.dll
            Source: C:\Users\Default\wininit.exe Section loaded: mscoree.dll
            Source: C:\Users\Default\wininit.exe Section loaded: apphelp.dll
            Source: C:\Users\Default\wininit.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\Default\wininit.exe Section loaded: version.dll
            Source: C:\Users\Default\wininit.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\Default\wininit.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\Default\wininit.exe Section loaded: uxtheme.dll
            Source: C:\Users\Default\wininit.exe Section loaded: windows.storage.dll
            Source: C:\Users\Default\wininit.exe Section loaded: wldp.dll
            Source: C:\Users\Default\wininit.exe Section loaded: profapi.dll
            Source: C:\Users\Default\wininit.exe Section loaded: cryptsp.dll
            Source: C:\Users\Default\wininit.exe Section loaded: rsaenh.dll
            Source: C:\Users\Default\wininit.exe Section loaded: cryptbase.dll
            Source: C:\Users\Default\wininit.exe Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Hypercontainer\blockwin.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Hypercontainer\blockwin.exe Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exe
            Source: C:\Hypercontainer\blockwin.exe Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\7a0fd90576e088
            Source: C:\Hypercontainer\blockwin.exe Directory created: C:\Program Files\Windows Photo Viewer\en-GB\WmiPrvSE.exe
            Source: C:\Hypercontainer\blockwin.exe Directory created: C:\Program Files\Windows Photo Viewer\en-GB\24dbde2999530e
            Source: 1Ta6ojwHc6.exe Static file information: File size 4389494 > 1048576
            Source: 1Ta6ojwHc6.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: 1Ta6ojwHc6.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: 1Ta6ojwHc6.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: 1Ta6ojwHc6.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: 1Ta6ojwHc6.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: 1Ta6ojwHc6.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: 1Ta6ojwHc6.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 1Ta6ojwHc6.exe
            Source: 1Ta6ojwHc6.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: 1Ta6ojwHc6.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: 1Ta6ojwHc6.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: 1Ta6ojwHc6.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: 1Ta6ojwHc6.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe File created: C:\Hypercontainer\__tmp_rar_sfx_access_check_6831984
            Source: 1Ta6ojwHc6.exe Static PE information: section name: .didat
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Code function: 0_2_00EDE28C push eax; ret 0_2_00EDE2AA
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Code function: 0_2_00EDED46 push ecx; ret 0_2_00EDED59
            Source: C:\Hypercontainer\blockwin.exe Code function: 5_2_00007FF848E77F34 push edx; iretd 5_2_00007FF848E77F3B
            Source: C:\Hypercontainer\blockwin.exe Code function: 5_2_00007FF848E700BD pushad ; iretd 5_2_00007FF848E700C1
            Source: C:\Hypercontainer\DwPKagqBqZ.exe Code function: 27_2_00007FF848E67F34 push edx; iretd 27_2_00007FF848E67F3B
            Source: C:\Hypercontainer\DwPKagqBqZ.exe Code function: 27_2_00007FF848E600BD pushad ; iretd 27_2_00007FF848E600C1
            Source: C:\Hypercontainer\DwPKagqBqZ.exe Code function: 30_2_00007FF848E700BD pushad ; iretd 30_2_00007FF848E700C1
            Source: C:\Users\Default\wininit.exe Code function: 32_2_00007FF848E700BD pushad ; iretd 32_2_00007FF848E700C1
            Source: C:\Users\Default\wininit.exe Code function: 33_2_00007FF848E600BD pushad ; iretd 33_2_00007FF848E600C1

            Persistence and Installation Behavior

            Source: C:\Hypercontainer\blockwin.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Hypercontainer\blockwin.exe File created: C:\Users\Default\wininit.exe
            Source: C:\Hypercontainer\blockwin.exe File created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exe
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe File created: C:\Hypercontainer\blockwin.exe
            Source: C:\Hypercontainer\blockwin.exe File created: C:\Hypercontainer\DwPKagqBqZ.exe
            Source: C:\Hypercontainer\blockwin.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\winlogon.exe
            Source: C:\Hypercontainer\blockwin.exe File created: C:\Users\user\Contacts\WmiPrvSE.exe
            Source: C:\Hypercontainer\blockwin.exe File created: C:\Program Files (x86)\Windows Defender\en-GB\conhost.exe
            Source: C:\Hypercontainer\blockwin.exe File created: C:\Windows\Resources\Ease of Access Themes\DwPKagqBqZ.exe
            Source: C:\Hypercontainer\blockwin.exe File created: C:\Users\Public\Documents\DwPKagqBqZ.exe
            Source: C:\Hypercontainer\blockwin.exe File created: C:\Program Files\Windows Photo Viewer\en-GB\WmiPrvSE.exe
            Source: C:\Hypercontainer\blockwin.exe File created: C:\Program Files (x86)\AutoIt3\AutoItX\DwPKagqBqZ.exe

            Boot Survival

            Source: C:\Hypercontainer\blockwin.exe File created: C:\Users\Default\wininit.exe
            Source: C:\Hypercontainer\blockwin.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\wininit.exe'" /f
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Hypercontainer\blockwin.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Hypercontainer\DwPKagqBqZ.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\Default\wininit.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Hypercontainer\blockwin.exe Memory allocated: 1850000 memory reserve | memory write watch
            Source: C:\Hypercontainer\blockwin.exe Memory allocated: 1B300000 memory reserve | memory write watch
            Source: C:\Hypercontainer\DwPKagqBqZ.exe Memory allocated: D40000 memory reserve | memory write watch
            Source: C:\Hypercontainer\DwPKagqBqZ.exe Memory allocated: 1A920000 memory reserve | memory write watch
            Source: C:\Hypercontainer\DwPKagqBqZ.exe Memory allocated: D30000 memory reserve | memory write watch
            Source: C:\Hypercontainer\DwPKagqBqZ.exe Memory allocated: 1A6D0000 memory reserve | memory write watch
            Source: C:\Users\Default\wininit.exe Memory allocated: 2B80000 memory reserve | memory write watch
            Source: C:\Users\Default\wininit.exe Memory allocated: 1AE00000 memory reserve | memory write watch
            Source: C:\Users\Default\wininit.exe Memory allocated: 1760000 memory reserve | memory write watch
            Source: C:\Users\Default\wininit.exe Memory allocated: 1B690000 memory reserve | memory write watch
            Source: C:\Hypercontainer\blockwin.exe Thread delayed: delay time: 922337203685477
            Source: C:\Hypercontainer\DwPKagqBqZ.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\Default\wininit.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
            Source: C:\Hypercontainer\blockwin.exe Window / User API: threadDelayed 911
            Source: C:\Hypercontainer\blockwin.exe Window / User API: threadDelayed 1297
            Source: C:\Hypercontainer\DwPKagqBqZ.exe Window / User API: threadDelayed 366
            Source: C:\Hypercontainer\DwPKagqBqZ.exe Window / User API: threadDelayed 368
            Source: C:\Users\Default\wininit.exe Window / User API: threadDelayed 358
            Source: C:\Users\Default\wininit.exe Window / User API: threadDelayed 366
            Source: C:\Hypercontainer\blockwin.exe TID: 6220 Thread sleep count: 911 > 30
            Source: C:\Hypercontainer\blockwin.exe TID: 6508 Thread sleep count: 1297 > 30
            Source: C:\Hypercontainer\blockwin.exe TID: 1520 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Hypercontainer\DwPKagqBqZ.exe TID: 1708 Thread sleep count: 366 > 30
            Source: C:\Hypercontainer\DwPKagqBqZ.exe TID: 6444 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Hypercontainer\DwPKagqBqZ.exe TID: 6692 Thread sleep count: 368 > 30
            Source: C:\Hypercontainer\DwPKagqBqZ.exe TID: 3440 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\Default\wininit.exe TID: 3628 Thread sleep count: 358 > 30
            Source: C:\Users\Default\wininit.exe TID: 5664 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\Default\wininit.exe TID: 5248 Thread sleep count: 366 > 30
            Source: C:\Users\Default\wininit.exe TID: 4696 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\schtasks.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
            Source: C:\Windows\System32\schtasks.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
            Source: C:\Hypercontainer\blockwin.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Hypercontainer\DwPKagqBqZ.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\Default\wininit.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Code function: 0_2_00ECA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Code function: 0_2_00EDB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Code function: 0_2_00EEAAA8 FindFirstFileExA
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Code function: 0_2_00EDDD72 VirtualQuery,GetSystemInfo
            Source: C:\Hypercontainer\blockwin.exe File opened: C:\Users\user\Documents\desktop.ini
            Source: C:\Hypercontainer\blockwin.exe File opened: C:\Users\user
            Source: C:\Hypercontainer\blockwin.exe File opened: C:\Users\user\AppData\Local\Temp
            Source: C:\Hypercontainer\blockwin.exe File opened: C:\Users\user\AppData
            Source: C:\Hypercontainer\blockwin.exe File opened: C:\Users\user\AppData\Local
            Source: C:\Hypercontainer\blockwin.exe File opened: C:\Users\user\Desktop\desktop.ini
            Source: blockwin.exe, 00000005.00000002.2295886616.000000001D24C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
            Source: 1Ta6ojwHc6.exe, 00000000.00000003.2040982976.0000000003703000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}i
            Source: wscript.exe, 00000002.00000003.2127851166.00000000033AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: 1Ta6ojwHc6.exe, 00000000.00000003.2040982976.0000000003703000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: wscript.exe, 00000002.00000002.2129210492.00000000033EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&
            Source: wscript.exe, 00000002.00000002.2129210492.00000000033EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!!\!
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe API call chain: ExitProcess graph end node graph_0-24418
            Source: C:\Hypercontainer\blockwin.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Code function: 0_2_00EE866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Code function: 0_2_00EE753D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Code function: 0_2_00EEB710 GetProcessHeap
            Source: C:\Hypercontainer\blockwin.exe Process token adjusted: Debug
            Source: C:\Hypercontainer\DwPKagqBqZ.exe Process token adjusted: Debug
            Source: C:\Users\Default\wininit.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Code function: 0_2_00EDF063 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Code function: 0_2_00EDF22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Code function: 0_2_00EDEF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Hypercontainer\blockwin.exe Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Hypercontainer\vn0WDvdQhnymz38qOIXaYP3Vb.vbe"
            Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Hypercontainer\n880E6sbFEumx9tx.bat" "
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Hypercontainer\blockwin.exe "C:\Hypercontainer\blockwin.exe"
            Source: C:\Hypercontainer\blockwin.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Code function: 0_2_00EDED5B cpuid
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Code function: GetLocaleInfoW,GetNumberFormatW,0_2_00EDA63C
            Source: C:\Hypercontainer\blockwin.exe Queries volume information: C:\Hypercontainer\blockwin.exe VolumeInformation
            Source: C:\Hypercontainer\blockwin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Hypercontainer\blockwin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
            Source: C:\Hypercontainer\DwPKagqBqZ.exe Queries volume information: C:\Hypercontainer\DwPKagqBqZ.exe VolumeInformation
            Source: C:\Users\Default\wininit.exe Queries volume information: C:\Users\Default\wininit.exe VolumeInformation
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Code function: 0_2_00EDD5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle
            Source: C:\Users\user\Desktop\1Ta6ojwHc6.exe Code function: 0_2_00ECACF5 GetVersionExW
            Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\Hypercontainer\blockwin.exe Registry value created: PromptOnSecureDesktop 0
            Source: C:\Hypercontainer\blockwin.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

            Stealing of Sensitive Information

            Source: Yara match File source: 00000021.00000002.2317735342.0000000003691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.2213231030.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001E.00000002.2317453208.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001E.00000002.2317453208.00000000026EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001B.00000002.2295439565.0000000002921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000020.00000002.2320365641.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000020.00000002.2320365641.0000000002E3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.2213231030.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.2217147666.000000001330D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: blockwin.exe PID: 6520, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: DwPKagqBqZ.exe PID: 1784, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: DwPKagqBqZ.exe PID: 2108, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: wininit.exe PID: 6448, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: wininit.exe PID: 1276, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match File source: 00000021.00000002.2317735342.0000000003691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.2213231030.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001E.00000002.2317453208.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001E.00000002.2317453208.00000000026EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001B.00000002.2295439565.0000000002921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000020.00000002.2320365641.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000020.00000002.2320365641.0000000002E3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.2213231030.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.2217147666.000000001330D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: blockwin.exe PID: 6520, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: DwPKagqBqZ.exe PID: 1784, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: DwPKagqBqZ.exe PID: 2108, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: wininit.exe PID: 6448, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: wininit.exe PID: 1276, type: MEMORYSTR
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | 11 Scripting | Valid Accounts | 121 Windows Management Instrumentation | 1 Scheduled Task/Job | 11 Process Injection | 233 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 11 Scripting | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 131 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Bypass User Account Control | 11 Process Injection | NTDS | 41 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 3 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | 57 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Bypass User Account Control | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            [Behavior graph (ID 1586932): sample 1Ta6ojwHc6.exe, start date 09/01/2025, architecture WINDOWS, score 100]

            Source | Detection | Scanner | Label | Link
            1Ta6ojwHc6.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.Uztuby |
            1Ta6ojwHc6.exe | 100% | Avira | VBS/Runner.VPG |
            1Ta6ojwHc6.exe | 100% | Joe Sandbox ML | |

            Source | Detection | Scanner | Label | Link
            C:\Program Files\Windows Photo Viewer\en-GB\WmiPrvSE.exe | 100% | Avira | HEUR/AGEN.1323984 |
            C:\Hypercontainer\DwPKagqBqZ.exe | 100% | Avira | HEUR/AGEN.1323984 |
            C:\Users\Default\wininit.exe | 100% | Avira | HEUR/AGEN.1323984 |
            C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\winlogon.exe | 100% | Avira | HEUR/AGEN.1323984 |
            C:\Hypercontainer\blockwin.exe | 100% | Avira | HEUR/AGEN.1323984 |
            C:\Program Files (x86)\Windows Defender\en-GB\conhost.exe | 100% | Avira | HEUR/AGEN.1323984 |
            C:\Hypercontainer\vn0WDvdQhnymz38qOIXaYP3Vb.vbe | 100% | Avira | VBS/Runner.VPG |
            C:\Users\user\AppData\Local\Temp\lpQRQ7w2Wz.bat | 100% | Avira | BAT/Delbat.C |
            C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exe | 100% | Avira | HEUR/AGEN.1323984 |
            C:\Program Files\Windows Photo Viewer\en-GB\WmiPrvSE.exe | 100% | Joe Sandbox ML | |
            C:\Hypercontainer\DwPKagqBqZ.exe | 100% | Joe Sandbox ML | |
            C:\Users\Default\wininit.exe | 100% | Joe Sandbox ML | |
            C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\winlogon.exe | 100% | Joe Sandbox ML | |
            C:\Hypercontainer\blockwin.exe | 100% | Joe Sandbox ML | |
            C:\Program Files (x86)\Windows Defender\en-GB\conhost.exe | 100% | Joe Sandbox ML | |
            C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exe | 100% | Joe Sandbox ML | |
            C:\Hypercontainer\DwPKagqBqZ.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat |
            C:\Hypercontainer\blockwin.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat |
            C:\Program Files (x86)\AutoIt3\AutoItX\DwPKagqBqZ.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat |
            C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\winlogon.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat |
            C:\Program Files (x86)\Windows Defender\en-GB\conhost.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat |
            C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat |
            C:\Program Files\Windows Photo Viewer\en-GB\WmiPrvSE.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat |
            C:\Users\Default\wininit.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat |
            C:\Users\Public\Documents\DwPKagqBqZ.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat |
            C:\Users\user\Contacts\WmiPrvSE.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat |
            C:\Windows\Resources\Ease of Access Themes\DwPKagqBqZ.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat |
            No Antivirus matches
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
            15.164.165.52.in-addr.arpa | unknown | unknown | false | | high
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://www.w3. | DwPKagqBqZ.exe, 0000001E.00000002.2317453208.00000000026E8000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | blockwin.exe, 00000005.00000002.2213231030.0000000003301000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    No contacted IP infos
                    Joe Sandbox version:42.0.0 Malachite
                    Analysis ID:1586932
                    Start date and time:2025-01-09 19:11:10 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 8m 3s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:43
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:1Ta6ojwHc6.exe
                    renamed because original name is a hash value
                    Original Sample Name:3c85ad90afa66cd4c5d1cccf63adc862.exe
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@39/28@1/0
                    EGA Information:
                    • Successful, ratio: 16.7%
                    HCA Information:Failed
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 4.245.163.56, 40.69.42.241, 20.242.39.171, 52.165.164.15, 20.109.210.53, 23.56.254.164, 13.107.253.45
                    • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target DwPKagqBqZ.exe, PID 1784 because it is empty
                    • Execution Graph export aborted for target DwPKagqBqZ.exe, PID 2108 because it is empty
                    • Execution Graph export aborted for target blockwin.exe, PID 6520 because it is empty
                    • Execution Graph export aborted for target wininit.exe, PID 1276 because it is empty
                    • Execution Graph export aborted for target wininit.exe, PID 6448 because it is empty
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: 1Ta6ojwHc6.exe
                    Time | Type | Description
                    19:12:15 | Task Scheduler | Run new task: conhost path: "C:\Program Files (x86)\windows defender\en-GB\conhost.exe"
                    19:12:15 | Task Scheduler | Run new task: conhostc path: "C:\Program Files (x86)\windows defender\en-GB\conhost.exe"
                    19:12:15 | Task Scheduler | Run new task: DwPKagqBqZ path: "C:\Hypercontainer\DwPKagqBqZ.exe"
                    19:12:15 | Task Scheduler | Run new task: DwPKagqBqZD path: "C:\Hypercontainer\DwPKagqBqZ.exe"
                    19:12:15 | Task Scheduler | Run new task: wininit path: "C:\Users\Default\wininit.exe"
                    19:12:15 | Task Scheduler | Run new task: wininitw path: "C:\Users\Default\wininit.exe"
                    19:12:17 | Task Scheduler | Run new task: explorer path: "C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exe"
                    19:12:18 | Task Scheduler | Run new task: explorere path: "C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exe"
                    19:12:18 | Task Scheduler | Run new task: winlogon path: "C:\Program Files (x86)\java\jre-1.8\bin\dtplugin\winlogon.exe"
                    19:12:18 | Task Scheduler | Run new task: winlogonw path: "C:\Program Files (x86)\java\jre-1.8\bin\dtplugin\winlogon.exe"
                    19:12:18 | Task Scheduler | Run new task: WmiPrvSE path: "C:\Program Files\Windows Photo Viewer\en-GB\WmiPrvSE.exe"
                    19:12:18 | Task Scheduler | Run new task: WmiPrvSEW path: "C:\Program Files\Windows Photo Viewer\en-GB\WmiPrvSE.exe"
                    No context
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    bg.microsoft.map.fastly.net | Nuevo-orden.xla.xlsx | malicious | Unknown | 199.232.214.172
                    bg.microsoft.map.fastly.net | Appraisal-nation-Review_and_Signature_Request46074.pdf | malicious | Unknown | 199.232.214.172
                    bg.microsoft.map.fastly.net | new.bat | malicious | Unknown | 199.232.210.172
                    bg.microsoft.map.fastly.net | MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5.zip | malicious | Unknown | 199.232.210.172
                    bg.microsoft.map.fastly.net | JB#40044 Order.exe | malicious | MassLogger RAT | 199.232.210.172
                    bg.microsoft.map.fastly.net | bc7EKCf.exe | malicious | StormKitty | 199.232.210.172
                    bg.microsoft.map.fastly.net | GT98765009064.xlsx | malicious | Unknown | 199.232.214.172
                    bg.microsoft.map.fastly.net | SmartDeploy.exe | malicious | Unknown | 199.232.210.172
                    bg.microsoft.map.fastly.net | 82eqjqLrzE.exe | malicious | AsyncRAT | 199.232.214.172
                    bg.microsoft.map.fastly.net | EEdSGSana5.exe | malicious | AsyncRAT | 199.232.210.172
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:ASCII text, with very long lines (813), with no line terminators
                    Category:dropped
                    Size (bytes):813
                    Entropy (8bit):5.889632322787568
                    Encrypted:false
                    SSDEEP:12:2B9qVD01WGCfWmvHkBlz9Cck1g7J0YG4E0J5+qNrJceuO98wQuFhnmC/1QdWqlVI:2vuAcEDzockORFjvBuO97QuLOdWetU
                    MD5:D76E62791009477F6C66DE082927A2DD
                    SHA1:098E439C85B9927F00190BB2DF6C252AABE6EA90
                    SHA-256:D0FF5DA9B4C7ADD5DF8132F69A9C1D602C2285E73A2ED43CB6AE5364D00D86A9
                    SHA-512:034E698FDD1E52B15FBF41918979AE593BD4B3AA8081FA7504C1825CACBAEE41B73F206B4A7283F8C73014E658804FA3BE535519B96AC1B95AE412772F7D232D
                    Malicious:false
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):3900928
                    Entropy (8bit):7.809825110103827
                    Encrypted:false
                    SSDEEP:98304:SBi6P/9/7w3zThAILRk5/919K6K2ze2jI:SV9/7azT+ILcxKR2fjI
                    MD5:3E2CA8A03A09E9232A24945D78E87398
                    SHA1:26C4F20FE3FBFE14F27611C949CA7989ECF7DBD8
                    SHA-256:64E73FFBA3CBF8754B24831016A6A9CE43A1E0B111B898F528E7BE65F88A5357
                    SHA-512:9E7AD75B2D2689AE92A843A50180DF34D04B3728A1783C8F9D3DD2DD725E68290E32E022CB0129732B2FC968807AA07A9E91FC25C4F5FB0A0A1BBA61F44DBF6C
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 74%
                    Process:C:\Users\user\Desktop\1Ta6ojwHc6.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):3900928
                    Entropy (8bit):7.809825110103827
                    Encrypted:false
                    SSDEEP:98304:SBi6P/9/7w3zThAILRk5/919K6K2ze2jI:SV9/7azT+ILcxKR2fjI
                    MD5:3E2CA8A03A09E9232A24945D78E87398
                    SHA1:26C4F20FE3FBFE14F27611C949CA7989ECF7DBD8
                    SHA-256:64E73FFBA3CBF8754B24831016A6A9CE43A1E0B111B898F528E7BE65F88A5357
                    SHA-512:9E7AD75B2D2689AE92A843A50180DF34D04B3728A1783C8F9D3DD2DD725E68290E32E022CB0129732B2FC968807AA07A9E91FC25C4F5FB0A0A1BBA61F44DBF6C
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 74%
                    Process:C:\Users\user\Desktop\1Ta6ojwHc6.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):32
                    Entropy (8bit):4.226409765557392
                    Encrypted:false
                    SSDEEP:3:I5TEM0XtOl:IvT
                    MD5:1FE47A1F963B69D57E6EA01CD6153758
                    SHA1:2F4FA015C8558811C0928F9DC4E919609A3364C3
                    SHA-256:2974AC71A1C7925397CA4BBAD37392F1FDDE5DBDFAD8F7F96ACB85A1877CAA13
                    SHA-512:69318CBCE7B6B65F29AA6835079ACA0222806D28DC053D4BDC5148FF48CB5D16315726C77DBDECE621B15E7FF2B61D80182CECBBCCAA1080F2353D053A2D0970
                    Malicious:false
                    Preview:"C:\Hypercontainer\blockwin.exe"
                    Process:C:\Users\user\Desktop\1Ta6ojwHc6.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):207
                    Entropy (8bit):5.661851103802725
                    Encrypted:false
                    SSDEEP:6:GLwqK+NkLzWbHhE18nZNDd3RL1wQJRLu8QLkEs:GiMCzWLy14d3XBJlMQ7
                    MD5:8B836240F8332ED3AEA9A1A7F923A808
                    SHA1:036CD5A0AB5DDAE9D53F66111E408CA315308505
                    SHA-256:007155D2A8AF49EF8544C930D7E3B860EF796F788544AA118ED61C0EF80AE579
                    SHA-512:67A96622F17C0A0146F71F22A3EC4A2851398CBCC2D8883EB5B0B4546AC4CBB2894FD1ACF303AEDF0A9932E7A6AA3AE0E45491EE5AAAC0DF6D7B0196EB49747F
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:ASCII text, with very long lines (904), with no line terminators
                    Category:dropped
                    Size (bytes):904
                    Entropy (8bit):5.900319852623131
                    Encrypted:false
                    SSDEEP:24:hovGXzJW+XaLW1K3EhP2E4BKLuEzGVggvzR2Re8Mo/klMjCJn:wOzJW+Xaiw3Ehr4BKLQRv92ReBoclMjK
                    MD5:E1E32FB8FE4AE67439DCB981C5169E10
                    SHA1:A7F7E19D4EE44BFADCF4CCB14944F459DC764E5E
                    SHA-256:8230E86651A1DA271306214682AF65D2C21874542D386DDA409207BEA363B7A1
                    SHA-512:1CBE3D0932E1122CD13FCCDC748984FF5B21AEEFE3B4A4C015467036948F840670903F8D91963D3C503DA6EAE8328F69B99760FE229AD9B9A3408CDE9290284D
                    Malicious:false
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):3900928
                    Entropy (8bit):7.809825110103827
                    Encrypted:false
                    SSDEEP:98304:SBi6P/9/7w3zThAILRk5/919K6K2ze2jI:SV9/7azT+ILcxKR2fjI
                    MD5:3E2CA8A03A09E9232A24945D78E87398
                    SHA1:26C4F20FE3FBFE14F27611C949CA7989ECF7DBD8
                    SHA-256:64E73FFBA3CBF8754B24831016A6A9CE43A1E0B111B898F528E7BE65F88A5357
                    SHA-512:9E7AD75B2D2689AE92A843A50180DF34D04B3728A1783C8F9D3DD2DD725E68290E32E022CB0129732B2FC968807AA07A9E91FC25C4F5FB0A0A1BBA61F44DBF6C
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 74%
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:ASCII text, with very long lines (543), with no line terminators
                    Category:dropped
                    Size (bytes):543
                    Entropy (8bit):5.876113861127112
                    Encrypted:false
                    SSDEEP:12:H49CtSdb8D05HByuNQkeVZAbgd7xgMTP0:H49CYwD0lWkoZAbgdHD0
                    MD5:ABD45C773563C681721D61E556EE2602
                    SHA1:0307110CB8F713E427E40DB765280C8B05B296E4
                    SHA-256:C8A74EA2C3CCBB64E38E635265F818325954B2B2DA6B4E32CFE623CCBA722027
                    SHA-512:56064069DC82F0EFA80060EE38C6E1B319B2483B0132C78C2F630C1CD65E4BCD80DA5C05AD949D2BF66475CE8CCA0CD1ED2B75D51F47CF37764BAD51755F51A7
                    Malicious:false
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):3900928
                    Entropy (8bit):7.809825110103827
                    Encrypted:false
                    SSDEEP:98304:SBi6P/9/7w3zThAILRk5/919K6K2ze2jI:SV9/7azT+ILcxKR2fjI
                    MD5:3E2CA8A03A09E9232A24945D78E87398
                    SHA1:26C4F20FE3FBFE14F27611C949CA7989ECF7DBD8
                    SHA-256:64E73FFBA3CBF8754B24831016A6A9CE43A1E0B111B898F528E7BE65F88A5357
                    SHA-512:9E7AD75B2D2689AE92A843A50180DF34D04B3728A1783C8F9D3DD2DD725E68290E32E022CB0129732B2FC968807AA07A9E91FC25C4F5FB0A0A1BBA61F44DBF6C
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 74%
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:ASCII text, with very long lines (542), with no line terminators
                    Category:dropped
                    Size (bytes):542
                    Entropy (8bit):5.874370818446617
                    Encrypted:false
                    SSDEEP:12:9vZRW0CcIrqOl6uyHOVXaRFuXXvLjiY+V3Gh:jRW0Jmt8uPKYiO
                    MD5:B7C569D823894DBC64C7EBB81AD91774
                    SHA1:19360DF1929A28441BCE73E4E7CB34AB784B420B
                    SHA-256:F96FD6DB9E785D8E90EEAE446C056933CD66D76CC85818B24482A893F119492D
                    SHA-512:4AD00863FAB7CF5A5296A66EDF7ED4EC927449E4C61372507B903A866B0A9ED5A5785478B56C1066CCBA4A661CBF002C6CED4AE1BC0F7FFE3D3FCA397B1B7049
                    Malicious:false
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):3900928
                    Entropy (8bit):7.809825110103827
                    Encrypted:false
                    SSDEEP:98304:SBi6P/9/7w3zThAILRk5/919K6K2ze2jI:SV9/7azT+ILcxKR2fjI
                    MD5:3E2CA8A03A09E9232A24945D78E87398
                    SHA1:26C4F20FE3FBFE14F27611C949CA7989ECF7DBD8
                    SHA-256:64E73FFBA3CBF8754B24831016A6A9CE43A1E0B111B898F528E7BE65F88A5357
                    SHA-512:9E7AD75B2D2689AE92A843A50180DF34D04B3728A1783C8F9D3DD2DD725E68290E32E022CB0129732B2FC968807AA07A9E91FC25C4F5FB0A0A1BBA61F44DBF6C
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 74%
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:ASCII text, with very long lines (925), with no line terminators
                    Category:dropped
                    Size (bytes):925
                    Entropy (8bit):5.906259470107146
                    Encrypted:false
                    SSDEEP:24:CHgZs7QDh7F2egRRjkqprPnCabjMTFbe1qFf+2AjLTHo:GgZPd7wLPpbCnTFzFfjAjfo
                    MD5:961CCEF9D91F9281D8500C9C8277CDB3
                    SHA1:00A61C787535D4D0164B14B95C636D33928CE428
                    SHA-256:695C15F30238C020DE76620B32F14A21B7DE9E506EBA15FB6F4D41982CAFE7A6
                    SHA-512:4365DB5A9F0C0E7B75C0528AC9027B50F5CE7A20BA295861E24FFD71E43020EBAC1B9A430F6A864BB5D0DABEE8030F2C04ABB85D88A375A079E9AC7BBA8C5019
                    Malicious:false
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):3900928
                    Entropy (8bit):7.809825110103827
                    Encrypted:false
                    SSDEEP:98304:SBi6P/9/7w3zThAILRk5/919K6K2ze2jI:SV9/7azT+ILcxKR2fjI
                    MD5:3E2CA8A03A09E9232A24945D78E87398
                    SHA1:26C4F20FE3FBFE14F27611C949CA7989ECF7DBD8
                    SHA-256:64E73FFBA3CBF8754B24831016A6A9CE43A1E0B111B898F528E7BE65F88A5357
                    SHA-512:9E7AD75B2D2689AE92A843A50180DF34D04B3728A1783C8F9D3DD2DD725E68290E32E022CB0129732B2FC968807AA07A9E91FC25C4F5FB0A0A1BBA61F44DBF6C
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 74%
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):183
                    Entropy (8bit):5.634278326158999
                    Encrypted:false
                    SSDEEP:3:aUpI0krorXlIAdMN4UXdIntuXi8gS/Vcg4UbUqNLQ/flU6oiNVXlRXBwIUbH:aV0iofdMN4UtIntuYWVdZN0lR3zjo
                    MD5:A13DC78DC6136666062DF355E9806D2C
                    SHA1:AFB9922382917D3C7B3355C5EAD42DC969211AFB
                    SHA-256:1A20A31B627373F73EBDDFE7BBE8A610395E906249B67A2C5FB3F5875FC66BE2
                    SHA-512:8DED647AE74A80F3C8BCA8603DF5472A9C16B872E5FF0A2C58EE6D537392CFEEBA8451C85090C19100A087AF09E694D1D129564EB5943FAF8E132FE74955686D
                    Malicious:false
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):3900928
                    Entropy (8bit):7.809825110103827
                    Encrypted:false
                    SSDEEP:98304:SBi6P/9/7w3zThAILRk5/919K6K2ze2jI:SV9/7azT+ILcxKR2fjI
                    MD5:3E2CA8A03A09E9232A24945D78E87398
                    SHA1:26C4F20FE3FBFE14F27611C949CA7989ECF7DBD8
                    SHA-256:64E73FFBA3CBF8754B24831016A6A9CE43A1E0B111B898F528E7BE65F88A5357
                    SHA-512:9E7AD75B2D2689AE92A843A50180DF34D04B3728A1783C8F9D3DD2DD725E68290E32E022CB0129732B2FC968807AA07A9E91FC25C4F5FB0A0A1BBA61F44DBF6C
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 74%
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:ASCII text, with very long lines (739), with no line terminators
                    Category:dropped
                    Size (bytes):739
                    Entropy (8bit):5.880502385571942
                    Encrypted:false
                    SSDEEP:12:GwHSMHCSUdWNWal75vFS/+23kkspCA3y7VcbHvOjTHEJcX2OZkmI3/BM:GMnHCSpNWal752G0FFkJe+mIvG
                    MD5:ACEA85EF18D48CDA61462F187E95EF01
                    SHA1:A18BFDA1E1FD2A3A4E5CCF305F20C50B2A471D81
                    SHA-256:5043BBEC35C76836F028F3E444FC53C32DEC3BA5B65E0D08B26364EB3CFEAA2C
                    SHA-512:35998C85CFB7898C57C86AD173B80CE8CB274969EC4E485A70DA7BE5F1AF215F5BEAFC071E1833256214187EF9F72B1C0F12CDEE6FE6B4ED4B49E1A060F163EA
                    Malicious:false
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):3900928
                    Entropy (8bit):7.809825110103827
                    Encrypted:false
                    SSDEEP:98304:SBi6P/9/7w3zThAILRk5/919K6K2ze2jI:SV9/7azT+ILcxKR2fjI
                    MD5:3E2CA8A03A09E9232A24945D78E87398
                    SHA1:26C4F20FE3FBFE14F27611C949CA7989ECF7DBD8
                    SHA-256:64E73FFBA3CBF8754B24831016A6A9CE43A1E0B111B898F528E7BE65F88A5357
                    SHA-512:9E7AD75B2D2689AE92A843A50180DF34D04B3728A1783C8F9D3DD2DD725E68290E32E022CB0129732B2FC968807AA07A9E91FC25C4F5FB0A0A1BBA61F44DBF6C
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 74%
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:ASCII text, with very long lines (348), with no line terminators
                    Category:dropped
                    Size (bytes):348
                    Entropy (8bit):5.839121478873467
                    Encrypted:false
                    SSDEEP:6:8uPNT5zS2U0gdVWz2A8Nez1UKVNqSj51hQWdqh7Z8PhiHQ2PdL9QarYuY+LT/N:vdgWzzz15NqSj51hJdUldLya++LbN
                    MD5:CD346D6A70800F09982E7D2E55C24135
                    SHA1:934B7039C09848A21DC966DD8CBC0C0719B21A68
                    SHA-256:97F7896E4D2DFAFD27D9719D9E4D1EF5613A2E46A6412C22E13D181D570C281A
                    SHA-512:58C6D281B7D3F10AB784410EC33B322012DDB8FFB56B8B5BD6C8BD0208577936731BB1EDA121F8C4FA83E9FDB8AC3A9AA4DFF971664D30E39141C8A33056367F
                    Malicious:false
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):3900928
                    Entropy (8bit):7.809825110103827
                    Encrypted:false
                    SSDEEP:98304:SBi6P/9/7w3zThAILRk5/919K6K2ze2jI:SV9/7azT+ILcxKR2fjI
                    MD5:3E2CA8A03A09E9232A24945D78E87398
                    SHA1:26C4F20FE3FBFE14F27611C949CA7989ECF7DBD8
                    SHA-256:64E73FFBA3CBF8754B24831016A6A9CE43A1E0B111B898F528E7BE65F88A5357
                    SHA-512:9E7AD75B2D2689AE92A843A50180DF34D04B3728A1783C8F9D3DD2DD725E68290E32E022CB0129732B2FC968807AA07A9E91FC25C4F5FB0A0A1BBA61F44DBF6C
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 74%
                    Process:C:\Hypercontainer\DwPKagqBqZ.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):1281
                    Entropy (8bit):5.370111951859942
                    Encrypted:false
                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                    MD5:12C61586CD59AA6F2A21DF30501F71BD
                    SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                    SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                    SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                    Malicious:false
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1915
                    Entropy (8bit):5.363869398054153
                    Encrypted:false
                    SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpvJHVHmHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpB1Gq2
                    MD5:5D3E8414C47C0F4A064FA0043789EC3E
                    SHA1:CF7FC44D13EA93E644AC81C5FE61D6C8EDFA41B0
                    SHA-256:4FDFF52E159C9D420E13E429CCD2B40025A0110AD84DC357BE17E21654BEEBC7
                    SHA-512:74D567BBBA09EDF55D2422653F6647DCFBA8EF6CA0D4DBEBD91E3CA9B3A278C99FA52832EDF823F293C416053727D0CF15F878EC1278E62524DA1513DA4AC6AF
                    Malicious:false
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                    Process:C:\Users\Default\wininit.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):1281
                    Entropy (8bit):5.370111951859942
                    Encrypted:false
                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                    MD5:12C61586CD59AA6F2A21DF30501F71BD
                    SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                    SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                    SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                    Malicious:false
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):25
                    Entropy (8bit):4.403856189774723
                    Encrypted:false
                    SSDEEP:3:4pzD7ZnVk:CBn6
                    MD5:EF52B723A51628EEA868EC62793E2406
                    SHA1:DA09A20A422E01F9A5CB95ECD902A3F908D7E1A2
                    SHA-256:7DF9D2E0592FE7FAB3E85DAA67AACFCBF29C3F0B847CAF7434BDD244F9315C05
                    SHA-512:B2FCEEAA4117677C772C7F6C46CFD50129BA9F95FEC6647836836C0947A84A547913F0F63227652441A6D22E4B5C4BB8A93E0D18562263445F6CDE8B5000485B
                    Malicious:false
                    Preview:j773L0AiICflPuiJZFnWseqDA
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):232
                    Entropy (8bit):5.075821284788639
                    Encrypted:false
                    SSDEEP:6:hITg3Nou11r+DED+4ThG5D/bKOZG1923fcrkj:OTg9YDED+/XQy
                    MD5:E63A17839D20FB8DDF54B1CC0752ECF1
                    SHA1:837B6809E10552EDD4DB84E9D5713F7B0EBE7CBB
                    SHA-256:82F220E7DE8AC031F6AF6FFB93DEB58CC698786D327ED1F46D411B5A0420EA73
                    SHA-512:4524FC6A9A5EAB6EF79A0E209C18CB63A135B253BB340BDD079946C661BEA30C3AF3D7BB9853A32E51E4A26EC28A3A98E87F7122CA49C9AAA0813B89E7E679CB
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    Preview:@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\lpQRQ7w2Wz.bat"
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:ASCII text, with very long lines (490), with no line terminators
                    Category:dropped
                    Size (bytes):490
                    Entropy (8bit):5.850866763036776
                    Encrypted:false
                    SSDEEP:12:6EJ21UtJb7YHJZWsbARIooTJ6SEIadkVFyWS:TJ21eJ3QJosshotr2kVAx
                    MD5:CD8053C18776706EBA72EACADD499AB2
                    SHA1:5F0D6454E97CA227FA4B6F8616E5ACA21F75168A
                    SHA-256:9EEF92107CD84EFEB7E453CF15DFAFB812D373AFF7155DBE526096EDAA13D311
                    SHA-512:5CFA9DBD78EBD7F4F27CB8D79A7E5A0B5AEFFDC0211676063F3E09A959DEE596902393C492C7E4B979778F820EEA1201C9976ABF11B6B0429A3A3F0FA761695F
                    Malicious:false
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):3900928
                    Entropy (8bit):7.809825110103827
                    Encrypted:false
                    SSDEEP:98304:SBi6P/9/7w3zThAILRk5/919K6K2ze2jI:SV9/7azT+ILcxKR2fjI
                    MD5:3E2CA8A03A09E9232A24945D78E87398
                    SHA1:26C4F20FE3FBFE14F27611C949CA7989ECF7DBD8
                    SHA-256:64E73FFBA3CBF8754B24831016A6A9CE43A1E0B111B898F528E7BE65F88A5357
                    SHA-512:9E7AD75B2D2689AE92A843A50180DF34D04B3728A1783C8F9D3DD2DD725E68290E32E022CB0129732B2FC968807AA07A9E91FC25C4F5FB0A0A1BBA61F44DBF6C
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 74%
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:ASCII text, with very long lines (513), with no line terminators
                    Category:dropped
                    Size (bytes):513
                    Entropy (8bit):5.869960869305533
                    Encrypted:false
                    SSDEEP:12:JiYv9LBYfRZ5F/WCa/7FbCxBkqMLNYtXUQsNBzEw/C:JiYv9On5F/6huxoLNYJU19X6
                    MD5:D4C794E6FEA876E1290CD0EA54A8DC1A
                    SHA1:F52A9DE673CC752EA8455520050E0BBB4E8F85DD
                    SHA-256:ECCF1C270B878AEEC12030C85F503CEDC279FF34773298B5B38F0AAF21CD897F
                    SHA-512:F4F525D5672495BD95BE7A85C0B3CCB64BFF471CE5F6A3EF5F50EE2765F09F7B0FA00E2F7703A29EF1910E8D30834E1642D5DA826A92FE3514A0CE19F99E9379
                    Malicious:false
                    Process:C:\Hypercontainer\blockwin.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):3900928
                    Entropy (8bit):7.809825110103827
                    Encrypted:false
                    SSDEEP:98304:SBi6P/9/7w3zThAILRk5/919K6K2ze2jI:SV9/7azT+ILcxKR2fjI
                    MD5:3E2CA8A03A09E9232A24945D78E87398
                    SHA1:26C4F20FE3FBFE14F27611C949CA7989ECF7DBD8
                    SHA-256:64E73FFBA3CBF8754B24831016A6A9CE43A1E0B111B898F528E7BE65F88A5357
                    SHA-512:9E7AD75B2D2689AE92A843A50180DF34D04B3728A1783C8F9D3DD2DD725E68290E32E022CB0129732B2FC968807AA07A9E91FC25C4F5FB0A0A1BBA61F44DBF6C
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 74%
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):7.727586059290694
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    • Win32 Executable (generic) a (10002005/4) 49.97%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    • DOS Executable Generic (2002/1) 0.01%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:1Ta6ojwHc6.exe
                    File size:4'389'494 bytes
                    MD5:3c85ad90afa66cd4c5d1cccf63adc862
                    SHA1:ed3e4c1e2c9d3d588c48a855cad21dfe0a556930
                    SHA256:00564ed0e7500f4ed88ae136b1c140425556bf536c6bd8c6c74b7d9665d6fe20
                    SHA512:9358c25d694a546dfa91faddb9517a5f3b8602364cc0e3b5ec55818dd49b111f09b7635f646670a56da3e77e179630120ce034f8a3bb73b39df6b35739766e87
                    SSDEEP:98304:fbNBi6P/9/7w3zThAILRk5/919K6K2ze2jIN:fBV9/7azT+ILcxKR2fjIN
                    TLSH:C016E0093B43AD16E0082D32D1EE69CC57609BE03A6BDF576AB832ED15117833C5B9DB
                    Icon Hash:48b4c96964644a24
                    Entrypoint:0x41ec40
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                    Time Stamp:0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:1
                    File Version Major:5
                    File Version Minor:1
                    Subsystem Version Major:5
                    Subsystem Version Minor:1
                    Import Hash:fcf1390e9ce472c7270447fc5c61a0c1
                    Instruction
                    call 00007F355C705F69h
                    jmp 00007F355C70597Dh
                    cmp ecx, dword ptr [0043E668h]
                    jne 00007F355C705AF5h
                    ret
                    jmp 00007F355C7060EEh
                    int3
                    int3
                    int3
                    int3
                    int3
                    push ebp
                    mov ebp, esp
                    push esi
                    push dword ptr [ebp+08h]
                    mov esi, ecx
                    call 00007F355C6F8887h
                    mov dword ptr [esi], 00435580h
                    mov eax, esi
                    pop esi
                    pop ebp
                    retn 0004h
                    and dword ptr [ecx+04h], 00000000h
                    mov eax, ecx
                    and dword ptr [ecx+08h], 00000000h
                    mov dword ptr [ecx+04h], 00435588h
                    mov dword ptr [ecx], 00435580h
                    ret
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    lea eax, dword ptr [ecx+04h]
                    mov dword ptr [ecx], 00435568h
                    push eax
                    call 00007F355C708C8Dh
                    pop ecx
                    ret
                    push ebp
                    mov ebp, esp
                    sub esp, 0Ch
                    lea ecx, dword ptr [ebp-0Ch]
                    call 00007F355C6F881Eh
                    push 0043B704h
                    lea eax, dword ptr [ebp-0Ch]
                    push eax
                    call 00007F355C7083A2h
                    int3
                    push ebp
                    mov ebp, esp
                    sub esp, 0Ch
                    lea ecx, dword ptr [ebp-0Ch]
                    call 00007F355C705A94h
                    push 0043B91Ch
                    lea eax, dword ptr [ebp-0Ch]
                    push eax
                    call 00007F355C708385h
                    int3
                    jmp 00007F355C70A3D3h
                    jmp dword ptr [00433260h]
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    push 00421EB0h
                    push dword ptr fs:[00000000h]
                    Programming Language:
                    • [ C ] VS2008 SP1 build 30729
                    • [IMP] VS2008 SP1 build 30729
                    • [C++] VS2015 UPD3.1 build 24215
                    • [EXP] VS2015 UPD3.1 build 24215
                    • [RES] VS2015 UPD3 build 24213
                    • [LNK] VS2015 UPD3.1 build 24215
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3c820 | 0x34 | .rdata
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c854 | 0x3c | .rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x63000 | 0x37c8c | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9b000 | 0x2268 | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3aac0 | 0x54 | .rdata
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35508 | 0x40 | .rdata
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x260 | .rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3bdc4 | 0x120 | .rdata
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x1000 | 0x310ea | 0x31200 | c5bf61bbedb6ad471e9dc6266398e965 | False | 0.583959526081425 | data | 6.708075396341128 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rdata | 0x33000 | 0xa612 | 0xa800 | 7980b588d5b28128a2f3c36cabe2ce98 | False | 0.45284598214285715 | data | 5.221742709250668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data | 0x3e000 | 0x23728 | 0x1000 | 201530c9e56f172adf2473053298d48f | False | 0.36767578125 | data | 3.7088186669877685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .didat | 0x62000 | 0x188 | 0x200 | c5d41d8f254f69e567595ab94266cfdc | False | 0.4453125 | data | 3.2982538067961342 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rsrc | 0x63000 | 0x37c8c | 0x37e00 | 2f86e658a91d4122e79cff5a81abee88 | False | 0.18820784395973153 | data | 5.028962664691394 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc | 0x9b000 | 0x2268 | 0x2400 | c7a942b723cb29d9c02f7c611b544b50 | False | 0.7681206597222222 | data | 6.5548620101740545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    PNG | 0x63524 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
                    PNG | 0x6406c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
                    RT_ICON | 0x65618 | 0x3334c | Device independent bitmap graphic, 225 x 450 x 32, image size 202500 | | | 0.14635739486983884
                    RT_DIALOG | 0x98964 | 0x286 | data | English | United States | 0.5092879256965944
                    RT_DIALOG | 0x98bec | 0x13a | data | English | United States | 0.60828025477707
                    RT_DIALOG | 0x98d28 | 0xec | data | English | United States | 0.6991525423728814
                    RT_DIALOG | 0x98e14 | 0x12e | data | English | United States | 0.5927152317880795
                    RT_DIALOG | 0x98f44 | 0x338 | data | English | United States | 0.45145631067961167
                    RT_DIALOG | 0x9927c | 0x252 | data | English | United States | 0.5757575757575758
                    RT_STRING | 0x994d0 | 0x1e2 | data | English | United States | 0.3900414937759336
                    RT_STRING | 0x996b4 | 0x1cc | data | English | United States | 0.4282608695652174
                    RT_STRING | 0x99880 | 0x1b8 | data | English | United States | 0.45681818181818185
                    RT_STRING | 0x99a38 | 0x146 | data | English | United States | 0.5153374233128835
                    RT_STRING | 0x99b80 | 0x446 | data | English | United States | 0.340036563071298
                    RT_STRING | 0x99fc8 | 0x166 | data | English | United States | 0.49162011173184356
                    RT_STRING | 0x9a130 | 0x152 | data | English | United States | 0.5059171597633136
                    RT_STRING | 0x9a284 | 0x10a | data | English | United States | 0.49624060150375937
                    RT_STRING | 0x9a390 | 0xbc | data | English | United States | 0.6329787234042553
                    RT_STRING | 0x9a44c | 0xd6 | data | English | United States | 0.5747663551401869
                    RT_GROUP_ICON | 0x9a524 | 0x14 | data | | | 1.2
                    RT_MANIFEST | 0x9a538 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
                    DLL | Import
                    KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
                    gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc
                    Language of compilation system | Country where language is spoken | Map
                    English | United States |
                    TimestampSource PortDest PortSource IPDest IP
                    Jan 9, 2025 19:12:40.191099882 CET5567553192.168.2.5162.159.36.2
                    Jan 9, 2025 19:12:40.195960999 CET5355675162.159.36.2192.168.2.5
                    Jan 9, 2025 19:12:40.196037054 CET5567553192.168.2.5162.159.36.2
                    Jan 9, 2025 19:12:40.196080923 CET5567553192.168.2.5162.159.36.2
                    Jan 9, 2025 19:12:40.200849056 CET5355675162.159.36.2192.168.2.5
                    Jan 9, 2025 19:12:40.656702995 CET5355675162.159.36.2192.168.2.5
                    Jan 9, 2025 19:12:40.657366991 CET5567553192.168.2.5162.159.36.2
                    Jan 9, 2025 19:12:40.662436962 CET5355675162.159.36.2192.168.2.5
                    Jan 9, 2025 19:12:40.662502050 CET5567553192.168.2.5162.159.36.2

                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Jan 9, 2025 19:12:40.190601110 CET | 53 | 50811 | 162.159.36.2 | 192.168.2.5
                    Jan 9, 2025 19:12:40.671327114 CET | 51501 | 53 | 192.168.2.5 | 1.1.1.1
                    Jan 9, 2025 19:12:40.678823948 CET | 53 | 51501 | 1.1.1.1 | 192.168.2.5

                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Jan 9, 2025 19:12:40.671327114 CET | 192.168.2.5 | 1.1.1.1 | 0x7d04 | Standard query (0) | 15.164.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false

                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Jan 9, 2025 19:12:18.636396885 CET | 1.1.1.1 | 192.168.2.5 | 0x779f | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                    Jan 9, 2025 19:12:18.636396885 CET | 1.1.1.1 | 192.168.2.5 | 0x779f | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                    Jan 9, 2025 19:12:40.678823948 CET | 1.1.1.1 | 192.168.2.5 | 0x7d04 | Name error (3) | 15.164.165.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                    Jan 9, 2025 19:13:21.201622963 CET | 1.1.1.1 | 192.168.2.5 | 0xc1fa | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                    Jan 9, 2025 19:13:21.201622963 CET | 1.1.1.1 | 192.168.2.5 | 0xc1fa | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false

                    Target ID:0
                    Start time:13:12:00
                    Start date:09/01/2025
                    Path:C:\Users\user\Desktop\1Ta6ojwHc6.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\1Ta6ojwHc6.exe"
                    Imagebase:0xec0000
                    File size:4'389'494 bytes
                    MD5 hash:3C85AD90AFA66CD4C5D1CCCF63ADC862
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:2
                    Start time:13:12:00
                    Start date:09/01/2025
                    Path:C:\Windows\SysWOW64\wscript.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Hypercontainer\vn0WDvdQhnymz38qOIXaYP3Vb.vbe"
                    Imagebase:0x450000
                    File size:147'456 bytes
                    MD5 hash:FF00E0480075B095948000BDC66E81F0
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:3
                    Start time:13:12:09
                    Start date:09/01/2025
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Hypercontainer\n880E6sbFEumx9tx.bat" "
                    Imagebase:0x790000
                    File size:236'544 bytes
                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:4
                    Start time:13:12:09
                    Start date:09/01/2025
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:5
                    Start time:13:12:09
                    Start date:09/01/2025
                    Path:C:\Hypercontainer\blockwin.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Hypercontainer\blockwin.exe"
                    Imagebase:0xd70000
                    File size:3'900'928 bytes
                    MD5 hash:3E2CA8A03A09E9232A24945D78E87398
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2213231030.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2213231030.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2217147666.000000001330D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 100%, Joe Sandbox ML
                    • Detection: 74%, ReversingLabs
                    Reputation:low
                    Has exited:true

                    Target ID:7
                    Start time:13:12:13
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\wininit.exe'" /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:8
                    Start time:13:12:13
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:9
                    Start time:13:12:13
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:10
                    Start time:13:12:14
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Ease of Access Themes\DwPKagqBqZ.exe'" /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:11
                    Start time:13:12:14
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "DwPKagqBqZ" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\DwPKagqBqZ.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:12
                    Start time:13:12:14
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Ease of Access Themes\DwPKagqBqZ.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:13
                    Start time:13:12:14
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\Documents\DwPKagqBqZ.exe'" /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:14
                    Start time:13:12:14
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "DwPKagqBqZ" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\Documents\DwPKagqBqZ.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:15
                    Start time:13:12:14
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\Documents\DwPKagqBqZ.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:16
                    Start time:13:12:14
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 11 /tr "'C:\Hypercontainer\DwPKagqBqZ.exe'" /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:17
                    Start time:13:12:14
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "DwPKagqBqZ" /sc ONLOGON /tr "'C:\Hypercontainer\DwPKagqBqZ.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:18
                    Start time:13:12:14
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 13 /tr "'C:\Hypercontainer\DwPKagqBqZ.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:19
                    Start time:13:12:14
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows defender\en-GB\conhost.exe'" /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:20
                    Start time:13:12:14
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\conhost.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:21
                    Start time:13:12:14
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows defender\en-GB\conhost.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:22
                    Start time:13:12:15
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exe'" /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:24
                    Start time:13:12:15
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:25
                    Start time:13:12:15
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\explorer.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:27
                    Start time:13:12:15
                    Start date:09/01/2025
                    Path:C:\Hypercontainer\DwPKagqBqZ.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Hypercontainer\DwPKagqBqZ.exe
                    Imagebase:0x370000
                    File size:3'900'928 bytes
                    MD5 hash:3E2CA8A03A09E9232A24945D78E87398
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001B.00000002.2295439565.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 100%, Joe Sandbox ML
                    • Detection: 74%, ReversingLabs
                    Has exited:true

                    Target ID:28
                    Start time:13:12:15
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\user\Contacts\WmiPrvSE.exe'" /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:29
                    Start time:13:12:15
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\user\Contacts\WmiPrvSE.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:30
                    Start time:13:12:15
                    Start date:09/01/2025
                    Path:C:\Hypercontainer\DwPKagqBqZ.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Hypercontainer\DwPKagqBqZ.exe
                    Imagebase:0x240000
                    File size:3'900'928 bytes
                    MD5 hash:3E2CA8A03A09E9232A24945D78E87398
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.2317453208.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.2317453208.00000000026EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Has exited:true

                    Target ID:31
                    Start time:13:12:15
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\user\Contacts\WmiPrvSE.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:32
                    Start time:13:12:15
                    Start date:09/01/2025
                    Path:C:\Users\Default\wininit.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Users\Default\wininit.exe
                    Imagebase:0x7f0000
                    File size:3'900'928 bytes
                    MD5 hash:3E2CA8A03A09E9232A24945D78E87398
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000020.00000002.2320365641.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000020.00000002.2320365641.0000000002E3F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 100%, Joe Sandbox ML
                    • Detection: 74%, ReversingLabs
                    Has exited:true

                    Target ID:33
                    Start time:13:12:15
                    Start date:09/01/2025
                    Path:C:\Users\Default\wininit.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Users\Default\wininit.exe
                    Imagebase:0xf60000
                    File size:3'900'928 bytes
                    MD5 hash:3E2CA8A03A09E9232A24945D78E87398
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000021.00000002.2317735342.0000000003691000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Has exited:true

                    Target ID:34
                    Start time:13:12:15
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\dtplugin\winlogon.exe'" /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:35
                    Start time:13:12:15
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\java\jre-1.8\bin\dtplugin\winlogon.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:36
                    Start time:13:12:15
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\dtplugin\winlogon.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:38
                    Start time:13:12:16
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\autoit3\AutoItX\DwPKagqBqZ.exe'" /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:39
                    Start time:13:12:16
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "DwPKagqBqZ" /sc ONLOGON /tr "'C:\Program Files (x86)\autoit3\AutoItX\DwPKagqBqZ.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:40
                    Start time:13:12:16
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "DwPKagqBqZD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\autoit3\AutoItX\DwPKagqBqZ.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:41
                    Start time:13:12:16
                    Start date:09/01/2025
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\en-GB\WmiPrvSE.exe'" /f
                    Imagebase:0x7ff796a50000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                      Execution Graph

                      Execution Coverage:9.9%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:9.3%
                      Total number of Nodes:1517
                      Total number of Limit Nodes:36
23084->23082 23084->23085 23210 eca207 23084->23210 23085->22979 23085->22980 23087->22988 23257 ec3fdd 23088->23257 23092 ec9728 23091->23092 23093 ec9786 23092->23093 23094 ec9792 CreateFileW 23092->23094 23095 ec97e4 23093->23095 23096 ecb66c 2 API calls 23093->23096 23094->23093 23095->23036 23097 ec97cb 23096->23097 23097->23095 23098 ec97cf CreateFileW 23097->23098 23098->23095 23100 ec9677 23099->23100 23105 ec9688 23099->23105 23101 ec968a 23100->23101 23102 ec9683 23100->23102 23100->23105 23342 ec96d0 23101->23342 23337 ec9817 23102->23337 23105->22999 23106->23016 23107->23026 23357 ecddff 23108->23357 23111 ec12e6 GetDlgItem ShowWindow 23111->23042 23113 edbdff __EH_prolog 23112->23113 23120 edb4e5 23113->23120 23380 edaa36 23113->23380 23115 edbe36 _wcsrchr 23117 edaa36 ExpandEnvironmentStringsW 23115->23117 23118 edc11d SetWindowTextW 23115->23118 23115->23120 23124 edbf0b SetFileAttributesW 23115->23124 23129 edc2e7 GetDlgItem SetWindowTextW SendMessageW 23115->23129 23132 edc327 SendMessageW 23115->23132 23384 ed17ac CompareStringW 23115->23384 23385 ed9da4 GetCurrentDirectoryW 23115->23385 23387 eca52a 7 API calls 23115->23387 23388 eca4b3 FindClose 23115->23388 23389 edab9a 76 API calls ___std_exception_copy 23115->23389 23390 ee35de 23115->23390 23117->23115 23118->23115 23120->23055 23125 edbfc5 GetFileAttributesW 23124->23125 23136 edbf25 ___scrt_fastfail 23124->23136 23125->23115 23127 edbfd7 DeleteFileW 23125->23127 23127->23115 23130 edbfe8 23127->23130 23129->23115 23131 ec400a _swprintf 51 API calls 23130->23131 23133 edc008 GetFileAttributesW 23131->23133 23132->23115 23133->23130 23134 edc01d MoveFileW 23133->23134 23134->23115 23135 edc035 MoveFileExW 23134->23135 23135->23115 23136->23115 23136->23125 23386 ecb4f7 52 API calls 2 library calls 23136->23386 23138 edd0ff __EH_prolog 23137->23138 23414 ecfead 23138->23414 23140 edd130 23418 ec5c59 23140->23418 23142 edd14e 23422 ec7c68 23142->23422 23146 edd1a1 23439 ec7cfb 23146->23439 
23148 edb504 23148->23065 23150 edcd38 23149->23150 23912 ed9d1a 23150->23912 23153 edcd45 GetWindow 23154 edb5d1 23153->23154 23157 edcd65 23153->23157 23154->22920 23154->22921 23155 edcd72 GetClassNameW 23917 ed17ac CompareStringW 23155->23917 23157->23154 23157->23155 23158 edcdfa GetWindow 23157->23158 23159 edcd96 GetWindowLongW 23157->23159 23158->23154 23158->23157 23159->23158 23160 edcda6 SendMessageW 23159->23160 23160->23158 23161 edcdbc GetObjectW 23160->23161 23918 ed9d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23161->23918 23163 edcdd3 23919 ed9d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23163->23919 23920 ed9f5d 8 API calls ___scrt_fastfail 23163->23920 23166 edcde4 SendMessageW DeleteObject 23166->23158 23167->22933 23169 eda2e8 23168->23169 23171 eda30d 23168->23171 23923 ed17ac CompareStringW 23169->23923 23174 eda7c3 23171->23174 23172 eda2fb 23172->23171 23173 eda2ff FindWindowExW 23172->23173 23173->23171 23175 eda7cd __EH_prolog 23174->23175 23176 ec1380 82 API calls 23175->23176 23177 eda7ef 23176->23177 23924 ec1f4f 23177->23924 23180 eda809 23182 ec1631 84 API calls 23180->23182 23181 eda818 23183 ec1951 126 API calls 23181->23183 23184 eda814 23182->23184 23186 eda83a __vswprintf_c_l ___std_exception_copy 23183->23186 23184->22963 23184->22968 23185 ec1631 84 API calls 23185->23184 23186->23184 23186->23185 23187->22945 23932 edac74 PeekMessageW 23188->23932 23191 edcbbc SendMessageW SendMessageW 23193 edcbf8 23191->23193 23194 edcc17 SendMessageW SendMessageW SendMessageW 23191->23194 23192 edcb88 23195 edcb93 ShowWindow SendMessageW SendMessageW 23192->23195 23193->23194 23196 edcc6d SendMessageW 23194->23196 23197 edcc4a SendMessageW 23194->23197 23195->23191 23196->22966 23197->23196 23198->23023 23199->23047 23200->23051 23201->23057 23202->23063 23203->22929 23204->23002 23205->23019 23206->22997 23207->22987 23208->23077 23209->23075 23211 eca214 23210->23211 23212 eca238 23211->23212 23213 eca22b CreateDirectoryW 
23211->23213 23231 eca180 23212->23231 23213->23212 23215 eca26b 23213->23215 23221 eca27a 23215->23221 23223 eca444 23215->23223 23217 eca27e GetLastError 23217->23221 23220 eca254 23220->23217 23222 eca258 CreateDirectoryW 23220->23222 23221->23084 23222->23215 23222->23217 23244 ede360 23223->23244 23226 eca494 23226->23221 23227 eca467 23228 ecb66c 2 API calls 23227->23228 23229 eca47b 23228->23229 23229->23226 23230 eca47f SetFileAttributesW 23229->23230 23230->23226 23246 eca194 23231->23246 23234 ecb66c 23235 ecb679 23234->23235 23243 ecb683 23235->23243 23254 ecb806 CharUpperW 23235->23254 23237 ecb692 23255 ecb832 CharUpperW 23237->23255 23239 ecb6a1 23240 ecb71c GetCurrentDirectoryW 23239->23240 23241 ecb6a5 23239->23241 23240->23243 23256 ecb806 CharUpperW 23241->23256 23243->23220 23245 eca451 SetFileAttributesW 23244->23245 23245->23226 23245->23227 23247 ede360 23246->23247 23248 eca1a1 GetFileAttributesW 23247->23248 23249 eca189 23248->23249 23250 eca1b2 23248->23250 23249->23217 23249->23234 23251 ecb66c 2 API calls 23250->23251 23252 eca1c6 23251->23252 23252->23249 23253 eca1ca GetFileAttributesW 23252->23253 23253->23249 23254->23237 23255->23239 23256->23243 23258 ec3ff4 __vswprintf_c_l 23257->23258 23261 ee5759 23258->23261 23264 ee3837 23261->23264 23265 ee385f 23264->23265 23266 ee3877 23264->23266 23288 ee895a 20 API calls __dosmaperr 23265->23288 23266->23265 23268 ee387f 23266->23268 23290 ee3dd6 23268->23290 23269 ee3864 23289 ee8839 26 API calls __cftof 23269->23289 23275 ee3907 23299 ee4186 51 API calls 3 library calls 23275->23299 23276 ec3ffe 23276->23018 23279 ee386f 23281 edec4a 23279->23281 23280 ee3912 23300 ee3e59 20 API calls _free 23280->23300 23282 edec55 IsProcessorFeaturePresent 23281->23282 23283 edec53 23281->23283 23285 edf267 23282->23285 23283->23276 23301 edf22b SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 23285->23301 23287 edf34a 23287->23276 23288->23269 23289->23279 23291 
ee3df3 23290->23291 23297 ee388f 23290->23297 23291->23297 23302 ee8fa5 GetLastError 23291->23302 23293 ee3e14 23323 ee90fa 38 API calls __fassign 23293->23323 23295 ee3e2d 23324 ee9127 38 API calls __fassign 23295->23324 23298 ee3da1 20 API calls 2 library calls 23297->23298 23298->23275 23299->23280 23300->23279 23301->23287 23303 ee8fbb 23302->23303 23304 ee8fc7 23302->23304 23325 eea61b 11 API calls 2 library calls 23303->23325 23326 ee85a9 20 API calls 3 library calls 23304->23326 23307 ee8fc1 23307->23304 23309 ee9010 SetLastError 23307->23309 23308 ee8fd3 23310 ee8fdb 23308->23310 23333 eea671 11 API calls 2 library calls 23308->23333 23309->23293 23327 ee84de 23310->23327 23313 ee8ff0 23313->23310 23315 ee8ff7 23313->23315 23314 ee8fe1 23317 ee901c SetLastError 23314->23317 23334 ee8e16 20 API calls CallUnexpected 23315->23334 23335 ee8566 38 API calls _abort 23317->23335 23318 ee9002 23320 ee84de _free 20 API calls 23318->23320 23322 ee9009 23320->23322 23322->23309 23322->23317 23323->23295 23324->23297 23325->23307 23326->23308 23328 ee84e9 RtlFreeHeap 23327->23328 23329 ee8512 _free 23327->23329 23328->23329 23330 ee84fe 23328->23330 23329->23314 23336 ee895a 20 API calls __dosmaperr 23330->23336 23332 ee8504 GetLastError 23332->23329 23333->23313 23334->23318 23336->23332 23338 ec9820 23337->23338 23339 ec9824 23337->23339 23338->23105 23339->23338 23348 eca12d 23339->23348 23344 ec96fa 23342->23344 23345 ec96dc 23342->23345 23343 ec9719 23343->23105 23344->23343 23356 ec6e3e 74 API calls 23344->23356 23345->23344 23346 ec96e8 CloseHandle 23345->23346 23346->23344 23349 ede360 23348->23349 23350 eca13a DeleteFileW 23349->23350 23351 eca14d 23350->23351 23352 ec984c 23350->23352 23353 ecb66c 2 API calls 23351->23353 23352->23105 23354 eca161 23353->23354 23354->23352 23355 eca165 DeleteFileW 23354->23355 23355->23352 23356->23343 23363 ecd28a 23357->23363 23360 ecddfc SetDlgItemTextW 23360->23111 23361 ecde22 LoadStringW 23361->23360 23362 ecde39 
LoadStringW 23361->23362 23362->23360 23368 ecd1c3 23363->23368 23365 ecd2a7 23366 ecd2bc 23365->23366 23376 ecd2c8 26 API calls 23365->23376 23366->23360 23366->23361 23369 ecd1de 23368->23369 23375 ecd1d7 _strncpy 23368->23375 23371 ecd202 23369->23371 23377 ed1596 WideCharToMultiByte 23369->23377 23374 ecd233 23371->23374 23378 ecdd6b 50 API calls __vsnprintf 23371->23378 23379 ee58d9 26 API calls 3 library calls 23374->23379 23375->23365 23376->23366 23377->23371 23378->23374 23379->23375 23381 edaa40 23380->23381 23382 edab16 23381->23382 23383 edaaf3 ExpandEnvironmentStringsW 23381->23383 23382->23115 23383->23382 23384->23115 23385->23115 23386->23136 23387->23115 23388->23115 23389->23115 23391 ee8606 23390->23391 23392 ee861e 23391->23392 23393 ee8613 23391->23393 23395 ee8626 23392->23395 23402 ee862f _CallSETranslator 23392->23402 23403 ee8518 23393->23403 23399 ee84de _free 20 API calls 23395->23399 23396 ee8659 HeapReAlloc 23398 ee861b 23396->23398 23396->23402 23397 ee8634 23410 ee895a 20 API calls __dosmaperr 23397->23410 23398->23115 23399->23398 23402->23396 23402->23397 23411 ee71ad 7 API calls 2 library calls 23402->23411 23404 ee8556 23403->23404 23408 ee8526 _CallSETranslator 23403->23408 23413 ee895a 20 API calls __dosmaperr 23404->23413 23405 ee8541 RtlAllocateHeap 23407 ee8554 23405->23407 23405->23408 23407->23398 23408->23404 23408->23405 23412 ee71ad 7 API calls 2 library calls 23408->23412 23410->23398 23411->23402 23412->23408 23413->23407 23415 ecfeba 23414->23415 23443 ec1789 23415->23443 23417 ecfed2 23417->23140 23419 ecfead 23418->23419 23420 ec1789 76 API calls 23419->23420 23421 ecfed2 23420->23421 23421->23142 23423 ec7c72 __EH_prolog 23422->23423 23460 ecc827 23423->23460 23425 ec7c8d 23466 ede24a 23425->23466 23427 ec7cb7 23472 ed440b 23427->23472 23430 ec7ddf 23431 ec7de9 23430->23431 23436 ec7e53 23431->23436 23504 eca4c6 23431->23504 23433 ec7f06 23433->23146 23434 ec7ec4 23434->23433 23510 ec6dc1 74 API calls 23434->23510 
23436->23434 23437 eca4c6 8 API calls 23436->23437 23482 ec837f 23436->23482 23437->23436 23440 ec7d09 23439->23440 23442 ec7d10 23439->23442 23441 ed1acf 84 API calls 23440->23441 23441->23442 23444 ec179f 23443->23444 23455 ec17fa __vswprintf_c_l 23443->23455 23445 ec17c8 23444->23445 23456 ec6e91 74 API calls __vswprintf_c_l 23444->23456 23447 ec1827 23445->23447 23452 ec17e7 ___std_exception_copy 23445->23452 23449 ee35de 22 API calls 23447->23449 23448 ec17be 23457 ec6efd 75 API calls 23448->23457 23451 ec182e 23449->23451 23451->23455 23459 ec6efd 75 API calls 23451->23459 23452->23455 23458 ec6efd 75 API calls 23452->23458 23455->23417 23456->23448 23457->23445 23458->23455 23459->23455 23461 ecc831 __EH_prolog 23460->23461 23462 ede24a new 8 API calls 23461->23462 23463 ecc874 23462->23463 23464 ede24a new 8 API calls 23463->23464 23465 ecc898 23464->23465 23465->23425 23467 ede24f ___std_exception_copy 23466->23467 23468 ede27b 23467->23468 23478 ee71ad 7 API calls 2 library calls 23467->23478 23479 edecce RaiseException __CxxThrowException@8 new 23467->23479 23480 edecb1 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 23467->23480 23468->23427 23473 ed4415 __EH_prolog 23472->23473 23474 ede24a new 8 API calls 23473->23474 23475 ed4431 23474->23475 23476 ec7ce6 23475->23476 23481 ed06ba 78 API calls 23475->23481 23476->23430 23478->23467 23481->23476 23483 ec8389 __EH_prolog 23482->23483 23511 ec1380 23483->23511 23485 ec83a4 23519 ec9ef7 23485->23519 23491 ec83d3 23642 ec1631 23491->23642 23494 ec84ce 23545 ec1f00 23494->23545 23496 ec83cf 23496->23491 23500 eca4c6 8 API calls 23496->23500 23502 ec846e 23496->23502 23646 ecbac4 CompareStringW 23496->23646 23500->23496 23538 ec8517 23502->23538 23503 ec84d9 23503->23491 23549 ec3aac 23503->23549 23559 ec857b 23503->23559 23505 eca4db 23504->23505 23509 eca4df 23505->23509 23900 eca5f4 23505->23900 23507 eca4ef 23508 eca4f4 FindClose 23507->23508 23507->23509 23508->23509 23509->23431 
23510->23433 23512 ec1385 __EH_prolog 23511->23512 23513 ecc827 8 API calls 23512->23513 23514 ec13bd 23513->23514 23515 ede24a new 8 API calls 23514->23515 23518 ec1416 ___scrt_fastfail 23514->23518 23516 ec1403 23515->23516 23516->23518 23647 ecb07d 23516->23647 23518->23485 23520 ec9f0e 23519->23520 23522 ec83ba 23520->23522 23663 ec6f5d 76 API calls 23520->23663 23522->23491 23523 ec19a6 23522->23523 23524 ec19b0 __EH_prolog 23523->23524 23527 ec1a00 23524->23527 23535 ec19e5 23524->23535 23664 ec709d 23524->23664 23526 ec1b50 23667 ec6dc1 74 API calls 23526->23667 23527->23526 23530 ec1b60 23527->23530 23527->23535 23529 ec3aac 97 API calls 23531 ec1bb3 23529->23531 23530->23529 23530->23535 23532 ec1bff 23531->23532 23534 ec3aac 97 API calls 23531->23534 23532->23535 23537 ec1c32 23532->23537 23668 ec6dc1 74 API calls 23532->23668 23534->23531 23535->23496 23536 ec3aac 97 API calls 23536->23537 23537->23535 23537->23536 23539 ec8524 23538->23539 23686 ed0c26 GetSystemTime SystemTimeToFileTime 23539->23686 23541 ec8488 23541->23494 23542 ed1359 23541->23542 23688 edd51a 23542->23688 23546 ec1f05 __EH_prolog 23545->23546 23547 ec1f39 23546->23547 23696 ec1951 23546->23696 23547->23503 23550 ec3abc 23549->23550 23551 ec3ab8 23549->23551 23552 ec3ae9 23550->23552 23553 ec3af7 23550->23553 23551->23503 23554 ec3b29 23552->23554 23830 ec3281 85 API calls 3 library calls 23552->23830 23831 ec27e8 97 API calls 3 library calls 23553->23831 23554->23503 23557 ec3af5 23557->23554 23832 ec204e 74 API calls 23557->23832 23560 ec8585 __EH_prolog 23559->23560 23561 ec85be 23560->23561 23573 ec85c2 23560->23573 23855 ed84bd 99 API calls 23560->23855 23562 ec85e7 23561->23562 23567 ec867a 23561->23567 23561->23573 23564 ec8609 23562->23564 23562->23573 23856 ec7b66 151 API calls 23562->23856 23564->23573 23857 ed84bd 99 API calls 23564->23857 23567->23573 23833 ec5e3a 23567->23833 23569 ec8705 23569->23573 23839 ec826a 23569->23839 23572 ec8875 23574 eca4c6 8 API calls 
23572->23574 23577 ec88e0 23572->23577 23573->23503 23574->23577 23576 ecc991 80 API calls 23581 ec893b _memcmp 23576->23581 23843 ec7d6c 23577->23843 23578 ec8a70 23579 ec8b43 23578->23579 23585 ec8abf 23578->23585 23584 ec8b9e 23579->23584 23595 ec8b4e 23579->23595 23580 ec8a69 23860 ec1f94 74 API calls 23580->23860 23581->23573 23581->23576 23581->23578 23581->23580 23858 ec8236 82 API calls 23581->23858 23859 ec1f94 74 API calls 23581->23859 23594 ec8b30 23584->23594 23863 ec80ea 96 API calls 23584->23863 23588 eca180 4 API calls 23585->23588 23585->23594 23586 ec91c1 __except_handler4 23591 ec9653 79 API calls 23586->23591 23587 ec8b9c 23589 ec9653 79 API calls 23587->23589 23592 ec8af7 23588->23592 23589->23573 23591->23573 23592->23594 23861 ec9377 96 API calls 23592->23861 23593 ec8c09 23593->23586 23606 ec8c74 23593->23606 23864 ec9989 23593->23864 23594->23587 23594->23593 23595->23587 23862 ec7f26 100 API calls __except_handler4 23595->23862 23596 ecaa88 8 API calls 23599 ec8cc3 23596->23599 23602 ecaa88 8 API calls 23599->23602 23601 ec8c4c 23601->23606 23868 ec1f94 74 API calls 23601->23868 23615 ec8cd9 23602->23615 23604 ec8c62 23869 ec7061 75 API calls 23604->23869 23606->23596 23607 ec8d9c 23608 ec8efd 23607->23608 23609 ec8df7 23607->23609 23613 ec8f0f 23608->23613 23614 ec8f23 23608->23614 23630 ec8e27 23608->23630 23610 ec8e69 23609->23610 23612 ec8e07 23609->23612 23611 ec826a CharUpperW 23610->23611 23616 ec8e84 23611->23616 23617 ec8e4d 23612->23617 23624 ec8e15 23612->23624 23618 ec92e6 121 API calls 23613->23618 23619 ed2c42 75 API calls 23614->23619 23615->23607 23870 ec9b21 SetFilePointer GetLastError SetEndOfFile 23615->23870 23625 ec8ead 23616->23625 23626 ec8eb4 23616->23626 23616->23630 23617->23630 23872 ec7907 108 API calls 23617->23872 23618->23630 23620 ec8f3c 23619->23620 23875 ed28f1 121 API calls 23620->23875 23871 ec1f94 74 API calls 23624->23871 23873 ec7698 84 API calls __except_handler4 23625->23873 23874 ec9224 94 API calls 
__EH_prolog 23626->23874 23635 ec904b 23630->23635 23876 ec1f94 74 API calls 23630->23876 23632 ec9156 23632->23586 23634 eca444 4 API calls 23632->23634 23633 ec9104 23850 ec9d62 23633->23850 23636 ec91b1 23634->23636 23635->23586 23635->23632 23635->23633 23849 ec9ebf SetEndOfFile 23635->23849 23636->23586 23877 ec1f94 74 API calls 23636->23877 23639 ec914b 23641 ec96d0 75 API calls 23639->23641 23641->23632 23643 ec1643 23642->23643 23892 ecc8ca 23643->23892 23646->23496 23648 ecb087 __EH_prolog 23647->23648 23653 ecea80 80 API calls 23648->23653 23650 ecb099 23654 ecb195 23650->23654 23653->23650 23655 ecb1a7 ___scrt_fastfail 23654->23655 23658 ed0948 23655->23658 23661 ed0908 GetCurrentProcess GetProcessAffinityMask 23658->23661 23662 ecb10f 23661->23662 23662->23518 23663->23522 23669 ec16d2 23664->23669 23666 ec70b9 23666->23527 23667->23535 23668->23537 23670 ec16e8 23669->23670 23681 ec1740 __vswprintf_c_l 23669->23681 23671 ec1711 23670->23671 23682 ec6e91 74 API calls __vswprintf_c_l 23670->23682 23672 ec1767 23671->23672 23678 ec172d ___std_exception_copy 23671->23678 23675 ee35de 22 API calls 23672->23675 23674 ec1707 23683 ec6efd 75 API calls 23674->23683 23676 ec176e 23675->23676 23676->23681 23685 ec6efd 75 API calls 23676->23685 23678->23681 23684 ec6efd 75 API calls 23678->23684 23681->23666 23682->23674 23683->23671 23684->23681 23685->23681 23687 ed0c56 __vsnwprintf_l 23686->23687 23687->23541 23689 edd527 23688->23689 23690 ecddd1 53 API calls 23689->23690 23691 edd54a 23690->23691 23692 ec400a _swprintf 51 API calls 23691->23692 23693 edd55c 23692->23693 23694 edcb5a 16 API calls 23693->23694 23695 ed1372 23694->23695 23695->23494 23697 ec1961 23696->23697 23699 ec195d 23696->23699 23700 ec1896 23697->23700 23699->23547 23701 ec18a8 23700->23701 23702 ec18e5 23700->23702 23703 ec3aac 97 API calls 23701->23703 23708 ec3f18 23702->23708 23704 ec18c8 23703->23704 23704->23699 23709 ec3f21 23708->23709 23710 ec3aac 97 API calls 23709->23710 23712 
ec1906 23709->23712 23725 ed067c 23709->23725 23710->23709 23712->23704 23713 ec1e00 23712->23713 23714 ec1e0a __EH_prolog 23713->23714 23733 ec3b3d 23714->23733 23716 ec1e34 23717 ec16d2 76 API calls 23716->23717 23719 ec1ebb 23716->23719 23718 ec1e4b 23717->23718 23761 ec1849 76 API calls 23718->23761 23719->23704 23721 ec1e63 23722 ec1e6f 23721->23722 23762 ed137a MultiByteToWideChar 23721->23762 23763 ec1849 76 API calls 23722->23763 23726 ed0683 23725->23726 23727 ed069e 23726->23727 23731 ec6e8c RaiseException __CxxThrowException@8 23726->23731 23729 ed06af SetThreadExecutionState 23727->23729 23732 ec6e8c RaiseException __CxxThrowException@8 23727->23732 23729->23709 23731->23727 23732->23729 23734 ec3b47 __EH_prolog 23733->23734 23735 ec3b5d 23734->23735 23736 ec3b79 23734->23736 23792 ec6dc1 74 API calls 23735->23792 23738 ec3dc2 23736->23738 23741 ec3ba5 23736->23741 23809 ec6dc1 74 API calls 23738->23809 23740 ec3b68 23740->23716 23741->23740 23764 ed2c42 23741->23764 23743 ec3c26 23745 ec3cb1 23743->23745 23760 ec3c1d 23743->23760 23795 ecc991 23743->23795 23744 ec3c22 23744->23743 23794 ec2034 76 API calls 23744->23794 23777 ecaa88 23745->23777 23747 ec3bf4 23747->23743 23747->23744 23748 ec3c12 23747->23748 23793 ec6dc1 74 API calls 23748->23793 23749 ec3cc4 23754 ec3d3e 23749->23754 23755 ec3d48 23749->23755 23781 ec92e6 23754->23781 23801 ed28f1 121 API calls 23755->23801 23758 ec3d46 23758->23760 23802 ec1f94 74 API calls 23758->23802 23803 ed1acf 23760->23803 23761->23721 23762->23722 23763->23719 23765 ed2c51 23764->23765 23767 ed2c5b 23764->23767 23810 ec6efd 75 API calls 23765->23810 23768 ed2ca2 ___std_exception_copy 23767->23768 23771 ed2c9d Concurrency::cancel_current_task 23767->23771 23776 ed2cfd ___scrt_fastfail 23767->23776 23769 ed2da9 Concurrency::cancel_current_task 23768->23769 23770 ed2cd9 23768->23770 23768->23776 23813 ee157a RaiseException 23769->23813 23811 ed2b7b 75 API calls 4 library calls 23770->23811 23812 ee157a 
RaiseException 23771->23812 23775 ed2dc1 23776->23747 23778 ecaa95 23777->23778 23780 ecaa9f 23777->23780 23779 ede24a new 8 API calls 23778->23779 23779->23780 23780->23749 23782 ec92f0 __EH_prolog 23781->23782 23814 ec7dc6 23782->23814 23785 ec709d 76 API calls 23786 ec9302 23785->23786 23817 ecca6c 23786->23817 23788 ec935c 23788->23758 23790 ecca6c 114 API calls 23791 ec9314 23790->23791 23791->23788 23791->23790 23826 eccc51 97 API calls __vswprintf_c_l 23791->23826 23792->23740 23793->23760 23794->23743 23796 ecc9c4 23795->23796 23797 ecc9b2 23795->23797 23828 ec6249 80 API calls 23796->23828 23827 ec6249 80 API calls 23797->23827 23800 ecc9bc 23800->23745 23801->23758 23802->23760 23805 ed1ad9 23803->23805 23804 ed1af2 23829 ed075b 84 API calls 23804->23829 23805->23804 23808 ed1b06 23805->23808 23807 ed1af9 23807->23808 23809->23740 23810->23767 23811->23776 23812->23769 23813->23775 23815 ecacf5 GetVersionExW 23814->23815 23816 ec7dcb 23815->23816 23816->23785 23818 ecca82 __vswprintf_c_l 23817->23818 23819 eccbf7 23818->23819 23823 ed84bd 99 API calls 23818->23823 23824 eccbee 23818->23824 23825 ecab70 89 API calls 23818->23825 23820 ecca0b 6 API calls 23819->23820 23822 eccc1f 23819->23822 23820->23822 23821 ed067c SetThreadExecutionState RaiseException 23821->23824 23822->23821 23823->23818 23824->23791 23825->23818 23826->23791 23827->23800 23828->23800 23829->23807 23830->23557 23831->23557 23832->23554 23834 ec5e4a 23833->23834 23878 ec5d67 23834->23878 23836 ec5e7d 23838 ec5eb5 23836->23838 23883 ecad65 CharUpperW CompareStringW 23836->23883 23838->23569 23840 ec8289 23839->23840 23889 ed179d CharUpperW 23840->23889 23842 ec8333 23842->23572 23844 ec7d7b 23843->23844 23845 ec7dbb 23844->23845 23890 ec7043 74 API calls 23844->23890 23845->23581 23847 ec7db3 23891 ec6dc1 74 API calls 23847->23891 23849->23633 23851 ec9d73 23850->23851 23854 ec9d82 23850->23854 23852 ec9d79 FlushFileBuffers 23851->23852 23851->23854 23852->23854 23853 ec9dfb 
SetFileTime 23853->23639 23854->23853 23855->23561 23856->23564 23857->23573 23858->23581 23859->23581 23860->23578 23861->23594 23862->23587 23863->23594 23865 ec998f 23864->23865 23866 ec9992 GetFileType 23864->23866 23865->23601 23867 ec99a0 23866->23867 23867->23601 23868->23604 23869->23606 23870->23607 23871->23630 23872->23630 23873->23630 23874->23630 23875->23630 23876->23635 23877->23586 23884 ec5c64 23878->23884 23880 ec5d88 23880->23836 23882 ec5c64 2 API calls 23882->23880 23883->23836 23887 ec5c6e 23884->23887 23885 ec5d56 23885->23880 23885->23882 23887->23885 23888 ecad65 CharUpperW CompareStringW 23887->23888 23888->23887 23889->23842 23890->23847 23891->23845 23893 ecc8db 23892->23893 23898 eca90e 84 API calls 23893->23898 23895 ecc90d 23899 eca90e 84 API calls 23895->23899 23897 ecc918 23898->23895 23899->23897 23901 eca5fe 23900->23901 23902 eca691 FindNextFileW 23901->23902 23903 eca621 FindFirstFileW 23901->23903 23905 eca69c GetLastError 23902->23905 23906 eca6b0 23902->23906 23904 eca638 23903->23904 23911 eca675 23903->23911 23907 ecb66c 2 API calls 23904->23907 23905->23906 23906->23911 23908 eca64d 23907->23908 23909 eca66a GetLastError 23908->23909 23910 eca651 FindFirstFileW 23908->23910 23909->23911 23910->23909 23910->23911 23911->23507 23921 ed9d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23912->23921 23914 ed9d21 23915 ed9d2d 23914->23915 23922 ed9d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23914->23922 23915->23153 23915->23154 23917->23157 23918->23163 23919->23163 23920->23166 23921->23914 23922->23915 23923->23172 23925 ec9ef7 76 API calls 23924->23925 23926 ec1f5b 23925->23926 23927 ec19a6 97 API calls 23926->23927 23930 ec1f78 23926->23930 23928 ec1f68 23927->23928 23928->23930 23931 ec6dc1 74 API calls 23928->23931 23930->23180 23930->23181 23931->23930 23933 edac8f GetMessageW 23932->23933 23934 edacc8 GetDlgItem 23932->23934 23935 edaca5 IsDialogMessageW 23933->23935 23936 edacb4 TranslateMessage DispatchMessageW 
23933->23936 23934->23191 23934->23192 23935->23934 23935->23936 23936->23934 24864 edb8e0 93 API calls _swprintf 24865 ed8ce0 6 API calls 24868 ef16e0 CloseHandle 23940 ede1f9 23941 ede203 23940->23941 23944 eddf59 23941->23944 23972 eddc67 23944->23972 23946 eddf73 23947 eddfd0 23946->23947 23955 eddff4 23946->23955 23948 edded7 DloadReleaseSectionWriteAccess 11 API calls 23947->23948 23949 eddfdb RaiseException 23948->23949 23966 ede1c9 23949->23966 23950 edec4a DloadUnlock 5 API calls 23952 ede1d8 23950->23952 23951 ede06c LoadLibraryExA 23953 ede0cd 23951->23953 23954 ede07f GetLastError 23951->23954 23956 ede0df 23953->23956 23960 ede0d8 FreeLibrary 23953->23960 23957 ede0a8 23954->23957 23958 ede092 23954->23958 23955->23951 23955->23953 23955->23956 23968 ede19b 23955->23968 23959 ede13d GetProcAddress 23956->23959 23956->23968 23961 edded7 DloadReleaseSectionWriteAccess 11 API calls 23957->23961 23958->23953 23958->23957 23962 ede14d GetLastError 23959->23962 23959->23968 23960->23956 23965 ede0b3 RaiseException 23961->23965 23963 ede160 23962->23963 23967 edded7 DloadReleaseSectionWriteAccess 11 API calls 23963->23967 23963->23968 23965->23966 23966->23950 23969 ede181 RaiseException 23967->23969 23983 edded7 23968->23983 23970 eddc67 ___delayLoadHelper2@8 11 API calls 23969->23970 23971 ede198 23970->23971 23971->23968 23973 eddc99 23972->23973 23974 eddc73 23972->23974 23973->23946 23991 eddd15 23974->23991 23977 eddc94 24001 eddc9a 23977->24001 23980 edec4a DloadUnlock 5 API calls 23981 eddf55 23980->23981 23981->23946 23982 eddf24 23982->23980 23984 eddee9 23983->23984 23985 eddf0b 23983->23985 23986 eddd15 DloadLock 8 API calls 23984->23986 23985->23966 23987 eddeee 23986->23987 23988 eddf06 23987->23988 23989 edde67 DloadProtectSection 3 API calls 23987->23989 24010 eddf0f 8 API calls DloadUnlock 23988->24010 23989->23988 23992 eddc9a DloadUnlock 3 API calls 23991->23992 23993 eddd2a 23992->23993 23994 edec4a DloadUnlock 5 API calls 23993->23994 

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00ED00CF: GetModuleHandleW.KERNEL32(kernel32), ref: 00ED00E4
                        • Part of subcall function 00ED00CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00ED00F6
                        • Part of subcall function 00ED00CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00ED0127
                        • Part of subcall function 00ED9DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00ED9DAC
                        • Part of subcall function 00EDA335: OleInitialize.OLE32(00000000), ref: 00EDA34E
                        • Part of subcall function 00EDA335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00EDA385
                        • Part of subcall function 00EDA335: SHGetMalloc.SHELL32(00F08430), ref: 00EDA38F
                        • Part of subcall function 00ED13B3: GetCPInfo.KERNEL32(00000000,?), ref: 00ED13C4
                        • Part of subcall function 00ED13B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 00ED13D8
                      • GetCommandLineW.KERNEL32 ref: 00EDD61C
                      • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00EDD643
                      • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00EDD654
                      • UnmapViewOfFile.KERNEL32(00000000), ref: 00EDD68E
                        • Part of subcall function 00EDD287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00EDD29D
                        • Part of subcall function 00EDD287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00EDD2D9
                      • CloseHandle.KERNEL32(00000000), ref: 00EDD697
                      • GetModuleFileNameW.KERNEL32(00000000,00F1DC90,00000800), ref: 00EDD6B2
                      • SetEnvironmentVariableW.KERNEL32(sfxname,00F1DC90), ref: 00EDD6BE
                      • GetLocalTime.KERNEL32(?), ref: 00EDD6C9
                      • _swprintf.LIBCMT ref: 00EDD708
                      • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00EDD71A
                      • GetModuleHandleW.KERNEL32(00000000), ref: 00EDD721
                      • LoadIconW.USER32(00000000,00000064), ref: 00EDD738
                      • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 00EDD789
                      • Sleep.KERNEL32(?), ref: 00EDD7B7
                      • DeleteObject.GDI32 ref: 00EDD7F0
                      • DeleteObject.GDI32(?), ref: 00EDD800
                      • CloseHandle.KERNEL32 ref: 00EDD843
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      • Associated: 00000000.00000002.2042166638.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042227385.0000000000EF3000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042246130.0000000000EFE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042246130.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042246130.0000000000F21000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F22000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F2C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F56000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F58000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                      • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                      • API String ID: 788466649-2656992072
                      • Opcode ID: 92cb598264cfd8d623173cdbc0816663003c7c86b542a34a664691a0d65a8444
                      • Instruction ID: 35b85f998be5a5d315ea09f48009abcbbf9ab52efc89caf5ccda8e4e658e917c
                      • Opcode Fuzzy Hash: 92cb598264cfd8d623173cdbc0816663003c7c86b542a34a664691a0d65a8444
                      • Instruction Fuzzy Hash: 8A61D075908345AFD320AB71EC49F7A37E8FB84744F04142AF545B22A2DF748906E7A2

                      Control-flow Graph

                      APIs
                      • FindResourceW.KERNEL32(00EDAE4D,PNG,?,?,?,00EDAE4D,00000066), ref: 00ED9E2E
                      • SizeofResource.KERNEL32(00000000,00000000,?,?,?,00EDAE4D,00000066), ref: 00ED9E46
                      • LoadResource.KERNEL32(00000000,?,?,?,00EDAE4D,00000066), ref: 00ED9E59
                      • LockResource.KERNEL32(00000000,?,?,?,00EDAE4D,00000066), ref: 00ED9E64
                      • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00EDAE4D,00000066), ref: 00ED9E82
                      • GlobalLock.KERNEL32(00000000), ref: 00ED9E93
                      • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00ED9EB7
                      • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00ED9EFC
                      • GlobalUnlock.KERNEL32(00000000), ref: 00ED9F1B
                      • GlobalFree.KERNEL32(00000000), ref: 00ED9F22
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      • Associated: 00000000.00000002.2042166638.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042227385.0000000000EF3000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042246130.0000000000EFE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042246130.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042246130.0000000000F21000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F22000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F2C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F56000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F58000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
                      • String ID: PNG

                      Control-flow Graph

                      • Graph listing omitted (first block eca5f4-eca61f; legend: Executed / Not Executed)
                      APIs
                      • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00ECA4EF,000000FF,?,?), ref: 00ECA628
                      • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00ECA4EF,000000FF,?,?), ref: 00ECA65E
                      • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00ECA4EF,000000FF,?,?), ref: 00ECA66A
                      • FindNextFileW.KERNEL32(?,?,?,?,?,?,00ECA4EF,000000FF,?,?), ref: 00ECA692
                      • GetLastError.KERNEL32(?,?,?,?,00ECA4EF,000000FF,?,?), ref: 00ECA69E
                      Similarity
                      • API ID: FileFind$ErrorFirstLast$Next
                      • String ID:
                      APIs
                      • GetCurrentProcess.KERNEL32(00000000,?,00EE7513,00000000,00EFBAD8,0000000C,00EE766A,00000000,00000002,00000000), ref: 00EE755E
                      • TerminateProcess.KERNEL32(00000000,?,00EE7513,00000000,00EFBAD8,0000000C,00EE766A,00000000,00000002,00000000), ref: 00EE7565
                      • ExitProcess.KERNEL32 ref: 00EE7577
                      Similarity
                      • API ID: Process$CurrentExitTerminate
                      • String ID:
                      APIs
                      Similarity
                      • API ID: H_prolog_memcmp
                      • String ID:
                      APIs
                      • __EH_prolog.LIBCMT ref: 00EDAEE5
                        • Part of subcall function 00EC130B: GetDlgItem.USER32(00000000,00003021), ref: 00EC134F
                        • Part of subcall function 00EC130B: SetWindowTextW.USER32(00000000,00EF35B4), ref: 00EC1365
                      Strings
                      Similarity
                      • API ID: H_prologItemTextWindow
                      • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp

                      Control-flow Graph

                      • Graph listing omitted (first block ed00cf-ed00ee; legend: Executed / Not Executed)
                      APIs
                      • GetModuleHandleW.KERNEL32(kernel32), ref: 00ED00E4
                      • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00ED00F6
                      • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00ED0127
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00ED03D4
                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00ED03F0
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00ED0402
                      • ReadFile.KERNEL32(00000000,?,00007FFE,00EF3BA4,00000000), ref: 00ED0421
                      • CloseHandle.KERNEL32(00000000), ref: 00ED0479
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00ED048F
                      • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00ED04E7
                      • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00ED0510
                      • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00ED054A
                        • Part of subcall function 00ED0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00ED00A0
                        • Part of subcall function 00ED0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00ECEB86,Crypt32.dll,00000000,00ECEC0A,?,?,00ECEBEC,?,?,?), ref: 00ED00C2
                      • _swprintf.LIBCMT ref: 00ED05BE
                      • _swprintf.LIBCMT ref: 00ED060A
                        • Part of subcall function 00EC400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00EC401D
                      • AllocConsole.KERNEL32 ref: 00ED0612
                      • GetCurrentProcessId.KERNEL32 ref: 00ED061C
                      • AttachConsole.KERNEL32(00000000), ref: 00ED0623
                      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00ED0649
                      • WriteConsoleW.KERNEL32(00000000), ref: 00ED0650
                      • Sleep.KERNEL32(00002710), ref: 00ED065B
                      • FreeConsole.KERNEL32 ref: 00ED0661
                      • ExitProcess.KERNEL32 ref: 00ED0669
                      Strings
                      Similarity
                      • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                      • String ID: <$ ?$(>$(@$0A$4=$8<$<?$@>$@@$D=$DA$DXGIDebug.dll$P<$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T;$T?$X>$X@$\A$`=$dwmapi.dll$kernel32$l<$p>$p?$p@$uxtheme.dll$x=$|<$>$?

                      Control-flow Graph

                      • Graph listing omitted (first block edbdf5-edbe0d; legend: Executed / Not Executed)
                      APIs
                      • __EH_prolog.LIBCMT ref: 00EDBDFA
                        • Part of subcall function 00EDAA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00EDAAFE
                      • SetWindowTextW.USER32(?,?), ref: 00EDC127
                      • _wcsrchr.LIBVCRUNTIME ref: 00EDC2B1
                      • GetDlgItem.USER32(?,00000066), ref: 00EDC2EC
                      • SetWindowTextW.USER32(00000000,?), ref: 00EDC2FC
                      • SendMessageW.USER32(00000000,00000143,00000000,00F0A472), ref: 00EDC30A
                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00EDC335
                      Strings
                      Similarity
                      • API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                      • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion

                      Control-flow Graph

                      • Graph listing omitted (first block ecd341-ecd378; legend: Executed / Not Executed)
                      APIs
                      • __EH_prolog.LIBCMT ref: 00ECD346
                      • _wcschr.LIBVCRUNTIME ref: 00ECD367
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00ECD328,?), ref: 00ECD382
                      • __fprintf_l.LIBCMT ref: 00ECD873
                        • Part of subcall function 00ED137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00ECB652,00000000,?,?,?,0001044A), ref: 00ED1396
                      Strings
                      Similarity
                      • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                      • String ID: $ ,$$%s:$$9$*messages***$*messages***$@%s:$R$RTL$a

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00EDAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00EDAC85
                        • Part of subcall function 00EDAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EDAC96
                        • Part of subcall function 00EDAC74: IsDialogMessageW.USER32(0001044A,?), ref: 00EDACAA
                        • Part of subcall function 00EDAC74: TranslateMessage.USER32(?), ref: 00EDACB8
                        • Part of subcall function 00EDAC74: DispatchMessageW.USER32(?), ref: 00EDACC2
                      • GetDlgItem.USER32(00000068,00F1ECB0), ref: 00EDCB6E
                      • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,00EDA632,00000001,?,?,00EDAECB,00EF4F88,00F1ECB0), ref: 00EDCB96
                      • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00EDCBA1
                      • SendMessageW.USER32(00000000,000000C2,00000000,00EF35B4), ref: 00EDCBAF
                      • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00EDCBC5
                      • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00EDCBDF
                      • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00EDCC23
                      • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00EDCC31
                      • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00EDCC40
                      • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00EDCC67
                      • SendMessageW.USER32(00000000,000000C2,00000000,00EF431C), ref: 00EDCC76
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      • Associated: 00000000.00000002.2042166638.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042227385.0000000000EF3000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042246130.0000000000EFE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042246130.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042246130.0000000000F21000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F22000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F2C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F56000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F58000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                      • String ID: \
                      • API String ID: 3569833718-2967466578

                      APIs
                      • ShellExecuteExW.SHELL32(?), ref: 00EDCF54
                      • ShowWindow.USER32(?,00000000), ref: 00EDCF93
                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00EDCFCF
                      • CloseHandle.KERNEL32(?), ref: 00EDCFF5
                      • ShowWindow.USER32(?,00000001), ref: 00EDD084
                        • Part of subcall function 00ED17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00ECBB05,00000000,.exe,?,?,00000800,?,?,00ED85DF,?), ref: 00ED17C2
                      Similarity
                      • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                      • String ID: $.exe$.inf
                      • API String ID: 3686203788-2452507128

                      APIs
                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00EE4E35,00EE4E35,?,?,?,00EEA2A9,00000001,00000001,3FE85006), ref: 00EEA0B2
                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00EEA2A9,00000001,00000001,3FE85006,?,?,?), ref: 00EEA138
                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00EEA232
                      • __freea.LIBCMT ref: 00EEA23F
                        • Part of subcall function 00EE8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00EEC13D,00000000,?,00EE67E2,?,00000008,?,00EE89AD,?,?,?), ref: 00EE854A
                      • __freea.LIBCMT ref: 00EEA248
                      • __freea.LIBCMT ref: 00EEA26D
                      Similarity
                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                      • String ID:
                      • API String ID: 1414292761-0

                      APIs
                      • GetClassNameW.USER32(?,?,00000050), ref: 00EDA2DE
                      • SHAutoComplete.SHLWAPI(?,00000010), ref: 00EDA315
                        • Part of subcall function 00ED17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00ECBB05,00000000,.exe,?,?,00000800,?,?,00ED85DF,?), ref: 00ED17C2
                      • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00EDA305
                      Similarity
                      • API ID: AutoClassCompareCompleteFindNameStringWindow
                      • String ID: @Ut$EDIT
                      • API String ID: 4243998846-2065656831

                      APIs
                        • Part of subcall function 00ED0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00ED00A0
                        • Part of subcall function 00ED0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00ECEB86,Crypt32.dll,00000000,00ECEC0A,?,?,00ECEBEC,?,?,?), ref: 00ED00C2
                      • OleInitialize.OLE32(00000000), ref: 00EDA34E
                      • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00EDA385
                      • SHGetMalloc.SHELL32(00F08430), ref: 00EDA38F
                      Similarity
                      • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                      • String ID: riched20.dll$3Qo
                      • API String ID: 3498096277-4232643773

                      APIs
                      • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00EC78AD,?,00000005,?,00000011), ref: 00EC9A4C
                      • GetLastError.KERNEL32(?,?,00EC78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00EC9A59
                      • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00EC78AD,?,00000005,?), ref: 00EC9A8E
                      • GetLastError.KERNEL32(?,?,00EC78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00EC9A96
                      • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00EC78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00EC9ADB
                      Similarity
                      • API ID: File$CreateErrorLast$Time
                      • String ID:
                      • API String ID: 1999340476-0

                      APIs
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00EDAC85
                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EDAC96
                      • IsDialogMessageW.USER32(0001044A,?), ref: 00EDACAA
                      • TranslateMessage.USER32(?), ref: 00EDACB8
                      • DispatchMessageW.USER32(?), ref: 00EDACC2
                      Similarity
                      • API ID: Message$DialogDispatchPeekTranslate
                      • String ID:
                      • API String ID: 1266772231-0

                      APIs
                      • GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\1Ta6ojwHc6.exe,00000104), ref: 00EE76FD
                      • _free.LIBCMT ref: 00EE77C8
                      • _free.LIBCMT ref: 00EE77D2
                      Similarity
                      • API ID: _free$FileModuleName
                      • String ID: C:\Users\user\Desktop\1Ta6ojwHc6.exe
                      • API String ID: 2506810119-2107873517

                      APIs
                      • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00EDD29D
                      • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00EDD2D9
                      Similarity
                      • API ID: EnvironmentVariable
                      • String ID: sfxcmd$sfxpar
                      • API String ID: 1431749950-3493335439
                      APIs
                      • GetStdHandle.KERNEL32(000000F6), ref: 00EC985E
                      • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00EC9876
                      • GetLastError.KERNEL32 ref: 00EC98A8
                      • GetLastError.KERNEL32 ref: 00EC98C7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: ErrorLast$FileHandleRead
                      • String ID:
                      • API String ID: 2244327787-0
                      • Opcode ID: ecb5faab6ec7105de3a8f6ee77036ee8749f1b1056eff371525551734e58f565
                      • Instruction ID: ab51e12cf86816ee06b4d149b68c879fd425d6971556682903c42c7f1ac0dd66
                      • Opcode Fuzzy Hash: ecb5faab6ec7105de3a8f6ee77036ee8749f1b1056eff371525551734e58f565
                      • Instruction Fuzzy Hash: 59119133900204EFDB285A61CA08FB937A9EB42734F10D12EE42AA7582DB36DD469B51
                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00ECCFE0,00000000,00000000,?,00EEA49B,00ECCFE0,00000000,00000000,00000000,?,00EEA698,00000006,FlsSetValue), ref: 00EEA526
                      • GetLastError.KERNEL32(?,00EEA49B,00ECCFE0,00000000,00000000,00000000,?,00EEA698,00000006,FlsSetValue,00EF7348,00EF7350,00000000,00000364,?,00EE9077), ref: 00EEA532
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00EEA49B,00ECCFE0,00000000,00000000,00000000,?,00EEA698,00000006,FlsSetValue,00EF7348,00EF7350,00000000), ref: 00EEA540
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: LibraryLoad$ErrorLast
                      • String ID:
                      • API String ID: 3177248105-0
                      • Opcode ID: fe537b7d67d9b031d7448a7915981be050815237d0ac59f15721838d2cab6142
                      • Instruction ID: eace90c229c7cb2514b4f52245e20da8ba0a7ffbca037c0340e084e045df3d6d
                      • Opcode Fuzzy Hash: fe537b7d67d9b031d7448a7915981be050815237d0ac59f15721838d2cab6142
                      • Instruction Fuzzy Hash: 06012B3271126AAFC7218B7BAC44A677B58AF85BA17181539F907F3140D731FA08CAE1
                      APIs
                        • Part of subcall function 00EE8FA5: GetLastError.KERNEL32(?,00F00EE8,00EE3E14,00F00EE8,?,?,00EE3713,00000050,?,00F00EE8,00000200), ref: 00EE8FA9
                        • Part of subcall function 00EE8FA5: _free.LIBCMT ref: 00EE8FDC
                        • Part of subcall function 00EE8FA5: SetLastError.KERNEL32(00000000,?,00F00EE8,00000200), ref: 00EE901D
                        • Part of subcall function 00EE8FA5: _abort.LIBCMT ref: 00EE9023
                        • Part of subcall function 00EEB2AE: _abort.LIBCMT ref: 00EEB2E0
                        • Part of subcall function 00EEB2AE: _free.LIBCMT ref: 00EEB314
                        • Part of subcall function 00EEAF1B: GetOEMCP.KERNEL32(00000000,?,?,00EEB1A5,?), ref: 00EEAF46
                      • _free.LIBCMT ref: 00EEB200
                      • _free.LIBCMT ref: 00EEB236
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: _free$ErrorLast_abort
                      • String ID:
                      • API String ID: 2991157371-3162483948
                      • Opcode ID: 51252d2aac351dac4998fbba494a8090f2bb8b6b45afa91404e835648ebec0ae
                      • Instruction ID: e86b55031bec03b187444ae53d57a8d33db09e9d8e90bbd376286f91d993e45a
                      • Opcode Fuzzy Hash: 51252d2aac351dac4998fbba494a8090f2bb8b6b45afa91404e835648ebec0ae
                      • Instruction Fuzzy Hash: 4131F63190028CAFDB10EFABD941BAE77E1EF44324F255099E518BB2A1EB725D41CB50
                      APIs
                      • GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,00ECCC94,00000001,?,?,?,00000000,00ED4ECD,?,?,?), ref: 00EC9F4C
                      • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00ED4ECD,?,?,?,?,?,00ED4972,?), ref: 00EC9F8E
                      • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,00ECCC94,00000001,?,?), ref: 00EC9FB8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: FileWrite$Handle
                      • String ID:
                      • API String ID: 4209713984-0
                      • Opcode ID: 786de18fb141a7af8213d1b4031bc09b724a9af9bbf34e59dfcdd59a68ae7425
                      • Instruction ID: b9ea3f85a6949ba8aeaf8a0bb5cf6f88b353eb24d472dfbe7ec16b72c15745a3
                      • Opcode Fuzzy Hash: 786de18fb141a7af8213d1b4031bc09b724a9af9bbf34e59dfcdd59a68ae7425
                      • Instruction Fuzzy Hash: 633104712083459FDF208F24DA48F7ABBA4EB80754F04551DF945BA282CB72DD4ACBA2
                      APIs
                      • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00ECA113,?,00000001,00000000,?,?), ref: 00ECA22E
                      • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00ECA113,?,00000001,00000000,?,?), ref: 00ECA261
                      • GetLastError.KERNEL32(?,?,?,?,00ECA113,?,00000001,00000000,?,?), ref: 00ECA27E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: CreateDirectory$ErrorLast
                      • String ID:
                      • API String ID: 2485089472-0
                      • Opcode ID: cbfc3a0976c444648c4f68349c7755aed054c91d40a7781b3f0a729b8ad01d52
                      • Instruction ID: 69fe16e191dbd032a015f9110ae82c5f48d3cf58ccbbf29c8395e3bbd43885ba
                      • Opcode Fuzzy Hash: cbfc3a0976c444648c4f68349c7755aed054c91d40a7781b3f0a729b8ad01d52
                      • Instruction Fuzzy Hash: BC01612114122C65DB35AA758E09FFD339CAB0674DF0C586EF801F5161DA67CA43C667
                      APIs
                      • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00EEB019
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: Info
                      • String ID:
                      • API String ID: 1807457897-3916222277
                      • Opcode ID: e8344bb994d8ba797a92a94be908cf0a8fe6e4dd8a41c92c51ad605a1bbc81ab
                      • Instruction ID: 09e2f2388e7d2b3a27cd5b29ddd3d3cb7e9cd1312380cc3e8d6900dd144785bf
                      • Opcode Fuzzy Hash: e8344bb994d8ba797a92a94be908cf0a8fe6e4dd8a41c92c51ad605a1bbc81ab
                      • Instruction Fuzzy Hash: D94125B05043CC9EDF228A268C94AF7BBA9EB45308F1414EDE59AA7142D335AE45DF20
                      APIs
                      • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 00EEA79D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: String
                      • String ID: LCMapStringEx
                      • API String ID: 2568140703-3893581201
                      • Opcode ID: 00a65f543a6dd0664b1ebf0ae12cee7609b2aa4833c2493ce0bc2293bd9ae350
                      • Instruction ID: caa8b82da56bb32e9d31e2ebd16781c09f4f02389c19c5a29ca95bf701c271ac
                      • Opcode Fuzzy Hash: 00a65f543a6dd0664b1ebf0ae12cee7609b2aa4833c2493ce0bc2293bd9ae350
                      • Instruction Fuzzy Hash: 1901253250524CBBCF02AFA1DC05DEE3FA6EF48710F054129FE1435160CA329931EB91
                      APIs
                      • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00EE9D2F), ref: 00EEA715
                      Strings
                      • InitializeCriticalSectionEx, xrefs: 00EEA6E5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: CountCriticalInitializeSectionSpin
                      • String ID: InitializeCriticalSectionEx
                      • API String ID: 2593887523-3084827643
                      • Opcode ID: d35f80ae0f7a5445643b4cbdc46628d9a224204fffb1c5fce2ae705730a28b95
                      • Instruction ID: 646deff049beaa9a70618217038ec16db70881123852e5dd2884fab9f1d0bfcb
                      • Opcode Fuzzy Hash: d35f80ae0f7a5445643b4cbdc46628d9a224204fffb1c5fce2ae705730a28b95
                      • Instruction Fuzzy Hash: 30F0BE3164620CBBCB01AF62DC05CBE7FA1EF54720B455069FD197A360DA716A11EB91
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: Alloc
                      • String ID: FlsAlloc
                      • API String ID: 2773662609-671089009
                      • Opcode ID: ab4eb4289b56837e371030e846f120753c6c4a5efac7d382a4950fbdc1ba5b06
                      • Instruction ID: 1abe36382661370dce5eafd0d46e5fa574ec1f8a0830355cdf0fd4ac27941881
                      • Opcode Fuzzy Hash: ab4eb4289b56837e371030e846f120753c6c4a5efac7d382a4950fbdc1ba5b06
                      • Instruction Fuzzy Hash: 8FE0557074636C7F83106F629C068BEBB90CF64B11B050029FD047B340DD702E01D2D6
                      APIs
                      • try_get_function.LIBVCRUNTIME ref: 00EE32AF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: try_get_function
                      • String ID: FlsAlloc
                      • API String ID: 2742660187-671089009
                      • Opcode ID: 3c498c3aea747fb510c487609d2c9780b078a1790f74206cb694df697a717338
                      • Instruction ID: 926c06be70abc35445d6f9a3ea32e88aa86c327d66364510a29f555f695a746b
                      • Opcode Fuzzy Hash: 3c498c3aea747fb510c487609d2c9780b078a1790f74206cb694df697a717338
                      • Instruction Fuzzy Hash: A3D02B23782B7C6AC11033E26C07ABEBE44CF01FB7F461152FF08BB2428461470141C5
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDE20B
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID: 3Qo
                      • API String ID: 1269201914-1944013411
                      • Opcode ID: a1088938ca38546195067d88531711fb4fa86cbe242af997aa74346c7b0c80ca
                      • Instruction ID: 5160af3e88e0f8ebd430dcd96b0097f2d4f518415bfb8ec0404f62f037de247a
                      • Opcode Fuzzy Hash: a1088938ca38546195067d88531711fb4fa86cbe242af997aa74346c7b0c80ca
                      • Instruction Fuzzy Hash: CBB0129136E1057C320C6200FD0AC76032CC4C0B50330A01BB205F828196404D0B5032
                      APIs
                        • Part of subcall function 00EEAF1B: GetOEMCP.KERNEL32(00000000,?,?,00EEB1A5,?), ref: 00EEAF46
                      • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00EEB1EA,?,00000000), ref: 00EEB3C4
                      • GetCPInfo.KERNEL32(00000000,00EEB1EA,?,?,?,00EEB1EA,?,00000000), ref: 00EEB3D7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: CodeInfoPageValid
                      • String ID:
                      • API String ID: 546120528-0
                      • Opcode ID: d40c43f3f86f31a933bf2f8df014e5f9bd0d4bcedf46f8347c6326c6a76775e9
                      • Instruction ID: 4db1ffa4acd1fb2bce8a951a1ef812273eb7580a4c8d9d56dfa1ef7c54a2591c
                      • Opcode Fuzzy Hash: d40c43f3f86f31a933bf2f8df014e5f9bd0d4bcedf46f8347c6326c6a76775e9
                      • Instruction Fuzzy Hash: 66516B70A0029D9FDB24DF73C8816BBBBE5EF40314F18506ED0A6A7293E735A945CB81
                      APIs
                      • __EH_prolog.LIBCMT ref: 00EC1385
                        • Part of subcall function 00EC6057: __EH_prolog.LIBCMT ref: 00EC605C
                        • Part of subcall function 00ECC827: __EH_prolog.LIBCMT ref: 00ECC82C
                        • Part of subcall function 00ECC827: new.LIBCMT ref: 00ECC86F
                        • Part of subcall function 00ECC827: new.LIBCMT ref: 00ECC893
                      • new.LIBCMT ref: 00EC13FE
                        • Part of subcall function 00ECB07D: __EH_prolog.LIBCMT ref: 00ECB082
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: 3d612246688a775f750a77f01f6cc89ccf84284929e35ff9ee297ca20b6edf08
                      • Instruction ID: 1c86228910033449a91b64259b6f26176c07efb130fd1f06670052e45ec15365
                      • Opcode Fuzzy Hash: 3d612246688a775f750a77f01f6cc89ccf84284929e35ff9ee297ca20b6edf08
                      • Instruction Fuzzy Hash: 0F4166B0805B40DED724DF798485AE7FBE5FB18300F505A6EE2EE93282CB322554CB11
                      APIs
                      • __EH_prolog.LIBCMT ref: 00EC1385
                        • Part of subcall function 00EC6057: __EH_prolog.LIBCMT ref: 00EC605C
                        • Part of subcall function 00ECC827: __EH_prolog.LIBCMT ref: 00ECC82C
                        • Part of subcall function 00ECC827: new.LIBCMT ref: 00ECC86F
                        • Part of subcall function 00ECC827: new.LIBCMT ref: 00ECC893
                      • new.LIBCMT ref: 00EC13FE
                        • Part of subcall function 00ECB07D: __EH_prolog.LIBCMT ref: 00ECB082
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: 0675634e5d941f29fccc6ba0a17f3e0ea4e78df4f65c5960115309d5ba5ce859
                      • Instruction ID: 01c184216424955073bf8719b58018f69112b8a38f3041cfb70c447265fc7c53
                      • Opcode Fuzzy Hash: 0675634e5d941f29fccc6ba0a17f3e0ea4e78df4f65c5960115309d5ba5ce859
                      • Instruction Fuzzy Hash: 7B4135B0805B409EE724DF798585AE7FAE5FB19300F545A6EE1EEA3282CB322554CB11
                      APIs
                      • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00EC9EDC,?,?,00EC7867), ref: 00EC97A6
                      • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00EC9EDC,?,?,00EC7867), ref: 00EC97DB
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: 661b3f5723f3428ca833badac042de1b6f13b28ca19ee6013b8b2bfe61035512
                      • Instruction ID: 2c449c774462f1a1b342ff1b124569c6e8c42a98cc3aca4bd64b4ae3aec82712
                      • Opcode Fuzzy Hash: 661b3f5723f3428ca833badac042de1b6f13b28ca19ee6013b8b2bfe61035512
                      • Instruction Fuzzy Hash: 8D213AB0001744AFD7308F24CD89FA777E8EB49768F00491EF5D5A21D2C376AC4A8B20
                      APIs
                      • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00EC7547,?,?,?,?), ref: 00EC9D7C
                      • SetFileTime.KERNELBASE(?,?,?,?), ref: 00EC9E2C
                      Similarity
                      • API ID: File$BuffersFlushTime
                      • String ID:
                      • API String ID: 1392018926-0
                      • Opcode ID: 542a90c78d0bb2930aa1f9ed286af4e6eaec370816db1cb08fccb289c586a557
                      • Instruction ID: 632507aa97ec7be119d10c0276bdfdbce6696adc437a38ad3d4b7b6439aecd9d
                      • Opcode Fuzzy Hash: 542a90c78d0bb2930aa1f9ed286af4e6eaec370816db1cb08fccb289c586a557
                      • Instruction Fuzzy Hash: C621E431148246ABC710DE25C555FAABFE4AF91708F08185DF4C2B3142C72ADA0ECBA1
                      APIs
                      • GetProcAddress.KERNEL32(00000000,00EF3958), ref: 00EEA4B8
                      • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00EEA4C5
                      Similarity
                      • API ID: AddressProc__crt_fast_encode_pointer
                      • String ID:
                      • API String ID: 2279764990-0
                      • Opcode ID: 34c42c6a1ba34122c58c3fd89a43b47e2392e5efb380eabaaf3db89c874e3e83
                      • Instruction ID: 29b984a6029dc19a01d3bfd010821e6fbb5e96ae2f314f21464d471f4fea7ad0
                      • Opcode Fuzzy Hash: 34c42c6a1ba34122c58c3fd89a43b47e2392e5efb380eabaaf3db89c874e3e83
                      • Instruction Fuzzy Hash: C911E733A1116D5F9B329E2AEC448AA73959B8036471A5134FD25FF294EB70FC41C7D2
                      APIs
                      • SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00EC9B35,?,?,00000000,?,?,00EC8D9C,?), ref: 00EC9BC0
                      • GetLastError.KERNEL32 ref: 00EC9BCD
                      Similarity
                      • API ID: ErrorFileLastPointer
                      • String ID:
                      • API String ID: 2976181284-0
                      • Opcode ID: b46db76bc474ec7c24c7f4abe4803d2abfc3133d8a7b3f99b9f3817e034b931a
                      • Instruction ID: 48d8666912eec4f7e76c58d352bb882066409e3e32e41f8b9a7a9c587cebf673
                      • Opcode Fuzzy Hash: b46db76bc474ec7c24c7f4abe4803d2abfc3133d8a7b3f99b9f3817e034b931a
                      • Instruction Fuzzy Hash: F4010C32304205AF8708CF25AE8CEBEB399AFC0721710552DF816A7292CE32DC069624
                      APIs
                      • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00EC9E76
                      • GetLastError.KERNEL32 ref: 00EC9E82
                      Similarity
                      • API ID: ErrorFileLastPointer
                      • String ID:
                      • API String ID: 2976181284-0
                      • Opcode ID: af95dc9aca0831f1268849a8ce4039727b033c5a65c48b9ffdc34ccc89be7e42
                      • Instruction ID: bc6ee55fa50eee5104d461e67a5d5a80eda12e4354fec3227dda589781ab4ebc
                      • Opcode Fuzzy Hash: af95dc9aca0831f1268849a8ce4039727b033c5a65c48b9ffdc34ccc89be7e42
                      • Instruction Fuzzy Hash: 7301B1713042005FEB34DE29DE48FABB7D99B98319F14493EB146D3681DE32EC4D8610
                      APIs
                      • _free.LIBCMT ref: 00EE8627
                        • Part of subcall function 00EE8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00EEC13D,00000000,?,00EE67E2,?,00000008,?,00EE89AD,?,?,?), ref: 00EE854A
                      • HeapReAlloc.KERNEL32(00000000,?,?,?,?,00F00F50,00ECCE57,?,?,?,?,?,?), ref: 00EE8663
                      Similarity
                      • API ID: Heap$AllocAllocate_free
                      • String ID:
                      • API String ID: 2447670028-0
                      • Opcode ID: c0b96caef16fcad25991ade102eea0d9376a3c5cc5d67931df9b8ce1bbc6cdf4
                      • Instruction ID: b7219d389a662df0e88943a070d99a0e1f299f6b11babf1e0b3a000da7a64291
                      • Opcode Fuzzy Hash: c0b96caef16fcad25991ade102eea0d9376a3c5cc5d67931df9b8ce1bbc6cdf4
                      • Instruction Fuzzy Hash: 4DF062311015DF6ADB212B27AF00E6F37A9AFE27A4F246116F85CB6191DF20C80195A5
                      APIs
                      • GetCurrentProcess.KERNEL32(?,?), ref: 00ED0915
                      • GetProcessAffinityMask.KERNEL32(00000000), ref: 00ED091C
                      Similarity
                      • API ID: Process$AffinityCurrentMask
                      • String ID:
                      • API String ID: 1231390398-0
                      • Opcode ID: 283192b245c6b3094337374716889b22f4266c36c53b943cf49ca0e864baa983
                      • Instruction ID: 89f97bf973702c5cbe865f5b811319b1825702b2f32463b5bf9e4385c564c30c
                      • Opcode Fuzzy Hash: 283192b245c6b3094337374716889b22f4266c36c53b943cf49ca0e864baa983
                      • Instruction Fuzzy Hash: 7BE09B72A10105BF6F05CAB59C146FB739DDBC4314B18517BA806F3301F930DD068664
                      APIs
                      • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00ECA27A,?,?,?,00ECA113,?,00000001,00000000,?,?), ref: 00ECA458
                      • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00ECA27A,?,?,?,00ECA113,?,00000001,00000000,?,?), ref: 00ECA489
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 50868c15a4cf297b96d7c5814858fa1f6a17a17a38ec5f92416a65dca51ff14a
                      • Instruction ID: a8672029a44c951a58d57cb8a278972591aa10e2f0875953121f23ecdc4019a0
                      • Opcode Fuzzy Hash: 50868c15a4cf297b96d7c5814858fa1f6a17a17a38ec5f92416a65dca51ff14a
                      • Instruction Fuzzy Hash: 56F0373124020D7BDF115F71DC45FE9775CBB04389F488065BC4CA6161DB7699A9EA50
                      APIs
                      Similarity
                      • API ID: ItemText_swprintf
                      • String ID:
                      • API String ID: 3011073432-0
                      • Opcode ID: 155a2c3b0a5c4d5ee4abfde486ed0b3d704191938b28369c06bcbd983099001d
                      • Instruction ID: f6faa0c6494e20bdd3eeb377502df65598b1ac8d0b4b55fe5d393da080da5612
                      • Opcode Fuzzy Hash: 155a2c3b0a5c4d5ee4abfde486ed0b3d704191938b28369c06bcbd983099001d
                      • Instruction Fuzzy Hash: C0F0EC7150434C7ADB11EB70AC07FA9379DE704745F040657B601771A2DA726A629762
                      APIs
                      • DeleteFileW.KERNELBASE(?,?,?,00EC984C,?,?,00EC9688,?,?,?,?,00EF1FA1,000000FF), ref: 00ECA13E
                      • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00EC984C,?,?,00EC9688,?,?,?,?,00EF1FA1,000000FF), ref: 00ECA16C
                      Similarity
                      • API ID: DeleteFile
                      • String ID:
                      • API String ID: 4033686569-0
                      • Opcode ID: 8a9091f759a4fcac947654afda3f0f1336c166df73d4c62a4c10d9428f9c56bb
                      • Instruction ID: c7e74590395c831f42456e31b957177d3c181df8a576505057dfba29b98d1756
                      • Opcode Fuzzy Hash: 8a9091f759a4fcac947654afda3f0f1336c166df73d4c62a4c10d9428f9c56bb
                      • Instruction Fuzzy Hash: 1AE0ED7424120C6ADB10AA30DC01FF9339CAB08385F48106AB888E2160DB22CD99EA90
                      APIs
                      • GdiplusShutdown.GDIPLUS(?,?,?,?,00EF1FA1,000000FF), ref: 00EDA3D1
                      • CoUninitialize.COMBASE(?,?,?,?,00EF1FA1,000000FF), ref: 00EDA3D6
                      Similarity
                      • API ID: GdiplusShutdownUninitialize
                      • String ID:
                      • API String ID: 3856339756-0
                      • Opcode ID: 0da9eb39d0fad7a2f849d34b3f7c049c700e6472dbb4b6804056acd175cdc1ba
                      • Instruction ID: 91757c6d229802ab715f0afe1d586f9d339ade168fabf2a1c7d397ce86aa8d6d
                      • Opcode Fuzzy Hash: 0da9eb39d0fad7a2f849d34b3f7c049c700e6472dbb4b6804056acd175cdc1ba
                      • Instruction Fuzzy Hash: 96F06D32A18A58EFC710EB5DDD05B19FBACFB89B20F04436AF41993760CB746811CA91
                      APIs
                      • GetFileAttributesW.KERNELBASE(?,?,?,00ECA189,?,00EC76B2,?,?,?,?), ref: 00ECA1A5
                      • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00ECA189,?,00EC76B2,?,?,?,?), ref: 00ECA1D1
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 81169c34e094a4df2bb422c008f6b1a802bd7c4e58ae1c5c613265a8abf4e009
                      • Instruction ID: fa6b06b9d5954f18dddd14fc36027d8f4351df7aa6abb4246dcd7974a2ad1180
                      • Opcode Fuzzy Hash: 81169c34e094a4df2bb422c008f6b1a802bd7c4e58ae1c5c613265a8abf4e009
                      • Instruction Fuzzy Hash: C5E065769001186BCB11AA64DC05FE9779CAB083A5F044266BD48F3290DA719D459AD0
                      APIs
                      • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00ED00A0
                      • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00ECEB86,Crypt32.dll,00000000,00ECEC0A,?,?,00ECEBEC,?,?,?), ref: 00ED00C2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: DirectoryLibraryLoadSystem
                      • String ID:
                      • API String ID: 1175261203-0
                      • Opcode ID: 91a1afca2041b32b25c723bd632e98189d79da0b2e74556f24c82ddb03a2a5cc
                      • Instruction ID: f7acce2556db549ccd1b5a267d16924da60405e2ed6d8ea3f1e86b2de9fea4f0
                      • Opcode Fuzzy Hash: 91a1afca2041b32b25c723bd632e98189d79da0b2e74556f24c82ddb03a2a5cc
                      • Instruction Fuzzy Hash: B4E0927690011C6ACB20AAA4DC09FEA77ACEF09382F0400A6B908E3144DA709A44CBA4
                      APIs
                      • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00ED9B30
                      • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00ED9B37
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: BitmapCreateFromGdipStream
                      • String ID:
                      • API String ID: 1918208029-0
                      • Opcode ID: 7e3e9d745dc59615f46281d80d60315efa8591ee0ba36277cd6c832b8c6bec68
                      • Instruction ID: d3e91f793bcd400072be4d8d9abf5e4b1a4b015e67a8a485a97351db48f47dba
                      • Opcode Fuzzy Hash: 7e3e9d745dc59615f46281d80d60315efa8591ee0ba36277cd6c832b8c6bec68
                      • Instruction Fuzzy Hash: DFE0ED71901218EBCB10EF98E9056AAB7F8EB04321F10905FE895A7311D6716E049B95
                      APIs
                        • Part of subcall function 00EE329A: try_get_function.LIBVCRUNTIME ref: 00EE32AF
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EE217A
                      • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00EE2185
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                      • String ID:
                      • API String ID: 806969131-0
                      • Opcode ID: 7fc5ca1be2ec05a846d86438220902dca51023ff4aea84de2292e11c7bfb4242
                      • Instruction ID: 78235fb95fcab0de5d6dce92a0b429894829f0e2f3a4de92148405253086946d
                      • Opcode Fuzzy Hash: 7fc5ca1be2ec05a846d86438220902dca51023ff4aea84de2292e11c7bfb4242
                      • Instruction Fuzzy Hash: AAD0A7341053CD242D082EB328464A8238D6952B743E03A8DE320F60E1EE1083046111
                      APIs
                      • DloadLock.DELAYIMP ref: 00EDDC73
                      • DloadProtectSection.DELAYIMP ref: 00EDDC8F
                        • Part of subcall function 00EDDE67: DloadObtainSection.DELAYIMP ref: 00EDDE77
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: Dload$Section$LockObtainProtect
                      • String ID:
                      • API String ID: 731663317-0
                      • Opcode ID: 574a3696c1f86ade7499619d67a725e01dd8a7dbb87eecd592bb9cb655c574c4
                      • Instruction ID: 3bb12616dfdf936e16354af5456e4fa6814c67105bf07b7d0c7845e204988b22
                      • Opcode Fuzzy Hash: 574a3696c1f86ade7499619d67a725e01dd8a7dbb87eecd592bb9cb655c574c4
                      • Instruction Fuzzy Hash: 2BD012B158C2144EC621EB149D4676C73B4F714759F642603F505F73A2DFF44487E606
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: ItemShowWindow
                      • String ID:
                      • API String ID: 3351165006-0
                      • Opcode ID: 333d868eaf4bb4cb4c16db8e409f56f4141d7a57b4585c00763e6b01bd59b8d8
                      • Instruction ID: 184e90f4d379c6785104743ccca48e4f658a1243cef36967d91b84884a1e6ab9
                      • Opcode Fuzzy Hash: 333d868eaf4bb4cb4c16db8e409f56f4141d7a57b4585c00763e6b01bd59b8d8
                      • Instruction Fuzzy Hash: 7DC01232058208BECB410BB0DC09D3FBBA8BBA4212F05C908B2A5C0060C238C020EB11
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: 361c93829343fb2d679c7e2e0297491705168f222a6236654a7ff563403e7b77
                      • Instruction ID: 354245a908f72262e3977773c4532976d19ebdfb233d97d46bec4c62058c0d9d
                      • Opcode Fuzzy Hash: 361c93829343fb2d679c7e2e0297491705168f222a6236654a7ff563403e7b77
                      • Instruction Fuzzy Hash: 7EC1A330A042449FEF14DF68C684FA97BA5AF46314F1860FDEC46AB243CB329956CB61
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: 9de62abe30fb0591222e845d43121208907bc6a06bf9fa33897a3af436a65f22
                      • Instruction ID: 00f60a0a7b06c2038a648de12b9de13fdf8ae35875a1f519106f0f1ed87582b9
                      • Opcode Fuzzy Hash: 9de62abe30fb0591222e845d43121208907bc6a06bf9fa33897a3af436a65f22
                      • Instruction Fuzzy Hash: 2F71EE71100F44AECB25DB30CD41FEBB7E8AF14301F44996EE5AB67242DA326A4ADF10
                      APIs
                      • __EH_prolog.LIBCMT ref: 00EC8384
                        • Part of subcall function 00EC1380: __EH_prolog.LIBCMT ref: 00EC1385
                        • Part of subcall function 00EC1380: new.LIBCMT ref: 00EC13FE
                        • Part of subcall function 00EC19A6: __EH_prolog.LIBCMT ref: 00EC19AB
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: ba4dc743340939e89b973df12df8f23ccddb9aaef813ba71c17b383eb9e4918c
                      • Instruction ID: 254fcdd35d0677e563599ace9f612388170a3e2ecdde1238cd65b52a1baf3c56
                      • Opcode Fuzzy Hash: ba4dc743340939e89b973df12df8f23ccddb9aaef813ba71c17b383eb9e4918c
                      • Instruction Fuzzy Hash: 5541D4318006589ADB24EB60CB55FEA73A8AF50304F0450EEE59AB7093DF765ECADB50
                      APIs
                      • __EH_prolog.LIBCMT ref: 00EC1E05
                        • Part of subcall function 00EC3B3D: __EH_prolog.LIBCMT ref: 00EC3B42
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: ea9ab229ed985acf91d0b17b823a8e161b8d8174b8786783519ecd3fe6a78584
                      • Instruction ID: 69eec90b5824593c18763d4a4813ee94e7d92bd73d552d6e06d8358a7d310321
                      • Opcode Fuzzy Hash: ea9ab229ed985acf91d0b17b823a8e161b8d8174b8786783519ecd3fe6a78584
                      • Instruction Fuzzy Hash: 9F211C729042489FCB15EF99DA51AEEFBF5FF59300B1010AEE845B7252CB325E15CB60
                      APIs
                      • __EH_prolog.LIBCMT ref: 00EDA7C8
                        • Part of subcall function 00EC1380: __EH_prolog.LIBCMT ref: 00EC1385
                        • Part of subcall function 00EC1380: new.LIBCMT ref: 00EC13FE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: a80f73efbbe1483dee093eefbd268129e170e2866debef7352539bdb67ae0844
                      • Instruction ID: d1e1deebfb58ac4401a467112724d7b76e868a495f8badb73f44b3bef2eba72c
                      • Opcode Fuzzy Hash: a80f73efbbe1483dee093eefbd268129e170e2866debef7352539bdb67ae0844
                      • Instruction Fuzzy Hash: BB215C75C042899ACB15DF94C9429EEB7F4EF1A304F0414EEE809B7342DB356E069BA1
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: 8b76ecfbdec6f02d46aa1a03f9d14059001ed9f6696ede9329ec694ffd5bf5fb
                      • Instruction ID: fbdb0777acf382a54ba50aa2b9d28d93905c79805e86a713d55a3f5a60d72024
                      • Opcode Fuzzy Hash: 8b76ecfbdec6f02d46aa1a03f9d14059001ed9f6696ede9329ec694ffd5bf5fb
                      • Instruction Fuzzy Hash: F6118673E0056897CB11AB9CCE45EDDB775EF48750F005119FC09B7252CB368D128690
                      APIs
                      • __EH_prolog.LIBCMT ref: 00EC5BDC
                        • Part of subcall function 00ECB07D: __EH_prolog.LIBCMT ref: 00ECB082
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: ce99b4d7a09b89f02fa7d648bf89ea26fa32a0c6ed2194e205729b12c3679a5b
                      • Instruction ID: c9332b20dc7d1d115d1ace1910e01ddcbefdf3ea2b65ac03d7ccc8edf6af0ec0
                      • Opcode Fuzzy Hash: ce99b4d7a09b89f02fa7d648bf89ea26fa32a0c6ed2194e205729b12c3679a5b
                      • Instruction Fuzzy Hash: 2501A230900744DEC724F7A8C146BDDF7E49F19300F40609EE45A23283CBB11B05C652
                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00EEC13D,00000000,?,00EE67E2,?,00000008,?,00EE89AD,?,?,?), ref: 00EE854A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      • Opcode ID: 7cc6447061a051ad2eeeaaf34103111d55afc2a84c3f1e217698c69d3e64a3cf
                      • Instruction ID: aa732a7b45e2c8cc2b8a206252fa99d0fcfb4e304fb426e7c8c86e5e74ab9759
                      • Opcode Fuzzy Hash: 7cc6447061a051ad2eeeaaf34103111d55afc2a84c3f1e217698c69d3e64a3cf
                      • Instruction Fuzzy Hash: 8AE0E5215406ED5AEB31276B5E00B9A3BCC9B813B0F142212AC5DB6091CE20CC0585E5
                      APIs
                      • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00ECA4F5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: CloseFind
                      • String ID:
                      • API String ID: 1863332320-0
                      • Opcode ID: 64639925f326e897efd68c457208a454672f44f3ea431a4d955c963f1b30faf0
                      • Instruction ID: 608a0fcdc4c8b49e4dc26c6c3266f1857e9537c7c6a84b344314a349f474aab1
                      • Opcode Fuzzy Hash: 64639925f326e897efd68c457208a454672f44f3ea431a4d955c963f1b30faf0
                      • Instruction Fuzzy Hash: 5DF0E931409384ABCB221BB88904FD6BBD16F05339F0CDA0DF1FD22192C27614879723
                      APIs
                      • SetThreadExecutionState.KERNEL32(00000001), ref: 00ED06B1
                      Similarity
                      • API ID: ExecutionStateThread
                      • String ID:
                      • API String ID: 2211380416-0
                      • Opcode ID: e9ab7f24df1d6e6c0b840dfc3d99aec18eb79d3e2627fffb367d6d781e04bf1b
                      • Instruction ID: 794f0f711fe1367a29a18712b1ee0741249a71c6c3a45d147a72a8ce0e1bb899
                      • Opcode Fuzzy Hash: e9ab7f24df1d6e6c0b840dfc3d99aec18eb79d3e2627fffb367d6d781e04bf1b
                      • Instruction Fuzzy Hash: A9D0C2202042102DDB213379A805BFF1A86CFC6712F0D2067B10D337878E460887A2A2
                      APIs
                      • GdipAlloc.GDIPLUS(00000010), ref: 00ED9D81
                        • Part of subcall function 00ED9B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00ED9B30
                      Similarity
                      • API ID: Gdip$AllocBitmapCreateFromStream
                      • String ID:
                      • API String ID: 1915507550-0
                      • Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                      • Instruction ID: f542753f2ebc08ca855c99a68728b2761d8b98da332142ffd7b5745f2dfba05d
                      • Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                      • Instruction Fuzzy Hash: 7DD0A73031420C7ADF40BA708C0297A7BE9DB00300F005027BC0CA6352EE71DE11A261
                      APIs
                      • GetFileType.KERNELBASE(000000FF,00EC9887), ref: 00EC9995
                      Similarity
                      • API ID: FileType
                      • String ID:
                      • API String ID: 3081899298-0
                      • Opcode ID: 6a18748744a17b9a1c7e7e7dcaef1fd88c6988709b6379b72f47aaee57e97072
                      • Instruction ID: 18b1469e38dbee2a2c53ed31514a8b4a34e497b4a6372f39e15ac94934201ff1
                      • Opcode Fuzzy Hash: 6a18748744a17b9a1c7e7e7dcaef1fd88c6988709b6379b72f47aaee57e97072
                      • Instruction Fuzzy Hash: EAD01231111180A58F2146354E0DAA97751DBC337EB38E6ECD025D80A2DB33C813F542
                      APIs
                      • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00EDD43F
                        • Part of subcall function 00EDAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00EDAC85
                        • Part of subcall function 00EDAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EDAC96
                        • Part of subcall function 00EDAC74: IsDialogMessageW.USER32(0001044A,?), ref: 00EDACAA
                        • Part of subcall function 00EDAC74: TranslateMessage.USER32(?), ref: 00EDACB8
                        • Part of subcall function 00EDAC74: DispatchMessageW.USER32(?), ref: 00EDACC2
                      Similarity
                      • API ID: Message$DialogDispatchItemPeekSendTranslate
                      • String ID:
                      • API String ID: 897784432-0
                      • Opcode ID: 8e894a7ba6f6a211e92cc9bbbcd6601185a21826e51679e8f28dafebf8bbdf59
                      • Instruction ID: 322b0834edb8d28a1de3636d8b53a79bef0a839f14107c8e1a5b824da938df57
                      • Opcode Fuzzy Hash: 8e894a7ba6f6a211e92cc9bbbcd6601185a21826e51679e8f28dafebf8bbdf59
                      • Instruction Fuzzy Hash: 96D09E31144300BBDA116B51CE07F1FBAE6BB88B04F004564B344740B286729D32AB16
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 43f82a3304b69ead37db6f9433c34e958dd97fe5678ec53809ac4cd79c788627
                      • Instruction ID: 7ba5380c5e1b7395df80350d1bdd7c12f9125207f637fb8fb544a4214c3751cc
                      • Opcode Fuzzy Hash: 43f82a3304b69ead37db6f9433c34e958dd97fe5678ec53809ac4cd79c788627
                      • Instruction Fuzzy Hash: 8CB012E536C2017D318C6204FC02D36025CC5C0B10330611BF10DF12C1D4406C466432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: a697537672479feb55059f65fbc9ac48531d8fb41a1e2c8c0347b4980b84587e
                      • Instruction ID: 85a87c4f1f81f027da5bc3872f81da2ec435bd86075920a4013f9755b635efa2
                      • Opcode Fuzzy Hash: a697537672479feb55059f65fbc9ac48531d8fb41a1e2c8c0347b4980b84587e
                      • Instruction Fuzzy Hash: CEB012E536C1017D314C6205FC02D36025CD5C0B10330601BF10DF12C1D4406C066432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: bbcc940cca0986a7d44f1553920a925b1d151edf68874a93e669ca0b9a4ccc69
                      • Instruction ID: 19eab9e01c4cb842aebed1d10731a95d84af1f3ea5d55fbb4f8ad068b5b2b00a
                      • Opcode Fuzzy Hash: bbcc940cca0986a7d44f1553920a925b1d151edf68874a93e669ca0b9a4ccc69
                      • Instruction Fuzzy Hash: 7AB012E536C1017D314C6204FD03D36025CC5C0B10330601BF10DF12C1D4416D076432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 45a05c86e36428203dedc1d71c7dd89e8790adb491bcd967762aa16fad0d2d85
                      • Instruction ID: 9f0ab6246984e22f8b168c8a0acbe7f81581c943ede992e510446247517bdd37
                      • Opcode Fuzzy Hash: 45a05c86e36428203dedc1d71c7dd89e8790adb491bcd967762aa16fad0d2d85
                      • Instruction Fuzzy Hash: 42B012D536C1017C314C6204FD03D36025CC5C0B10330A01BF109F13C1D4416C1F2432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: d1685524814d327f818df540955dfcdd152e9e2176a3026a37a49ffe926a9865
                      • Instruction ID: e13326ea60c36ab549da4d587e081cf44fd3ca72149ee06cb49f1ae8053112ea
                      • Opcode Fuzzy Hash: d1685524814d327f818df540955dfcdd152e9e2176a3026a37a49ffe926a9865
                      • Instruction Fuzzy Hash: 91B012D536C2017C318C6204FC02D36025CC5C0B10330A11BF109F13C1D4406C9B2432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: b262f3e34fabb3b7049494bebc8ef636cf457dbe9998942ea57caf318426a4f3
                      • Instruction ID: 9d150eaaf4a8696d8767863986c2ebf6e8912e9b388e082ee1f5d87077bd1e56
                      • Opcode Fuzzy Hash: b262f3e34fabb3b7049494bebc8ef636cf457dbe9998942ea57caf318426a4f3
                      • Instruction Fuzzy Hash: 34B012E536C1017D314C6204FC02D36025CC5C1B10330A01BF50DF12C1D4406C066432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: abab6f01aead4be0da0fc36d3baef652072a14f3072b6e1677d5c9aa09f9ffb6
                      • Instruction ID: 95152f1561a56995f5b5298d1f0445df53ab3cb87ade660e44ac6d68fae5e1f4
                      • Opcode Fuzzy Hash: abab6f01aead4be0da0fc36d3baef652072a14f3072b6e1677d5c9aa09f9ffb6
                      • Instruction Fuzzy Hash: B5B012D936C2057C314C6204FC42D3B025CF5C0B10330601BF109F12C1D4406C062532
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: d471eec474500406434a5f5e10b4285d28a018da8b13eac545e5a9c90432bd5e
                      • Instruction ID: 6b6faa9837aee8d845a7e45880a46a3bcd14b67c8e568e8226ccae00e54ba7f7
                      • Opcode Fuzzy Hash: d471eec474500406434a5f5e10b4285d28a018da8b13eac545e5a9c90432bd5e
                      • Instruction Fuzzy Hash: 57B012D536C1017C314C6204FC02D36025CC5C1B10330E01BF509F13C1D4406C1B2432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDAB2
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDAB2
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDBD5
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDBD5
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDBD5
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDBD5
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDAB2
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDC36
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: dc49a7da8e96724ede83267d1a97ec9ea979aac3238f65c3291c17dfce19a03c
                      • Instruction ID: 8fbf3d084f72206b6fbacba4eff967896b72dcf699bc21a29392da12daecd249
                      • Opcode Fuzzy Hash: dc49a7da8e96724ede83267d1a97ec9ea979aac3238f65c3291c17dfce19a03c
                      • Instruction Fuzzy Hash: 46B0129537C3057C314C6244FD02D76027CD1C0B10330651BB209F0242D6805C0A5032
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDC36
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDC36
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDD8A3
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 40b54cd51d289e8dc0bf7ef523f4c1256f2eaae31c19e7cb9bc8c003ccdd64a3
                      • Instruction ID: 41543f250118169225d02ec4fa203339e1c8c701967197faa0906ab15f741c0c
                      • Opcode Fuzzy Hash: 40b54cd51d289e8dc0bf7ef523f4c1256f2eaae31c19e7cb9bc8c003ccdd64a3
                      • Instruction Fuzzy Hash: 68A011EA2AC202BC300C2200EC02C3A022CC8C0B20330A80BF00AB02C0A880280A2832
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDAB2
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: fc7f8c9f6b0b0c66aec2d8e2f4960a865a101a74da252166cf79fb4eb8088722
                      • Instruction ID: 107dfb087a55e233ab4cca01a2bf3cbef8797f723ef477ab4ade3c88a2d5d4b4
                      • Opcode Fuzzy Hash: fc7f8c9f6b0b0c66aec2d8e2f4960a865a101a74da252166cf79fb4eb8088722
                      • Instruction Fuzzy Hash: 6CA001A62AD207BC31187252ED16DBA02ACD4C4B61330BA5BF50AF4289A985584A5832
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDAB2
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 576cc9394c068db5e6f7cc47d840a7d29a1a1a84161eac260c5a5befee01fd87
                      • Instruction ID: 107dfb087a55e233ab4cca01a2bf3cbef8797f723ef477ab4ade3c88a2d5d4b4
                      • Opcode Fuzzy Hash: 576cc9394c068db5e6f7cc47d840a7d29a1a1a84161eac260c5a5befee01fd87
                      • Instruction Fuzzy Hash: 6CA001A62AD207BC31187252ED16DBA02ACD4C4B61330BA5BF50AF4289A985584A5832
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDAB2
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 9bee0ed2b65ad3b4a91d366a67ccd702c4a58c3f5f096fc51a822a4034c7b554
                      • Instruction ID: 107dfb087a55e233ab4cca01a2bf3cbef8797f723ef477ab4ade3c88a2d5d4b4
                      • Opcode Fuzzy Hash: 9bee0ed2b65ad3b4a91d366a67ccd702c4a58c3f5f096fc51a822a4034c7b554
                      • Instruction Fuzzy Hash: 6CA001A62AD207BC31187252ED16DBA02ACD4C4B61330BA5BF50AF4289A985584A5832
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDAB2
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: a56261a6d84a8abf6ee4d578a185a8b889a10360a3a7cb8da2f8e80f45f34b7b
                      • Instruction ID: 107dfb087a55e233ab4cca01a2bf3cbef8797f723ef477ab4ade3c88a2d5d4b4
                      • Opcode Fuzzy Hash: a56261a6d84a8abf6ee4d578a185a8b889a10360a3a7cb8da2f8e80f45f34b7b
                      • Instruction Fuzzy Hash: 6CA001A62AD207BC31187252ED16DBA02ACD4C4B61330BA5BF50AF4289A985584A5832
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDAB2
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 3be054804c3a4a90d9d88be4df2e18c4734c80d7aa954a9c9d17c9a27c4e6ddb
                      • Instruction ID: 107dfb087a55e233ab4cca01a2bf3cbef8797f723ef477ab4ade3c88a2d5d4b4
                      • Opcode Fuzzy Hash: 3be054804c3a4a90d9d88be4df2e18c4734c80d7aa954a9c9d17c9a27c4e6ddb
                      • Instruction Fuzzy Hash: 6CA001A62AD207BC31187252ED16DBA02ACD4C4B61330BA5BF50AF4289A985584A5832
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDAB2
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: e4bf5437e40e5be63f5675dab16484ed87cf7fd126938b341e7c62fe5c9486db
                      • Instruction ID: c1d09d4bac5d0e805fe233379bb5beb5ee2232e5a7a9e9ac887553d61bddd262
                      • Opcode Fuzzy Hash: e4bf5437e40e5be63f5675dab16484ed87cf7fd126938b341e7c62fe5c9486db
                      • Instruction Fuzzy Hash: E1A001A63AD6067C3158B252ED16DBA02ACE4D0B22330B65BF50AF4289A985584A5832
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDBD5
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: bb33893acd184decd5090cf4687121b2a498f6136a74d1d09c770f69330c090b
                      • Instruction ID: b0825ea8e973ba04c5e4ff20862e57fa2613c5602772b2408a841fb26961f147
                      • Opcode Fuzzy Hash: bb33893acd184decd5090cf4687121b2a498f6136a74d1d09c770f69330c090b
                      • Instruction Fuzzy Hash: BEA0029936D10ABC31085255AD17D76026CD4C4B55331A51BB506B414559515C4A5431
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDC36
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: c007f190951cf5da07c5c2549ab694e0a7939006c61690f69ee68f28d499f8fa
                      • Instruction ID: b6b035aaada93a00f6188fe4dc0f0d87a23f8c5cd815e9d47bb6e505e52bca56
                      • Opcode Fuzzy Hash: c007f190951cf5da07c5c2549ab694e0a7939006c61690f69ee68f28d499f8fa
                      • Instruction Fuzzy Hash: 3BA001AA6BD20ABC710C6291AE16DBA566DD4C4B61730A91BB60AB4291AA806C4A9431
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDC36
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 89caa9531948603b3c705e9ca092775b7b256aaba47c4d2f9ad573e8b366471d
                      • Instruction ID: b6b035aaada93a00f6188fe4dc0f0d87a23f8c5cd815e9d47bb6e505e52bca56
                      • Opcode Fuzzy Hash: 89caa9531948603b3c705e9ca092775b7b256aaba47c4d2f9ad573e8b366471d
                      • Instruction Fuzzy Hash: 3BA001AA6BD20ABC710C6291AE16DBA566DD4C4B61730A91BB60AB4291AA806C4A9431
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDBD5
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: e2e154f819e48ad023d707d08f5f4ac2cd74a5e3aa8fb17f03971a178cd065fe
                      • Instruction ID: b0825ea8e973ba04c5e4ff20862e57fa2613c5602772b2408a841fb26961f147
                      • Opcode Fuzzy Hash: e2e154f819e48ad023d707d08f5f4ac2cd74a5e3aa8fb17f03971a178cd065fe
                      • Instruction Fuzzy Hash: BEA0029936D10ABC31085255AD17D76026CD4C4B55331A51BB506B414559515C4A5431
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDBD5
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: ede214daa4d1131bfbd71f538ac04dfa16d9b361d94870a6d248acdf2c36a6ac
                      • Instruction ID: b0825ea8e973ba04c5e4ff20862e57fa2613c5602772b2408a841fb26961f147
                      • Opcode Fuzzy Hash: ede214daa4d1131bfbd71f538ac04dfa16d9b361d94870a6d248acdf2c36a6ac
                      • Instruction Fuzzy Hash: BEA0029936D10ABC31085255AD17D76026CD4C4B55331A51BB506B414559515C4A5431
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EDDBD5
                        • Part of subcall function 00EDDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EDDFD6
                        • Part of subcall function 00EDDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EDDFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: ab7691c6b2d7d4eed10a4d664721359a39087de825922e4b52123389366815bb
                      • Instruction ID: b0825ea8e973ba04c5e4ff20862e57fa2613c5602772b2408a841fb26961f147
                      • Opcode Fuzzy Hash: ab7691c6b2d7d4eed10a4d664721359a39087de825922e4b52123389366815bb
                      • Instruction Fuzzy Hash: BEA0029936D10ABC31085255AD17D76026CD4C4B55331A51BB506B414559515C4A5431
                      APIs
                      • SetEndOfFile.KERNELBASE(?,00EC9104,?,?,-00001964), ref: 00EC9EC2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: File
                      • String ID:
                      • API String ID: 749574446-0
                      • Opcode ID: 66a65974e2f5853e02be4a4bcaa24c8145db1b1c2f99014a462f53960c589720
                      • Instruction ID: bbff46c003a57726f43ba9bab0be760fc7133b43dcbf187256b78129d1f18886
                      • Opcode Fuzzy Hash: 66a65974e2f5853e02be4a4bcaa24c8145db1b1c2f99014a462f53960c589720
                      • Instruction Fuzzy Hash: 3AB011300A000A8A8E002B30CC088283A20EBA230A30082A0A00ACA0A0CF22C00AAA00
                      APIs
                      • SetCurrentDirectoryW.KERNELBASE(?,00EDA587,C:\Users\user\Desktop,00000000,00F0946A,00000006), ref: 00EDA326
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: CurrentDirectory
                      • String ID:
                      • API String ID: 1611563598-0
                      • Opcode ID: e8a693df19da4527610db9a51619a792ef8e0102827895be31ac6a3173a5bd74
                      • Instruction ID: 784d607a95b12123abefd08b3ced52feafe4247736fe5d869eb951c140bd7411
                      • Opcode Fuzzy Hash: e8a693df19da4527610db9a51619a792ef8e0102827895be31ac6a3173a5bd74
                      • Instruction Fuzzy Hash: 86A012302950065A8A000B30CC09C25B65057A0702F0086207002C00A0CB318818E500
                      APIs
                      • CloseHandle.KERNELBASE(000000FF,?,?,00EC968F,?,?,?,?,00EF1FA1,000000FF), ref: 00EC96EB
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: CloseHandle
                      • String ID:
                      • API String ID: 2962429428-0
                      • Opcode ID: 52f81b25cf7c6bc79a0d73d1d9789640a2f3a39a38320f12f89f09a98f096f86
                      • Instruction ID: 2857f2d8d8033a777951962a474def0e771ad4c557a8ae5a7783f509ff55f2d6
                      • Opcode Fuzzy Hash: 52f81b25cf7c6bc79a0d73d1d9789640a2f3a39a38320f12f89f09a98f096f86
                      • Instruction Fuzzy Hash: D9F05E30556B058FDB308A24D64CB92B7E49B12729F04AB1E91EB635E29B62694E9B00
                      APIs
                        • Part of subcall function 00EC130B: GetDlgItem.USER32(00000000,00003021), ref: 00EC134F
                        • Part of subcall function 00EC130B: SetWindowTextW.USER32(00000000,00EF35B4), ref: 00EC1365
                      • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00EDB971
                      • EndDialog.USER32(?,00000006), ref: 00EDB984
                      • GetDlgItem.USER32(?,0000006C), ref: 00EDB9A0
                      • SetFocus.USER32(00000000), ref: 00EDB9A7
                      • SetDlgItemTextW.USER32(?,00000065,?), ref: 00EDB9E1
                      • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00EDBA18
                      • FindFirstFileW.KERNEL32(?,?), ref: 00EDBA2E
                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EDBA4C
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00EDBA5C
                      • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00EDBA78
                      • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00EDBA94
                      • _swprintf.LIBCMT ref: 00EDBAC4
                        • Part of subcall function 00EC400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00EC401D
                      • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00EDBAD7
                      • FindClose.KERNEL32(00000000), ref: 00EDBADE
                      • _swprintf.LIBCMT ref: 00EDBB37
                      • SetDlgItemTextW.USER32(?,00000068,?), ref: 00EDBB4A
                      • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00EDBB67
                      • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00EDBB87
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00EDBB97
                      • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00EDBBB1
                      • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00EDBBC9
                      • _swprintf.LIBCMT ref: 00EDBBF5
                      • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00EDBC08
                      • _swprintf.LIBCMT ref: 00EDBC5C
                      • SetDlgItemTextW.USER32(?,00000069,?), ref: 00EDBC6F
                        • Part of subcall function 00EDA63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00EDA662
                        • Part of subcall function 00EDA63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,00EFE600,?,?), ref: 00EDA6B1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                      • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                      • API String ID: 797121971-1840816070
                      • Opcode ID: 7e037f5f188ca798cf926c4c896a0e3128f81429a171f612f075a757d46b8e96
                      • Instruction ID: d8599ed57e86eb0c9f2af8f97e6d9e26098ec1098ea2f9228403abd426e6bda0
                      • Opcode Fuzzy Hash: 7e037f5f188ca798cf926c4c896a0e3128f81429a171f612f075a757d46b8e96
                      • Instruction Fuzzy Hash: 6791B3B2248348BFD6319BA0DD49FFB77ECEB89704F05181AB749E2181E7719606C762
                      APIs
                      • __EH_prolog.LIBCMT ref: 00EC7191
                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00EC72F1
                      • CloseHandle.KERNEL32(00000000), ref: 00EC7301
                        • Part of subcall function 00EC7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00EC7C04
                        • Part of subcall function 00EC7BF5: GetLastError.KERNEL32 ref: 00EC7C4A
                        • Part of subcall function 00EC7BF5: CloseHandle.KERNEL32(?), ref: 00EC7C59
                      • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00EC730C
                      • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00EC741A
                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00EC7446
                      • CloseHandle.KERNEL32(?), ref: 00EC7457
                      • GetLastError.KERNEL32 ref: 00EC7467
                      • RemoveDirectoryW.KERNEL32(?), ref: 00EC74B3
                      • DeleteFileW.KERNEL32(?), ref: 00EC74DB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                      • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                      • API String ID: 3935142422-3508440684
                      • Opcode ID: 29ac91b49fd3df9aff1d49a642d88e84083ac07d7048e7e8a1e69cba73bf7ff8
                      • Instruction ID: f500c29e2916539b90fa3058cda594aef5fc947999c2a883600c6548f961fd64
                      • Opcode Fuzzy Hash: 29ac91b49fd3df9aff1d49a642d88e84083ac07d7048e7e8a1e69cba73bf7ff8
                      • Instruction Fuzzy Hash: 1DB1E171904218AADF24DB64CD45FEE7BB8BF04304F0450ADF999F7242DB35AA4ACB60
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: H_prolog_memcmp
                      • String ID: CMT$h%u$hc%u
                      • API String ID: 3004599000-3282847064
                      • Opcode ID: e180b2df2387b41622e17eb43479ae73c3fc3ab264bf1ec7f58e7765cdb61c8a
                      • Instruction ID: a0b245b7a35b44fa3173b5826a112fbfd7010ed4d29810a81c65b1f5c9e0ee5e
                      • Opcode Fuzzy Hash: e180b2df2387b41622e17eb43479ae73c3fc3ab264bf1ec7f58e7765cdb61c8a
                      • Instruction Fuzzy Hash: DC32B1715102849BDF14DF34CA85FEA37E5AF54304F04647EFD8AAB282DB72994ACB60
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: __floor_pentium4
                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                      • API String ID: 4168288129-2761157908
                      • Opcode ID: 72508c603140cdb437f8694e99d6ff931c7b9782302ac4d3d4454c26065a5e0f
                      • Instruction ID: 746050c44053f85c76b7f5c6a946fdaef7f13bd1ddfa9b72620deaaaa6d653f7
                      • Opcode Fuzzy Hash: 72508c603140cdb437f8694e99d6ff931c7b9782302ac4d3d4454c26065a5e0f
                      • Instruction Fuzzy Hash: 8FC23772E0866C8FDB25CE299D407EAB7B5EB88304F1551EAD84DF7240E775AE818F40
                      APIs
                      • __EH_prolog.LIBCMT ref: 00EC27F1
                      • _strlen.LIBCMT ref: 00EC2D7F
                        • Part of subcall function 00ED137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00ECB652,00000000,?,?,?,0001044A), ref: 00ED1396
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EC2EE0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                      • String ID: CMT
                      • API String ID: 1706572503-2756464174
                      • Opcode ID: f90b5b3793d085e6d240e79f3bca3d1d2536bbd516c19658542fd52a06f2f2ac
                      • Instruction ID: bdc8027ed5c3cb94003b8f0f360eac1dbd02fd93d20cb1273138ee0a12d4b934
                      • Opcode Fuzzy Hash: f90b5b3793d085e6d240e79f3bca3d1d2536bbd516c19658542fd52a06f2f2ac
                      • Instruction Fuzzy Hash: AC6204716002848FDF18DF34CA85FEA7BE1AF54304F08557DED9AAB282D672A946CB50
                      APIs
                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00EE8767
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00EE8771
                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00EE877E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: bab4ce6c8b9b882d76274ebac85f247f8479615ee4e5b729217fefb2e78891a9
                      • Instruction ID: 3f3fc9e1666a939773c9ac0dc3714483a24971f20e81cc7393510953d61f3867
                      • Opcode Fuzzy Hash: bab4ce6c8b9b882d76274ebac85f247f8479615ee4e5b729217fefb2e78891a9
                      • Instruction Fuzzy Hash: BC31B37590122CABCB21DF65D989B9CBBB8EF48310F5051EAE80CA7251EB309B85CF45
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID:
                      • String ID: .
                      • API String ID: 0-248832578
                      • Opcode ID: 6fa30c898179242b1118cc8b47589d576d7c0c0fc22af11e56ff8ca780ae4faf
                      • Instruction ID: cc4e03af64b00bc7c5921d74c76b4002f8705f5959260605f0c1da5d8ea27b76
                      • Opcode Fuzzy Hash: 6fa30c898179242b1118cc8b47589d576d7c0c0fc22af11e56ff8ca780ae4faf
                      • Instruction Fuzzy Hash: CA31D47190028DAFDB249E7ACC84EFB7BBEDB85318F1811ACF519A7251E630AD45CB50
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                      • Instruction ID: 4a67fd5c013444e4373627867f1a96e030eae81520a4c9c7570f1d73ea29c0bf
                      • Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                      • Instruction Fuzzy Hash: E3021C72E002599FDF14CFA9D8806ADBBF1EF88314F25516AE919F7344D731A942CB90
                      APIs
                      • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00EDA662
                      • GetNumberFormatW.KERNEL32(00000400,00000000,?,00EFE600,?,?), ref: 00EDA6B1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID: FormatInfoLocaleNumber
                      • String ID:
                      • API String ID: 2169056816-0
                      • Opcode ID: 4c09203048d8952d6976edf99112852df3dbf41504af15f2c3b028a64d42c3ff
                      • Instruction ID: fc3f9ca9ed0b68954a7e56249ed4e3391bcdd0ea7a36c1098dc19d200c975c5d
                      • Opcode Fuzzy Hash: 4c09203048d8952d6976edf99112852df3dbf41504af15f2c3b028a64d42c3ff
                      • Instruction Fuzzy Hash: 47014C36200208AED7108F65EC05FABB7BCEF99710F015422BA04E7261E370AA15C7A5
                      APIs
                      • GetLastError.KERNEL32(00ED117C,?,00000200), ref: 00EC6EC9
                      • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00EC6EEA
                      Similarity
                      • API ID: ErrorFormatLastMessage
                      • String ID:
                      • API String ID: 3479602957-0
                      • Opcode ID: 161147bb324020b98c42aa917018d61cdeb79fe83ffe5a24e611c1bf15efa947
                      • Instruction ID: feea2525ed1c41418d6747b46338db105d0c12dd64340b81059d48acda3b99cd
                      • Opcode Fuzzy Hash: 161147bb324020b98c42aa917018d61cdeb79fe83ffe5a24e611c1bf15efa947
                      • Instruction Fuzzy Hash: B2D0A9753D8302BFEA100A35CC06F3B3BA1A795B82F20951AB312F80E0CA718119D62A
                      APIs
                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00EF118F,?,?,00000008,?,?,00EF0E2F,00000000), ref: 00EF13C1
                      Similarity
                      • API ID: ExceptionRaise
                      • String ID:
                      • API String ID: 3997070919-0
                      • Opcode ID: ffe77217d9f677bdd40fbc0beac5a259b94d9bab3a0797ccec16f74b73e6b664
                      • Instruction ID: 070975b2f0436e99f99e7c1eaf97d1c525d363c0554e0b0cae32a2039ee4a0ea
                      • Opcode Fuzzy Hash: ffe77217d9f677bdd40fbc0beac5a259b94d9bab3a0797ccec16f74b73e6b664
                      • Instruction Fuzzy Hash: 5DB16D3161060CDFD715CF28C48ABA57BE0FF45368F259698EAA9DF2A1C335E981CB40
                      Strings
                      Similarity
                      • API ID:
                      • String ID: gj
                      • API String ID: 0-4203073231
                      • Opcode ID: 7eb253fe5741fba208e205dad5f2bc9ad5436724b20c4dde53177afed37ef2ec
                      • Instruction ID: 8da7fcea5bea27d8b5bb46f999de7028ec293a1bed9561f000f4d11d019041f5
                      • Opcode Fuzzy Hash: 7eb253fe5741fba208e205dad5f2bc9ad5436724b20c4dde53177afed37ef2ec
                      • Instruction Fuzzy Hash: 5AF1C4B1A083418FD748CF29D880A1AFBE1BFCC208F15896EF598D7711D634EA558B56
                      APIs
                      • GetVersionExW.KERNEL32(?), ref: 00ECAD1A
                      Similarity
                      • API ID: Version
                      • String ID:
                      • API String ID: 1889659487-0
                      • Opcode ID: 40985fdbaa6f5f80513862a6836c569a04d3620d55c2291c88cd6fe6bb7c2a7a
                      • Instruction ID: 5bdcbd952f64a95ff220f1c7018e0d6b6eba82b5d3542b23b3bdddf8cc33d508
                      • Opcode Fuzzy Hash: 40985fdbaa6f5f80513862a6836c569a04d3620d55c2291c88cd6fe6bb7c2a7a
                      • Instruction Fuzzy Hash: 73F030B090020C8FC728DF18ED41BE977B5F79871AF2002A9E91663764DB71AD45EF52
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,00EDEAC5), ref: 00EDF068
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: 51556119fda5ce5d295ca9706bdea9fd626f7e31b598e374106989d9e0b97738
                      • Instruction ID: 694e60bd1646fd18a62fabcf40ed72bede9c7aacdb26cf8e8f21d8fad0f17c86
                      • Opcode Fuzzy Hash: 51556119fda5ce5d295ca9706bdea9fd626f7e31b598e374106989d9e0b97738
                      • Instruction Fuzzy Hash:
                      APIs
                      Similarity
                      • API ID: HeapProcess
                      • String ID:
                      • API String ID: 54951025-0
                      • Opcode ID: 4776deec2dd6133ca2fa70c0d84917a6bce6da7a09b79f79110a8c67756f2f8d
                      • Instruction ID: 37a3de9a5682081f28d2f7e419f8d8f7c5c3fb4d866b77913127e95f1fe81a69
                      • Opcode Fuzzy Hash: 4776deec2dd6133ca2fa70c0d84917a6bce6da7a09b79f79110a8c67756f2f8d
                      • Instruction Fuzzy Hash: 86A011B02022088F83008F32AA0820E3AAABA802803088228A008C2020EA208020AF00
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: 5e2a832449e4478217eeb9d0ff2a5d97324f56f87d89efe56eb436a934254f78
                      • Instruction ID: 77015785b53acb50aad2e5e3211a750d6e3e7c6d7ab1f72b3dc35f5acfb8b77c
                      • Opcode Fuzzy Hash: 5e2a832449e4478217eeb9d0ff2a5d97324f56f87d89efe56eb436a934254f78
                      • Instruction Fuzzy Hash: D8D1E7B1A043458FDB14CF28C88175BBBE0FF95308F04556EE885AB742D734E95ACB9A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      • Associated: 00000000.00000002.2042166638.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042227385.0000000000EF3000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F21000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F2C000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F56000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F58000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                      • Instruction ID: 54fb48479827120b7cdf943cbd395dc0849e1bb36c8607fa0312361892e82d9c
                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                      • Instruction Fuzzy Hash: F6C1E6362091D70ADF2D463BC53403FBBA15AA17B531A276ED4B3DB1C4FE60D6A4DA20
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      • Associated: 00000000.00000002.2042166638.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042227385.0000000000EF3000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F21000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F2C000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F56000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F58000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e697259b173e5f45c2e80430c8d40f6bf30118b0472f84798eece84d09099c1a
                      • Instruction ID: 54c27fd0b19fe22ef521a375c61f76f19ba54e05fae67a74f78f6f4f56dd166c
                      • Opcode Fuzzy Hash: e697259b173e5f45c2e80430c8d40f6bf30118b0472f84798eece84d09099c1a
                      • Instruction Fuzzy Hash: A1E126755183898FC304CF69D89096BBBF0BB8A300F89095EF5D597352C335EA19EB62
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      • Associated: 00000000.00000002.2042166638.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042227385.0000000000EF3000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F21000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F2C000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F56000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F58000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
                      • Instruction ID: d49a2cf5a92bcf87b6c55d478654312a64be417ba64cf6543b1520bf64623097
                      • Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
                      • Instruction Fuzzy Hash: AD9166B02043498BD724EB78D890BBAB3D5EB80304F14292FE597B7382DA359A46C753
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      • Associated: 00000000.00000002.2042166638.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042227385.0000000000EF3000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F21000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F2C000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F56000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F58000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b15472e93af2043785af9614cf9c27e8637ab112cc02ba1475093916f9ec109a
                      • Instruction ID: ec3490f167466d707eebb457356e410e66d5e12ac9baa96825fef077cadfa5cc
                      • Opcode Fuzzy Hash: b15472e93af2043785af9614cf9c27e8637ab112cc02ba1475093916f9ec109a
                      • Instruction Fuzzy Hash: A76158F16807CE56DA34996B4855BBF63C4DB8131CF103A29E586FB2C2E612DD428359
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      • Associated: 00000000.00000002.2042166638.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042227385.0000000000EF3000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F21000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F2C000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F56000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F58000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                      • Instruction ID: d74fe1c5cedc60712a0ef78010338ca7aed503b5511a0fe9abfdfc0339965046
                      • Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                      • Instruction Fuzzy Hash: 3371E9717043494BDB24DF38C8D0BAD77E5EB90308F04592FE986AA3C2DA759A878753
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      • Associated: 00000000.00000002.2042166638.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042227385.0000000000EF3000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F21000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F2C000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F56000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F58000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                      • Instruction ID: 9940a4fe348ee057cc78b38a1193bdb0e311cb69f32f157e2d52aff49e2303be
                      • Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                      • Instruction Fuzzy Hash: 1D5124F1600ACD56DB38896B8856BFE67C99B57308F18350AE982F72C2C315DE4183DA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      • Associated: 00000000.00000002.2042166638.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042227385.0000000000EF3000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F21000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F2C000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F56000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F58000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 27fd3be50e847cdecfe8d5b0cbd93904adb6bc0723177c77d0541b242b806bc8
                      • Instruction ID: 0aad9b3f0ecbc2fb11130e8c336f7a2ec1533a3e20fd70606aca4c789751c83f
                      • Opcode Fuzzy Hash: 27fd3be50e847cdecfe8d5b0cbd93904adb6bc0723177c77d0541b242b806bc8
                      • Instruction Fuzzy Hash: 58818F9261E6D89DC7065F7C3CA46F63EA16733700BAC40FA84C6C62A3C1774669EB61
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      • Associated: 00000000.00000002.2042166638.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042227385.0000000000EF3000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F21000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F2C000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F56000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F58000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4c83ae33b16d077399ff2cf4d4f329e461d389bad8490ba068a33541a5b7a640
                      • Instruction ID: da4b0b03cf532c391fa2bc8512606375f6aa1b87bcc1c621ba85bcc79d553850
                      • Opcode Fuzzy Hash: 4c83ae33b16d077399ff2cf4d4f329e461d389bad8490ba068a33541a5b7a640
                      • Instruction Fuzzy Hash: B951D3715083D24EC712CF24928496EFFE0BFDA318F49589EE4D567212D231E64ADBA2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      • Associated: 00000000.00000002.2042166638.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042227385.0000000000EF3000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F21000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F2C000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F56000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F58000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2eeee51924c79ca6e1cdc68ddd10e096a4cb489e4b643da513f9bfc64ec4a6b8
                      • Instruction ID: 2f8fdca5d21c14eeb14c0880db8d69e347eb98fa147b55a7f350fa36ea9f82c2
                      • Opcode Fuzzy Hash: 2eeee51924c79ca6e1cdc68ddd10e096a4cb489e4b643da513f9bfc64ec4a6b8
                      • Instruction Fuzzy Hash: 8D512671A083118BC748CF19D48059AF7E2FFC8354F058A2EE899A7740DB34EA59CB96
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      • Associated: 00000000.00000002.2042166638.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042227385.0000000000EF3000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F21000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F2C000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F56000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F58000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
                      • Instruction ID: 37a84fd08fb5241017edc5a59c8d6df61908fbbc888e1578e67ad3d22aedc28f
                      • Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
                      • Instruction Fuzzy Hash: 443124B56047098FCB14DF28C85166ABBE0FB95308F14592FE4D5E7342C739EA4ACB92
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      • Associated: 00000000.00000002.2042166638.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042227385.0000000000EF3000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F04000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042246130.0000000000F21000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F2C000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F56000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.2042350097.0000000000F58000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ec0000_1Ta6ojwHc6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 520c8b3a9bda15f7ed6aae4f808b0200f5b91ab7f49c5f7670900742ebe7eb53
                      • Instruction ID: b14ef5e1a4b96ace98cf7175fe04c6183232c9651923474d8996851631063ffe
                      • Opcode Fuzzy Hash: 520c8b3a9bda15f7ed6aae4f808b0200f5b91ab7f49c5f7670900742ebe7eb53
                      • Instruction Fuzzy Hash: 40210A32A201654FCB48CF2EED9093B7752A786311746812FEE42EB3D1C635F925C7A0
                      APIs
                      • _swprintf.LIBCMT ref: 00ECDABE
                        • Part of subcall function 00EC400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00EC401D
                        • Part of subcall function 00ED1596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00F00EE8,00000200,00ECD202,00000000,?,00000050,00F00EE8), ref: 00ED15B3
                      • _strlen.LIBCMT ref: 00ECDADF
                      • SetDlgItemTextW.USER32(?,00EFE154,?), ref: 00ECDB3F
                      • GetWindowRect.USER32(?,?), ref: 00ECDB79
                      • GetClientRect.USER32(?,?), ref: 00ECDB85
                      • GetWindowLongW.USER32(?,000000F0), ref: 00ECDC25
                      • GetWindowRect.USER32(?,?), ref: 00ECDC52
                      • SetWindowTextW.USER32(?,?), ref: 00ECDC95
                      • GetSystemMetrics.USER32(00000008), ref: 00ECDC9D
                      • GetWindow.USER32(?,00000005), ref: 00ECDCA8
                      • GetWindowRect.USER32(00000000,?), ref: 00ECDCD5
                      • GetWindow.USER32(00000000,00000002), ref: 00ECDD47
                      Similarity
                      • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                      • String ID: $%s:$CAPTION$T$d
                      • API String ID: 2407758923-3856749
                      APIs
                      • ___free_lconv_mon.LIBCMT ref: 00EEC277
                        • Part of subcall function 00EEBE12: _free.LIBCMT ref: 00EEBE2F
                        • Part of subcall function 00EEBE12: _free.LIBCMT ref: 00EEBE41
                        • Part of subcall function 00EEBE12: _free.LIBCMT ref: 00EEBE53
                        • Part of subcall function 00EEBE12: _free.LIBCMT ref: 00EEBE65
                        • Part of subcall function 00EEBE12: _free.LIBCMT ref: 00EEBE77
                        • Part of subcall function 00EEBE12: _free.LIBCMT ref: 00EEBE89
                        • Part of subcall function 00EEBE12: _free.LIBCMT ref: 00EEBE9B
                        • Part of subcall function 00EEBE12: _free.LIBCMT ref: 00EEBEAD
                        • Part of subcall function 00EEBE12: _free.LIBCMT ref: 00EEBEBF
                        • Part of subcall function 00EEBE12: _free.LIBCMT ref: 00EEBED1
                        • Part of subcall function 00EEBE12: _free.LIBCMT ref: 00EEBEE3
                        • Part of subcall function 00EEBE12: _free.LIBCMT ref: 00EEBEF5
                        • Part of subcall function 00EEBE12: _free.LIBCMT ref: 00EEBF07
                      • _free.LIBCMT ref: 00EEC26C
                        • Part of subcall function 00EE84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00EEBFA7,00EF3958,00000000,00EF3958,00000000,?,00EEBFCE,00EF3958,00000007,00EF3958,?,00EEC3CB,00EF3958), ref: 00EE84F4
                        • Part of subcall function 00EE84DE: GetLastError.KERNEL32(00EF3958,?,00EEBFA7,00EF3958,00000000,00EF3958,00000000,?,00EEBFCE,00EF3958,00000007,00EF3958,?,00EEC3CB,00EF3958,00EF3958), ref: 00EE8506
                      • _free.LIBCMT ref: 00EEC28E
                      • _free.LIBCMT ref: 00EEC2A3
                      • _free.LIBCMT ref: 00EEC2AE
                      • _free.LIBCMT ref: 00EEC2D0
                      • _free.LIBCMT ref: 00EEC2E3
                      • _free.LIBCMT ref: 00EEC2F1
                      • _free.LIBCMT ref: 00EEC2FC
                      • _free.LIBCMT ref: 00EEC334
                      • _free.LIBCMT ref: 00EEC33B
                      • _free.LIBCMT ref: 00EEC358
                      • _free.LIBCMT ref: 00EEC370
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                      • String ID: P
                      • API String ID: 161543041-1343716551
                      APIs
                      • GetWindow.USER32(?,00000005), ref: 00EDCD51
                      • GetClassNameW.USER32(00000000,?,00000800), ref: 00EDCD7D
                        • Part of subcall function 00ED17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00ECBB05,00000000,.exe,?,?,00000800,?,?,00ED85DF,?), ref: 00ED17C2
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00EDCD99
                      • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00EDCDB0
                      • GetObjectW.GDI32(00000000,00000018,?), ref: 00EDCDC4
                      • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00EDCDED
                      • DeleteObject.GDI32(00000000), ref: 00EDCDF4
                      • GetWindow.USER32(00000000,00000002), ref: 00EDCDFD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                      • String ID: STATIC
                      • API String ID: 3820355801-1882779555
                      APIs
                      • _free.LIBCMT ref: 00EE8EC5
                        • Part of subcall function 00EE84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00EEBFA7,00EF3958,00000000,00EF3958,00000000,?,00EEBFCE,00EF3958,00000007,00EF3958,?,00EEC3CB,00EF3958), ref: 00EE84F4
                        • Part of subcall function 00EE84DE: GetLastError.KERNEL32(00EF3958,?,00EEBFA7,00EF3958,00000000,00EF3958,00000000,?,00EEBFCE,00EF3958,00000007,00EF3958,?,00EEC3CB,00EF3958,00EF3958), ref: 00EE8506
                      • _free.LIBCMT ref: 00EE8ED1
                      • _free.LIBCMT ref: 00EE8EDC
                      • _free.LIBCMT ref: 00EE8EE7
                      • _free.LIBCMT ref: 00EE8EF2
                      • _free.LIBCMT ref: 00EE8EFD
                      • _free.LIBCMT ref: 00EE8F08
                      • _free.LIBCMT ref: 00EE8F13
                      • _free.LIBCMT ref: 00EE8F1E
                      • _free.LIBCMT ref: 00EE8F2C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: ;%u$x%u$xc%u
                      • API String ID: 0-2277559157
                      APIs
                        • Part of subcall function 00EC130B: GetDlgItem.USER32(00000000,00003021), ref: 00EC134F
                        • Part of subcall function 00EC130B: SetWindowTextW.USER32(00000000,00EF35B4), ref: 00EC1365
                      • EndDialog.USER32(?,00000001), ref: 00EDAD20
                      • SendMessageW.USER32(?,00000080,00000001,?), ref: 00EDAD47
                      • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00EDAD60
                      • SetWindowTextW.USER32(?,?), ref: 00EDAD71
                      • GetDlgItem.USER32(?,00000065), ref: 00EDAD7A
                      • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00EDAD8E
                      • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00EDADA4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: MessageSend$Item$TextWindow$Dialog
                      • String ID: LICENSEDLG
                      • API String ID: 3214253823-2177901306
                      APIs
                      • __EH_prolog.LIBCMT ref: 00EC9448
                      • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00EC946B
                      • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00EC948A
                        • Part of subcall function 00ED17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00ECBB05,00000000,.exe,?,?,00000800,?,?,00ED85DF,?), ref: 00ED17C2
                      • _swprintf.LIBCMT ref: 00EC9526
                        • Part of subcall function 00EC400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00EC401D
                      • MoveFileW.KERNEL32(?,?), ref: 00EC9595
                      • MoveFileW.KERNEL32(?,?), ref: 00EC95D5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                      • String ID: rtmp%d
                      • API String ID: 2111052971-3303766350
                      APIs
                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00ED8F38
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00ED8F59
                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00ED8F80
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: Global$AllocByteCharCreateMultiStreamWide
                      • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                      • API String ID: 4094277203-4209811716
                      APIs
                      • GetLastError.KERNEL32(?,00F00EE8,00EE3E14,00F00EE8,?,?,00EE3713,00000050,?,00F00EE8,00000200), ref: 00EE8FA9
                      • _free.LIBCMT ref: 00EE8FDC
                      • _free.LIBCMT ref: 00EE9004
                      • SetLastError.KERNEL32(00000000,?,00F00EE8,00000200), ref: 00EE9011
                      • SetLastError.KERNEL32(00000000,?,00F00EE8,00000200), ref: 00EE901D
                      • _abort.LIBCMT ref: 00EE9023
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast$_free$_abort
                      • String ID: X
                      • API String ID: 3160817290-1677210272
                      APIs
                      • __aulldiv.LIBCMT ref: 00ED0A9D
                        • Part of subcall function 00ECACF5: GetVersionExW.KERNEL32(?), ref: 00ECAD1A
                      • FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00ED0AC0
                      • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00ED0AD2
                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00ED0AE3
                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00ED0AF3
                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00ED0B03
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00ED0B3D
                      • __aullrem.LIBCMT ref: 00ED0BCB
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                      • String ID:
                      • API String ID: 1247370737-0
                      APIs
                      • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00EEF5A2,?,00000000,?,00000000,00000000), ref: 00EEEE6F
                      • __fassign.LIBCMT ref: 00EEEEEA
                      • __fassign.LIBCMT ref: 00EEEF05
                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00EEEF2B
                      • WriteFile.KERNEL32(?,?,00000000,00EEF5A2,00000000,?,?,?,?,?,?,?,?,?,00EEF5A2,?), ref: 00EEEF4A
                      • WriteFile.KERNEL32(?,?,00000001,00EEF5A2,00000000,?,?,?,?,?,?,?,?,?,00EEF5A2,?), ref: 00EEEF83
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                      • String ID:
                      • API String ID: 1324828854-0
                      APIs
                      • GetTempPathW.KERNEL32(00000800,?), ref: 00EDC54A
                      • _swprintf.LIBCMT ref: 00EDC57E
                        • Part of subcall function 00EC400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00EC401D
                      • SetDlgItemTextW.USER32(?,00000066,00F0946A), ref: 00EDC59E
                      • _wcschr.LIBVCRUNTIME ref: 00EDC5D1
                      • EndDialog.USER32(?,00000001), ref: 00EDC6B2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                      • String ID: %s%s%u
                      • API String ID: 2892007947-1360425832
                      APIs
                      • ShowWindow.USER32(?,00000000), ref: 00ED964E
                      • GetWindowRect.USER32(?,00000000), ref: 00ED9693
                      • ShowWindow.USER32(?,00000005,00000000), ref: 00ED972A
                      • SetWindowTextW.USER32(?,00000000), ref: 00ED9732
                      • ShowWindow.USER32(00000000,00000005), ref: 00ED9748
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: Window$Show$RectText
                      • String ID: RarHtmlClassName
                      • API String ID: 3937224194-1658105358
                      APIs
                        • Part of subcall function 00EEBF79: _free.LIBCMT ref: 00EEBFA2
                      • _free.LIBCMT ref: 00EEC003
                        • Part of subcall function 00EE84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00EEBFA7,00EF3958,00000000,00EF3958,00000000,?,00EEBFCE,00EF3958,00000007,00EF3958,?,00EEC3CB,00EF3958), ref: 00EE84F4
                        • Part of subcall function 00EE84DE: GetLastError.KERNEL32(00EF3958,?,00EEBFA7,00EF3958,00000000,00EF3958,00000000,?,00EEBFCE,00EF3958,00000007,00EF3958,?,00EEC3CB,00EF3958,00EF3958), ref: 00EE8506
                      • _free.LIBCMT ref: 00EEC00E
                      • _free.LIBCMT ref: 00EEC019
                      • _free.LIBCMT ref: 00EEC06D
                      • _free.LIBCMT ref: 00EEC078
                      • _free.LIBCMT ref: 00EEC083
                      • _free.LIBCMT ref: 00EEC08E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      • Associated: 00000000.00000002.2042166638.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042227385.0000000000EF3000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042246130.0000000000EFE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042246130.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042246130.0000000000F21000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F22000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F2C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F56000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F58000.00000002.00000001.01000000.00000003.sdmp
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      APIs
                      • GetLastError.KERNEL32(?,?,00EE20C1,00EDFB12), ref: 00EE20D8
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EE20E6
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EE20FF
                      • SetLastError.KERNEL32(00000000,?,00EE20C1,00EDFB12), ref: 00EE2151
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      APIs
                      • GetLastError.KERNEL32(?,00F00EE8,00000200,00EE895F,00EE58FE,?,?,?,?,00ECD25E,?,03643560,00000063,00000004,00ECCFE0,?), ref: 00EE902E
                      • _free.LIBCMT ref: 00EE9063
                      • _free.LIBCMT ref: 00EE908A
                      • SetLastError.KERNEL32(00000000,00EF3958,00000050,00F00EE8), ref: 00EE9097
                      • SetLastError.KERNEL32(00000000,00EF3958,00000050,00F00EE8), ref: 00EE90A0
                      Similarity
                      • API ID: ErrorLast$_free
                      • String ID: X
                      • API String ID: 3170660625-1677210272
                      Similarity
                      • API ID:
                      • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                      • API String ID: 0-1718035505
                      APIs
                      • _free.LIBCMT ref: 00EE807E
                        • Part of subcall function 00EE84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00EEBFA7,00EF3958,00000000,00EF3958,00000000,?,00EEBFCE,00EF3958,00000007,00EF3958,?,00EEC3CB,00EF3958), ref: 00EE84F4
                        • Part of subcall function 00EE84DE: GetLastError.KERNEL32(00EF3958,?,00EEBFA7,00EF3958,00000000,00EF3958,00000000,?,00EEBFCE,00EF3958,00000007,00EF3958,?,00EEC3CB,00EF3958,00EF3958), ref: 00EE8506
                      • _free.LIBCMT ref: 00EE8090
                      • _free.LIBCMT ref: 00EE80A3
                      • _free.LIBCMT ref: 00EE80B4
                      • _free.LIBCMT ref: 00EE80C5
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-3162483948
                      APIs
                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00ED0D0D
                        • Part of subcall function 00ECACF5: GetVersionExW.KERNEL32(?), ref: 00ECAD1A
                      • LocalFileTimeToFileTime.KERNEL32(?,00ED0CB8), ref: 00ED0D31
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00ED0D47
                      • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00ED0D56
                      • SystemTimeToFileTime.KERNEL32(?,00ED0CB8), ref: 00ED0D64
                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00ED0D72
                      Similarity
                      • API ID: Time$File$System$Local$SpecificVersion
                      • String ID:
                      • API String ID: 2092733347-0
                      APIs
                      Similarity
                      • API ID: _memcmp
                      • String ID:
                      • API String ID: 2931989736-0
                      APIs
                      • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00EDD2F2
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00EDD30C
                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EDD31D
                      • TranslateMessage.USER32(?), ref: 00EDD327
                      • DispatchMessageW.USER32(?), ref: 00EDD331
                      • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00EDD33C
                      Similarity
                      • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                      • String ID:
                      • API String ID: 2148572870-0
                      APIs
                      • _wcschr.LIBVCRUNTIME ref: 00EDC435
                        • Part of subcall function 00ED17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00ECBB05,00000000,.exe,?,?,00000800,?,?,00ED85DF,?), ref: 00ED17C2
                      Similarity
                      • API ID: CompareString_wcschr
                      • String ID: <$HIDE$MAX$MIN
                      • API String ID: 2548945186-3358265660
                      APIs
                      • LoadBitmapW.USER32(00000065), ref: 00EDADFD
                      • GetObjectW.GDI32(00000000,00000018,?), ref: 00EDAE22
                      • DeleteObject.GDI32(00000000), ref: 00EDAE54
                      • DeleteObject.GDI32(00000000), ref: 00EDAE77
                        • Part of subcall function 00ED9E1C: FindResourceW.KERNEL32(00EDAE4D,PNG,?,?,?,00EDAE4D,00000066), ref: 00ED9E2E
                        • Part of subcall function 00ED9E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,00EDAE4D,00000066), ref: 00ED9E46
                        • Part of subcall function 00ED9E1C: LoadResource.KERNEL32(00000000,?,?,?,00EDAE4D,00000066), ref: 00ED9E59
                        • Part of subcall function 00ED9E1C: LockResource.KERNEL32(00000000,?,?,?,00EDAE4D,00000066), ref: 00ED9E64
                      Similarity
                      • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                      • String ID: ]
                      • API String ID: 142272564-3352871620
                      APIs
                        • Part of subcall function 00EC130B: GetDlgItem.USER32(00000000,00003021), ref: 00EC134F
                        • Part of subcall function 00EC130B: SetWindowTextW.USER32(00000000,00EF35B4), ref: 00EC1365
                      • EndDialog.USER32(?,00000001), ref: 00EDCCDB
                      • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00EDCCF1
                      • SetDlgItemTextW.USER32(?,00000066,?), ref: 00EDCD05
                      • SetDlgItemTextW.USER32(?,00000068), ref: 00EDCD14
                      Similarity
                      • API ID: ItemText$DialogWindow
                      • String ID: RENAMEDLG
                      • API String ID: 445417207-3299779563
                      APIs
                      • ___BuildCatchObject.LIBVCRUNTIME ref: 00EE251A
                        • Part of subcall function 00EE2B52: ___AdjustPointer.LIBCMT ref: 00EE2B9C
                      • _UnwindNestedFrames.LIBCMT ref: 00EE2531
                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 00EE2543
                      • CallCatchBlock.LIBVCRUNTIME ref: 00EE2567
                      Similarity
                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                      • String ID: /)
                      • API String ID: 2633735394-750405031
                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00EE7573,00000000,?,00EE7513,00000000,00EFBAD8,0000000C,00EE766A,00000000,00000002), ref: 00EE75E2
                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EE75F5
                      • FreeLibrary.KERNEL32(00000000,?,?,?,00EE7573,00000000,?,00EE7513,00000000,00EFBAD8,0000000C,00EE766A,00000000,00000002), ref: 00EE7618
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      • Associated: 00000000.00000002.2042166638.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042227385.0000000000EF3000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042246130.0000000000EFE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042246130.0000000000F04000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042246130.0000000000F21000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F22000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F2C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F56000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2042350097.0000000000F58000.00000002.00000001.01000000.00000003.sdmp
                      Similarity
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      • Opcode ID: 085890c558224deb46726c7d9d30f4b0af734061e145aa503bad84904d305b7a
                      • Instruction ID: 532ebb52ccc83a83b279994cba4a778eaf2f58c8dc7d929f927f8284a014f6e3
                      • Opcode Fuzzy Hash: 085890c558224deb46726c7d9d30f4b0af734061e145aa503bad84904d305b7a
                      • Instruction Fuzzy Hash: 37F0A43160460DBFDB119B66DC09BADBFB8EF44715F000059F805B6260DF709A44CA50
                      APIs
                        • Part of subcall function 00ED0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00ED00A0
                        • Part of subcall function 00ED0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00ECEB86,Crypt32.dll,00000000,00ECEC0A,?,?,00ECEBEC,?,?,?), ref: 00ED00C2
                      • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00ECEB92
                      • GetProcAddress.KERNEL32(00F081C0,CryptUnprotectMemory), ref: 00ECEBA2
                      Strings
                      Similarity
                      • API ID: AddressProc$DirectoryLibraryLoadSystem
                      • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                      • API String ID: 2141747552-1753850145
                      • Opcode ID: ec1211d2074a49a3da4a6ec0b60f66465cf4b4ffdc1d5c7cb6c1e5bd906adecc
                      • Instruction ID: 7104b08966bd4bfa63e7c0fb2ba4c83a459f40e8538d1841be2347f135399924
                      • Opcode Fuzzy Hash: ec1211d2074a49a3da4a6ec0b60f66465cf4b4ffdc1d5c7cb6c1e5bd906adecc
                      • Instruction Fuzzy Hash: 96E04F70400741AECB309F359809B62BAE45B54704F04A81EE5D6F3644DAF5D6458B60
                      APIs
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      • Opcode ID: 185c8b27358d993128d9865b7c243b1c483232d117bb61591f0b807205e1930e
                      • Instruction ID: 97ebbf8f49834d329c610bdce0ed2fcac0d4a04c0963395127e07199fbe1c4d8
                      • Opcode Fuzzy Hash: 185c8b27358d993128d9865b7c243b1c483232d117bb61591f0b807205e1930e
                      • Instruction Fuzzy Hash: 3341E132A003089FDB24DF79C881A6EB7E5EF89314F1555A9E955FB391DB30AD01CB80
                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 00EEB619
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EEB63C
                        • Part of subcall function 00EE8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00EEC13D,00000000,?,00EE67E2,?,00000008,?,00EE89AD,?,?,?), ref: 00EE854A
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00EEB662
                      • _free.LIBCMT ref: 00EEB675
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EEB684
                      Similarity
                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                      • String ID:
                      • API String ID: 336800556-0
                      • Opcode ID: 16f18494f296b56804a5e0226d7205ab6280a31fb1d95977255e69a58a2987a2
                      • Instruction ID: 576e893222d733e64257ec5275239229413fa90349098934cd958c78817d8070
                      • Opcode Fuzzy Hash: 16f18494f296b56804a5e0226d7205ab6280a31fb1d95977255e69a58a2987a2
                      • Instruction Fuzzy Hash: CD0184726026AABF6321167B6C8CC7B6A6DDFC6BA43151229B905F3151DF60CD01D1B0
                      APIs
                        • Part of subcall function 00ED0A41: ResetEvent.KERNEL32(?), ref: 00ED0A53
                        • Part of subcall function 00ED0A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00ED0A67
                      • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00ED078F
                      • CloseHandle.KERNEL32(?,?), ref: 00ED07A9
                      • DeleteCriticalSection.KERNEL32(?), ref: 00ED07C2
                      • CloseHandle.KERNEL32(?), ref: 00ED07CE
                      • CloseHandle.KERNEL32(?), ref: 00ED07DA
                        • Part of subcall function 00ED084E: WaitForSingleObject.KERNEL32(?,000000FF,00ED0A78,?), ref: 00ED0854
                        • Part of subcall function 00ED084E: GetLastError.KERNEL32(?), ref: 00ED0860
                      Similarity
                      • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                      • String ID:
                      • API String ID: 1868215902-0
                      • Opcode ID: 8736d3aa9ed8db7410f242f7930ba36aa92c28dc0a1c4e4c3bdf1155eab7002c
                      • Instruction ID: 5c1621477bd1ef3603263468ba54f5db31a2dc18234c93ba0de030b90f52a4e6
                      • Opcode Fuzzy Hash: 8736d3aa9ed8db7410f242f7930ba36aa92c28dc0a1c4e4c3bdf1155eab7002c
                      • Instruction Fuzzy Hash: E2019272540704EFC721AB65DC84F96BBE9FB88710F04055AF15E62161CB756A49CB90
                      APIs
                      • _free.LIBCMT ref: 00EEBF28
                        • Part of subcall function 00EE84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00EEBFA7,00EF3958,00000000,00EF3958,00000000,?,00EEBFCE,00EF3958,00000007,00EF3958,?,00EEC3CB,00EF3958), ref: 00EE84F4
                        • Part of subcall function 00EE84DE: GetLastError.KERNEL32(00EF3958,?,00EEBFA7,00EF3958,00000000,00EF3958,00000000,?,00EEBFCE,00EF3958,00000007,00EF3958,?,00EEC3CB,00EF3958,00EF3958), ref: 00EE8506
                      • _free.LIBCMT ref: 00EEBF3A
                      • _free.LIBCMT ref: 00EEBF4C
                      • _free.LIBCMT ref: 00EEBF5E
                      • _free.LIBCMT ref: 00EEBF70
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: ac95e83d6c738ec814cbeef69746f07293b7d80e73bd40d631e1523b1113223c
                      • Instruction ID: 7b5c0c1c531f502aa1112c4a970e0c4bf997f151528d29ff24f6fc057f52b0d6
                      • Opcode Fuzzy Hash: ac95e83d6c738ec814cbeef69746f07293b7d80e73bd40d631e1523b1113223c
                      • Instruction Fuzzy Hash: D9F01232604699AB8620EB67FE86C2773D9FB407147646805F01CF7EA0CB31FC84CA54
                      APIs
                      • __EH_prolog.LIBCMT ref: 00EC7579
                        • Part of subcall function 00EC3B3D: __EH_prolog.LIBCMT ref: 00EC3B42
                      • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00EC7640
                        • Part of subcall function 00EC7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00EC7C04
                        • Part of subcall function 00EC7BF5: GetLastError.KERNEL32 ref: 00EC7C4A
                        • Part of subcall function 00EC7BF5: CloseHandle.KERNEL32(?), ref: 00EC7C59
                      Strings
                      Similarity
                      • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                      • String ID: SeRestorePrivilege$SeSecurityPrivilege
                      • API String ID: 3813983858-639343689
                      • Opcode ID: 11f68a096dfc7b35e92c4476772117462e3d5246c2351ae12686fee1b79b82b7
                      • Instruction ID: 79dda29ad327b864a3f58b25fb02563c44b7d388415a3a57242f491beb09ae59
                      • Opcode Fuzzy Hash: 11f68a096dfc7b35e92c4476772117462e3d5246c2351ae12686fee1b79b82b7
                      • Instruction Fuzzy Hash: 2131D371A04248AEDF20EB64DE02FFE7BA9EF55348F00505EF485B7292DB714A46CB60
                      APIs
                        • Part of subcall function 00EC130B: GetDlgItem.USER32(00000000,00003021), ref: 00EC134F
                        • Part of subcall function 00EC130B: SetWindowTextW.USER32(00000000,00EF35B4), ref: 00EC1365
                      • EndDialog.USER32(?,00000001), ref: 00EDA4B8
                      • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00EDA4CD
                      • SetDlgItemTextW.USER32(?,00000066,?), ref: 00EDA4E2
                      Strings
                      Similarity
                      • API ID: ItemText$DialogWindow
                      • String ID: ASKNEXTVOL
                      • API String ID: 445417207-3402441367
                      • Opcode ID: 8193bccde93e4e839cd8055e4a171b2644c3b842edd55986027bf73f35af09ec
                      • Instruction ID: a5d8b0d095f5ef539e7188751d87024681121aa94e558b9bdada53d4a2009a81
                      • Opcode Fuzzy Hash: 8193bccde93e4e839cd8055e4a171b2644c3b842edd55986027bf73f35af09ec
                      • Instruction Fuzzy Hash: 5111E9332442147FD6318F68DD0DF6A37A9FB46304F181026F211B72A1CBA29A03E722
                      APIs
                      Strings
                      Similarity
                      • API ID: __fprintf_l_strncpy
                      • String ID: $%s$@%s
                      • API String ID: 1857242416-834177443
                      • Opcode ID: 43a23dc64c9204a7697e47de5fbdd3dae21c7254ab0e0ff6068dc391d2082b45
                      • Instruction ID: 15fb571b1115e3641ed5f747e1d08ec185c6d3bc1a965e7adcc1f7c1bd94753a
                      • Opcode Fuzzy Hash: 43a23dc64c9204a7697e47de5fbdd3dae21c7254ab0e0ff6068dc391d2082b45
                      • Instruction Fuzzy Hash: 25219F3240434CAADB21DEA4CE06FEE7BE8EB04304F04152AFE15A61A1D373EA56CB51
                      APIs
                        • Part of subcall function 00EC130B: GetDlgItem.USER32(00000000,00003021), ref: 00EC134F
                        • Part of subcall function 00EC130B: SetWindowTextW.USER32(00000000,00EF35B4), ref: 00EC1365
                      • EndDialog.USER32(?,00000001), ref: 00EDA9DE
                      • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00EDA9F6
                      • SetDlgItemTextW.USER32(?,00000067,?), ref: 00EDAA24
                      Strings
                      Similarity
                      • API ID: ItemText$DialogWindow
                      • String ID: GETPASSWORD1
                      • API String ID: 445417207-3292211884
                      • Opcode ID: 17c2ce8172a4960a2b4eb8028b882bacb72297e84bdd23539bc559c3739405b5
                      • Instruction ID: 2e783b0b9da1542da676c430e7598d93c3872f667776efea41e1ca95fa4941cb
                      • Opcode Fuzzy Hash: 17c2ce8172a4960a2b4eb8028b882bacb72297e84bdd23539bc559c3739405b5
                      • Instruction Fuzzy Hash: FA1144339401187ADB319A64AE09FFB7B6CEB49304F042036FA45B2280C2619E53E672
                      APIs
                      • _swprintf.LIBCMT ref: 00ECB51E
                        • Part of subcall function 00EC400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00EC401D
                      • _wcschr.LIBVCRUNTIME ref: 00ECB53C
                      • _wcschr.LIBVCRUNTIME ref: 00ECB54C
                      Strings
                      Similarity
                      • API ID: _wcschr$__vswprintf_c_l_swprintf
                      • String ID: %c:\
                      • API String ID: 525462905-3142399695
                      • Opcode ID: e9a1981cf1bf285f1d9cce64aaabd8aee32c641b4651fd8cdacc588ac90b0b6a
                      • Instruction ID: 825fd483392e04596321eda28bf84fd7fbde9097a6e5f9492d77babd821b3d84
                      • Opcode Fuzzy Hash: e9a1981cf1bf285f1d9cce64aaabd8aee32c641b4651fd8cdacc588ac90b0b6a
                      • Instruction Fuzzy Hash: 57016D63A04311BACB206BB59D43E6BB7EDEE953A0F40641EF844F7081FB32D845C2A1
                      APIs
                      • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00ECABC5,00000008,?,00000000,?,00ECCB88,?,00000000), ref: 00ED06F3
                      • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00ECABC5,00000008,?,00000000,?,00ECCB88,?,00000000), ref: 00ED06FD
                      • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00ECABC5,00000008,?,00000000,?,00ECCB88,?,00000000), ref: 00ED070D
                      Strings
                      • Thread pool initialization failed., xrefs: 00ED0725
                      Similarity
                      • API ID: Create$CriticalEventInitializeSectionSemaphore
                      • String ID: Thread pool initialization failed.
                      • API String ID: 3340455307-2182114853
                      • Opcode ID: 83c6630d43448f8e68969a623b4952c2deb3f968aede2fad284b10485bcd5faf
                      • Instruction ID: 43eb649612e80d0fdb2a9871e85c2ba4ad96c29953f984604a8d48afa7f92262
                      • Opcode Fuzzy Hash: 83c6630d43448f8e68969a623b4952c2deb3f968aede2fad284b10485bcd5faf
                      • Instruction Fuzzy Hash: B111A3B1500708AFC3205F76C884AA7FBECEB94755F10582FF1DA96200DA716981CB50
                      Strings
                      Similarity
                      • API ID:
                      • String ID: RENAMEDLG$REPLACEFILEDLG
                      • API String ID: 0-56093855
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: __alldvrm$_strrchr
                      • String ID:
                      • API String ID: 1036877536-0
                      APIs
                      • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00EC80B7,?,?,?), ref: 00ECA351
                      • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00EC80B7,?,?), ref: 00ECA395
                      • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00EC80B7,?,?,?,?,?,?,?,?), ref: 00ECA416
                      • CloseHandle.KERNEL32(?,?,00000000,?,00EC80B7,?,?,?,?,?,?,?,?,?,?,?), ref: 00ECA41D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: File$Create$CloseHandleTime
                      • String ID:
                      • API String ID: 2287278272-0
                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00EE89AD,?,00000000,?,00000001,?,?,00000001,00EE89AD,?), ref: 00EEC0E6
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EEC16F
                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00EE67E2,?), ref: 00EEC181
                      • __freea.LIBCMT ref: 00EEC18A
                        • Part of subcall function 00EE8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00EEC13D,00000000,?,00EE67E2,?,00000008,?,00EE89AD,?,?,?), ref: 00EE854A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                      • String ID:
                      • API String ID: 2652629310-0
                      APIs
                      • GetDC.USER32(00000000), ref: 00ED9DBE
                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00ED9DCD
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00ED9DDB
                      • ReleaseDC.USER32(00000000,00000000), ref: 00ED9DE9
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: CapsDevice$Release
                      • String ID:
                      • API String ID: 1035833867-0
                      APIs
                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00EE2016
                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00EE201B
                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00EE2020
                        • Part of subcall function 00EE310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00EE311F
                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00EE2035
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                      • String ID:
                      • API String ID: 1761009282-0
                      APIs
                        • Part of subcall function 00ED9DF1: GetDC.USER32(00000000), ref: 00ED9DF5
                        • Part of subcall function 00ED9DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00ED9E00
                        • Part of subcall function 00ED9DF1: ReleaseDC.USER32(00000000,00000000), ref: 00ED9E0B
                      • GetObjectW.GDI32(?,00000018,?), ref: 00ED9F8D
                        • Part of subcall function 00EDA1E5: GetDC.USER32(00000000), ref: 00EDA1EE
                        • Part of subcall function 00EDA1E5: GetObjectW.GDI32(?,00000018,?), ref: 00EDA21D
                        • Part of subcall function 00EDA1E5: ReleaseDC.USER32(00000000,?), ref: 00EDA2B5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: ObjectRelease$CapsDevice
                      • String ID: (
                      • API String ID: 1061551593-3887548279
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: _swprintf
                      • String ID: %ls$%s: %s
                      • API String ID: 589789837-2259941744
                      APIs
                      • _free.LIBCMT ref: 00EEAA84
                        • Part of subcall function 00EE8849: IsProcessorFeaturePresent.KERNEL32(00000017,00EE8838,00000050,00EF3958,?,00ECCFE0,00000004,00F00EE8,?,?,00EE8845,00000000,00000000,00000000,00000000,00000000), ref: 00EE884B
                        • Part of subcall function 00EE8849: GetCurrentProcess.KERNEL32(C0000417,00EF3958,00000050,00F00EE8), ref: 00EE886D
                        • Part of subcall function 00EE8849: TerminateProcess.KERNEL32(00000000), ref: 00EE8874
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                      • String ID: *?$.
                      • API String ID: 2667617558-3972193922
                      APIs
                      • __EH_prolog.LIBCMT ref: 00EC7730
                      • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00EC78CC
                        • Part of subcall function 00ECA444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00ECA27A,?,?,?,00ECA113,?,00000001,00000000,?,?), ref: 00ECA458
                        • Part of subcall function 00ECA444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00ECA27A,?,?,?,00ECA113,?,00000001,00000000,?,?), ref: 00ECA489
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: File$Attributes$H_prologTime
                      • String ID: :
                      • API String ID: 1861295151-336475711
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: UNC$\\?\
                      • API String ID: 0-253988292
                      APIs
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00ED43D8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: Exception@8Throw
                      • String ID: HC$XC
                      • API String ID: 2005118841-2964754326
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: Shell.Explorer$about:blank
                      • API String ID: 0-874089819
                      APIs
                        • Part of subcall function 00ECEB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00ECEB92
                        • Part of subcall function 00ECEB73: GetProcAddress.KERNEL32(00F081C0,CryptUnprotectMemory), ref: 00ECEBA2
                      • GetCurrentProcessId.KERNEL32(?,?,?,00ECEBEC), ref: 00ECEC84
                      Strings
                      • CryptProtectMemory failed, xrefs: 00ECEC3B
                      • CryptUnprotectMemory failed, xrefs: 00ECEC7C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: AddressProc$CurrentProcess
                      • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: _free
                      • String ID: X
                      APIs
                      • CreateThread.KERNEL32(00000000,00010000,00ED09D0,?,00000000,00000000), ref: 00ED08AD
                      • SetThreadPriority.KERNEL32(?,00000000), ref: 00ED08F4
                        • Part of subcall function 00EC6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00EC6EAF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: Thread$CreatePriority__vswprintf_c_l
                      • String ID: CreateThread failed
                      APIs
                        • Part of subcall function 00EE8FA5: GetLastError.KERNEL32(?,00F00EE8,00EE3E14,00F00EE8,?,?,00EE3713,00000050,?,00F00EE8,00000200), ref: 00EE8FA9
                        • Part of subcall function 00EE8FA5: _free.LIBCMT ref: 00EE8FDC
                        • Part of subcall function 00EE8FA5: SetLastError.KERNEL32(00000000,?,00F00EE8,00000200), ref: 00EE901D
                        • Part of subcall function 00EE8FA5: _abort.LIBCMT ref: 00EE9023
                      • _abort.LIBCMT ref: 00EEB2E0
                      • _free.LIBCMT ref: 00EEB314
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: ErrorLast_abort_free
                      • String ID:
                      APIs
                        • Part of subcall function 00ECDA98: _swprintf.LIBCMT ref: 00ECDABE
                        • Part of subcall function 00ECDA98: _strlen.LIBCMT ref: 00ECDADF
                        • Part of subcall function 00ECDA98: SetDlgItemTextW.USER32(?,00EFE154,?), ref: 00ECDB3F
                        • Part of subcall function 00ECDA98: GetWindowRect.USER32(?,?), ref: 00ECDB79
                        • Part of subcall function 00ECDA98: GetClientRect.USER32(?,?), ref: 00ECDB85
                      • GetDlgItem.USER32(00000000,00003021), ref: 00EC134F
                      • SetWindowTextW.USER32(00000000,00EF35B4), ref: 00EC1365
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: ItemRectTextWindow$Client_strlen_swprintf
                      • String ID: 0
                      APIs
                      • WaitForSingleObject.KERNEL32(?,000000FF,00ED0A78,?), ref: 00ED0854
                      • GetLastError.KERNEL32(?), ref: 00ED0860
                        • Part of subcall function 00EC6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00EC6EAF
                      Strings
                      • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00ED0869
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                      • String ID: WaitForMultipleObjects error %d, GetLastError %d
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,00ECD32F,?), ref: 00ECDA53
                      • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00ECD32F,?), ref: 00ECDA61
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2042194832.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                      Similarity
                      • API ID: FindHandleModuleResource
                      • String ID: RTL
                      Memory Dump Source
                      • Source File: 00000005.00000002.2300072683.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Memory Dump Source
                      • Source File: 00000005.00000002.2300072683.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7ff848e70000_blockwin.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3ffe10437de60c155d6f08c0c25d2e2d7ad9310c154769b39448720e61c68e95
                      • Instruction ID: 3fc7e5cc97b47b776425056b953d2895a28b811d8d2d84f4c866b7b9a5b9a84a
                      • Opcode Fuzzy Hash: 3ffe10437de60c155d6f08c0c25d2e2d7ad9310c154769b39448720e61c68e95
                      • Instruction Fuzzy Hash: 09F0AF30D1DA9E8EEB98AA6888283FA7BE4FF15385F00047AD41EC20C1EF3455509605
                      Memory Dump Source
                      • Source File: 00000005.00000002.2300072683.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7ff848e70000_blockwin.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c4f8abc1ca25e95056b542d6e50d40db46504277b34a83f38a82391e591d9224
                      • Instruction ID: 629d1030a7e3504414357978be06efe68e6c6a2ac25f4e8b38475da503b842aa
                      • Opcode Fuzzy Hash: c4f8abc1ca25e95056b542d6e50d40db46504277b34a83f38a82391e591d9224
                      • Instruction Fuzzy Hash: 5BF0CD3080EA4E9FEB4CEE6484462FA77A0FF09384F40047AE80DC2181CB36A560CB88
                      Memory Dump Source
                      • Source File: 00000005.00000002.2300072683.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7ff848e70000_blockwin.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2f37c769118794d0285ea489b91001189a9c77f75abcf6a7eca1e18c34a22f75
                      • Instruction ID: 77d9a63d44715073f8ca7a0d8039a0498b2a8f83b25d9b3431596eceeaf438d4
                      • Opcode Fuzzy Hash: 2f37c769118794d0285ea489b91001189a9c77f75abcf6a7eca1e18c34a22f75
                      • Instruction Fuzzy Hash: E9F0B430C0D78E8FEB59AF3488152B93BA0FF06341F4404BEE80AC61D2EB38A450C701
                      Memory Dump Source
                      • Source File: 00000005.00000002.2300072683.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7ff848e70000_blockwin.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6c57d409464c80956dbc8265d85688b7f058500b9d9eda45d8735bc6e9420cc8
                      • Instruction ID: a8e310d27b4c0a6490317e0a02b6ca4d31f5a37a657cd9aec8c3b290397e1167
                      • Opcode Fuzzy Hash: 6c57d409464c80956dbc8265d85688b7f058500b9d9eda45d8735bc6e9420cc8
                      • Instruction Fuzzy Hash: 61F0C23080E3894FEB5AAF3088292A93BB0FF06340F4405BAD80AC61D3DB789454C301
                      Memory Dump Source
                      • Source File: 00000005.00000002.2300072683.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7ff848e70000_blockwin.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f3d2af1c31550725c430c7c361bbfcb6eae85c0ee8734921a4cafe1290a90b55
                      • Instruction ID: df0bc9c157b53ee825ac0cab1e349f7340d741c773128722fab332ec508e6c6e
                      • Opcode Fuzzy Hash: f3d2af1c31550725c430c7c361bbfcb6eae85c0ee8734921a4cafe1290a90b55
                      • Instruction Fuzzy Hash: 73F08230E0D9698FEBA1DB188894B76B7F1FB15350F1402F6C45CD7182DA3419C28F05
                      Memory Dump Source
                      • Source File: 00000005.00000002.2300072683.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7ff848e70000_blockwin.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b2a1a5cca1e6e06b9dbeb7d39b273728c7f151a8c036831ce9938b39de7d2662
                      • Instruction ID: 03fc9a6113d5c347a2dd79660478c04db12532e2162860a140adc2184049cd19
                      • Opcode Fuzzy Hash: b2a1a5cca1e6e06b9dbeb7d39b273728c7f151a8c036831ce9938b39de7d2662
                      • Instruction Fuzzy Hash: 96E0ED20E0DA474EEB6876598485674A1D1BF44394FB88675F02DCA2E1EB3AEC86D309
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: de00e12ab17247d3de35a11f9d9132db5765085284c208ba5920cd139901d6cd
                      • Instruction ID: efd2f24d7dae76435857b1feefe71f32ebfefbeac233aed83e0f383b253fedb8
                      • Opcode Fuzzy Hash: de00e12ab17247d3de35a11f9d9132db5765085284c208ba5920cd139901d6cd
                      • Instruction Fuzzy Hash: 4D519F71A1C9498FE758DB6CD8143EDBFE1FB96294F9401B9C00DD72CADBB424068751
                      Strings
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID: 2EH
                      • API String ID: 0-17899816
                      • Opcode ID: 297a7681e2f9d84c59124616f974d007ce42bd7545908ea2aeac06ff35edc81d
                      • Instruction ID: 74dafbb35ee935a5964040ff5b2547b1947481d6ed0b89916a6843aa0b2b4312
                      • Opcode Fuzzy Hash: 297a7681e2f9d84c59124616f974d007ce42bd7545908ea2aeac06ff35edc81d
                      • Instruction Fuzzy Hash: 5581AF31E0CA498FDB4AEE1C88555B977E2FF98754F54017AE44EE3286CE35EC028785
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 77b6e9ef476804b921fb1ce481f1fbafd79cf493b41157390ae5fbaea21f17e1
                      • Instruction ID: e8b213e5ba8154e5d6b6196f598ff0ee123636ebbc9b6a45b5cfb5b1bdc5cf0f
                      • Opcode Fuzzy Hash: 77b6e9ef476804b921fb1ce481f1fbafd79cf493b41157390ae5fbaea21f17e1
                      • Instruction Fuzzy Hash: C951F131A0CA8A8FDB4DEE1888545BA77E2FF98741F14017ED44AD3282CE35E802C785
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5d5c8e8a5c8e2708d951d3d4658dd46525725eb1168df48df33949019d00ccf3
                      • Instruction ID: 9b89ca985e6570d09204953ac48b7f5720760f1f9b37d5d72686bb8f4f82c4cc
                      • Opcode Fuzzy Hash: 5d5c8e8a5c8e2708d951d3d4658dd46525725eb1168df48df33949019d00ccf3
                      • Instruction Fuzzy Hash: B9412231E0DA8A5FE395EB3898591B9BBE0FF96390F8441BAD408D3193DF38B8418355
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c117d5a27fd2e3ac68651c3413dc070b251f16d44697dd5f60e7655f88dfb475
                      • Instruction ID: fd23c8723be055d17c99ee7b88468be3aacb9981b270b873b63e542f15eae5c3
                      • Opcode Fuzzy Hash: c117d5a27fd2e3ac68651c3413dc070b251f16d44697dd5f60e7655f88dfb475
                      • Instruction Fuzzy Hash: EA512670D0D60E8FEB54EB98C8586EDB7F1FF59350F90017AD00AE7292DB38A9458B54
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 278a34c720e5c78ccc89853c99d38e1c30aa433f8bebad79898bafe772d5ccdc
                      • Instruction ID: 38054a80368490074273ddde2b3628f1d5c1584e9fb6aef48d31943420211a3d
                      • Opcode Fuzzy Hash: 278a34c720e5c78ccc89853c99d38e1c30aa433f8bebad79898bafe772d5ccdc
                      • Instruction Fuzzy Hash: 74314830D0C22ACEEB64AF14C8447F9B2B0BF41351F8051B9D45EA6292DF387A849F98
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5099fd867968c4b9181df924fe18b161dcf1d590dd66242c1525633413c86c14
                      • Instruction ID: 9ae4f14604554744783672e5d5faaad0e8871af5e329d5d64b1079577f6458c3
                      • Opcode Fuzzy Hash: 5099fd867968c4b9181df924fe18b161dcf1d590dd66242c1525633413c86c14
                      • Instruction Fuzzy Hash: 43219A3084D78A8FE742AB7888585A97FF0FF1B350F4905EBD058CB0A3DA38A446C711
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 25ef8f2796e35d80d1d0930f5d0bf2f4006914eb08ffd839480f7e5a47781a19
                      • Instruction ID: 50821e42bb67b62ba4f1491f89e238b8f636a915a9e55ac648d0e9021a39ec8a
                      • Opcode Fuzzy Hash: 25ef8f2796e35d80d1d0930f5d0bf2f4006914eb08ffd839480f7e5a47781a19
                      • Instruction Fuzzy Hash: 24116D30E1C55E9FE791FB6888492B97BE0FF59390F8005B6D409E61A6EF38B9448744
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 483954c00878cb0261f8b68b20096e96ffe2499071a10e615188537f2d256b97
                      • Instruction ID: 300bcbe5ee4a5a00d1e07850680f21582cf3b3c4be4549a3257df065662bafd8
                      • Opcode Fuzzy Hash: 483954c00878cb0261f8b68b20096e96ffe2499071a10e615188537f2d256b97
                      • Instruction Fuzzy Hash: E0115E1180E6C65EEB53777918650616FE06F132A4F6D45FBD0D8DA0E3DA2A6489C306
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 53cf2e385b7559d79fa744ba5a4236d4f1ed925c3d35eff0bd0ff510c6fef537
                      • Instruction ID: 8b2e0ab101beb24acaa954b347e6d8db5ca21247b3e5978695e17a536ebec892
                      • Opcode Fuzzy Hash: 53cf2e385b7559d79fa744ba5a4236d4f1ed925c3d35eff0bd0ff510c6fef537
                      • Instruction Fuzzy Hash: 0F115A30D1D68E8FDB5AEB28C8582B9BBA0FF19341F8404BED419E6192DB79A541CB04
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0875dec91947cdbd58c35416c0e2b7ed9117b34992cd0e66c495d7aab85c0327
                      • Instruction ID: 6a95fb39ac1681ced8263800fdccf496db1e6e86fe03a78f4d797a8ad0802ee2
                      • Opcode Fuzzy Hash: 0875dec91947cdbd58c35416c0e2b7ed9117b34992cd0e66c495d7aab85c0327
                      • Instruction Fuzzy Hash: 74119030D0D58A8EEB9AEB2888692B97BE0FF19341F4004BEC019D7092EF396440C714
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 59225297625685829db0cc4fb7cd2e515ea982887324dba7c7ebdbb5e4adbd7d
                      • Instruction ID: 546a3c6eca0ddf65b2454a772d031161dc58b75d4f31e795692e6ba71faa2e13
                      • Opcode Fuzzy Hash: 59225297625685829db0cc4fb7cd2e515ea982887324dba7c7ebdbb5e4adbd7d
                      • Instruction Fuzzy Hash: 9C111930A099198FEB54FB58C844BEDB3B1FB58340F5042B5D00AF7295DF38B9458B88
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 84409fb2db0a5cac5d059fa40f07405c3b295b37a1629fff83d455380bdf30e8
                      • Instruction ID: 92ba73daad68299c29e97893e48f4ab1c33655448146864c46d52c97c9853760
                      • Opcode Fuzzy Hash: 84409fb2db0a5cac5d059fa40f07405c3b295b37a1629fff83d455380bdf30e8
                      • Instruction Fuzzy Hash: F3018C3090890E9FEB49EF24C0556BE77A1FF58385F90047AD40ED2191CF36B550CB48
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d1ca102e2aa52001420d2c01f8a2d799cd61cb0811968ce22164d2cca85747a3
                      • Instruction ID: 6f566ceda987cf983b7a3ab0b2182a69c83501830b74c54960e2dde18405bfae
                      • Opcode Fuzzy Hash: d1ca102e2aa52001420d2c01f8a2d799cd61cb0811968ce22164d2cca85747a3
                      • Instruction Fuzzy Hash: 02018B30E1D60E8FEB42FB2484492A97BE4FF19380F4105B6D40CD60A2EF38F0408704
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4604063581d675318cc3b823d3565349f96aa9312cd486ab881fe0aaed64220e
                      • Instruction ID: ed9dbf0b9ff585bed77042941846bc393a472234fb9920f6dc7c906159f64db6
                      • Opcode Fuzzy Hash: 4604063581d675318cc3b823d3565349f96aa9312cd486ab881fe0aaed64220e
                      • Instruction Fuzzy Hash: 6D015630D1D6499FEB42FB2888496A97BE0FF4A390F8549B2D418D70A3EB38A4448715
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 300d9b450d82eadffc46d61c22a64f619a36b67c6cc3010c61ed75b8d7f08305
                      • Instruction ID: 8c2ba59c0923b990d27f00932b689c7d9d6c8d64311593fd9f1392629d7917e7
                      • Opcode Fuzzy Hash: 300d9b450d82eadffc46d61c22a64f619a36b67c6cc3010c61ed75b8d7f08305
                      • Instruction Fuzzy Hash: 3501863090D68E8FEB5DEF2484596BD7BA1FF55341F8400BED808C6192DB36E550C744
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0043cce8e97bda274ce83097db88085f3d96db7ef540e2d77c3a538004ae53a7
                      • Instruction ID: a59cfc57229210021e4fed6a875e5149949721b1e768430e73625f3f06b66415
                      • Opcode Fuzzy Hash: 0043cce8e97bda274ce83097db88085f3d96db7ef540e2d77c3a538004ae53a7
                      • Instruction Fuzzy Hash: 69017C7091D64D8FE751FB6488496B97BE0FF69341F8545B6D408D60A2EF38B4548704
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b0f57d3ea6b08d9437189df6d532044198d66d4e4d9fc8e443138f657d1a28f8
                      • Instruction ID: 0c2f651bb015b7eb159cd488b4feb68d18f7c429eb0bafaf2089b7bedaeebf93
                      • Opcode Fuzzy Hash: b0f57d3ea6b08d9437189df6d532044198d66d4e4d9fc8e443138f657d1a28f8
                      • Instruction Fuzzy Hash: A001693091860E9EEB48FF248458ABA76A1FF18355F9008BEE81EE61D2DF35B150C604
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 31d29ea3d782545ce8efd06b8f49af75b925c3c49c0ca4bc2b23f251fdb85d6c
                      • Instruction ID: 89a0d4cf9f4492ddf110206139432ea43214b6ada80464592620a7f2844f226c
                      • Opcode Fuzzy Hash: 31d29ea3d782545ce8efd06b8f49af75b925c3c49c0ca4bc2b23f251fdb85d6c
                      • Instruction Fuzzy Hash: 18016D3091950D9EEB48FB24C4586BA72A1FF18355F9008BEE81ED21D2DF35B590C614
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b98f6aad73b7deb44180a896c1d579574ba4069856e941503a61e36d62e4b1cb
                      • Instruction ID: 80327f3e90c9780ae45a596bd3ee27f04c05402be781a4c47359e5a3ea66f562
                      • Opcode Fuzzy Hash: b98f6aad73b7deb44180a896c1d579574ba4069856e941503a61e36d62e4b1cb
                      • Instruction Fuzzy Hash: 43F0AF30D0D99E8EEF99AB6888192FA77E4FF15385F40147AD41DE20D1EF3464508645
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1880435236a021e214821b228b8498e40ba037b3cd3561bdda180b7fb1fe2117
                      • Instruction ID: 9acde84d93b60c9a6a78028e2522f08bc31140d61997565f9e95ad20ef28020b
                      • Opcode Fuzzy Hash: 1880435236a021e214821b228b8498e40ba037b3cd3561bdda180b7fb1fe2117
                      • Instruction Fuzzy Hash: 4BF0AF3080DA4E9FEB49EE2484552FE77A0FF05384F80047AE80DD2191CB36A550CA88
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 497f76f4a064b2d0ce3073866d9b3a7fa2ccd0be6c36d132b90ba00de38617c5
                      • Instruction ID: 370760242822b3833245b91ff50c81fedc198d25b58a316d9a2a5d36c299c63e
                      • Opcode Fuzzy Hash: 497f76f4a064b2d0ce3073866d9b3a7fa2ccd0be6c36d132b90ba00de38617c5
                      • Instruction Fuzzy Hash: E9F09030D0D68A8FEB59BF3488192B93BA1FF16391F8404BEE809C61D2EB39B450C701
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a97c38aa53bfd9265ac36b25c72876c8b479eae2e1a63dde43f8c9876f31a155
                      • Instruction ID: f8aa0bfc319f5e1f9875590ab311111d93495411e8115bd68e12da8c7aa8c79d
                      • Opcode Fuzzy Hash: a97c38aa53bfd9265ac36b25c72876c8b479eae2e1a63dde43f8c9876f31a155
                      • Instruction Fuzzy Hash: FAF0C23080E3C94FEB5AAF3488291A93FA0FF06350F8405BAD809C61D3DB78B414C301
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 48b60dfce968201d66c84b64790c8dc45edd7864be78e002a23f446adcf339b6
                      • Instruction ID: d3cee424b023490f87940b6637ec8cc4364935e1281f64affadfdd726ee0d30e
                      • Opcode Fuzzy Hash: 48b60dfce968201d66c84b64790c8dc45edd7864be78e002a23f446adcf339b6
                      • Instruction Fuzzy Hash: C0F01230E0D9698FEBA1DB188894B7AB7F1FB05341F5402F6C45DE7182DA3469829F41
                      Memory Dump Source
                      • Source File: 0000001B.00000002.2335299323.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_27_2_7ff848e60000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b2a1a5cca1e6e06b9dbeb7d39b273728c7f151a8c036831ce9938b39de7d2662
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e81000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d8aec5f29d6a4ba1ed268c6fdfb354cda43825451d997a254e63434e8d16fcb9
                      • Instruction ID: 3c7e5ea70bbb11e93f7d617e2ce9eb8f66a7041998d978b7a218e6af86d03819
                      • Opcode Fuzzy Hash: d8aec5f29d6a4ba1ed268c6fdfb354cda43825451d997a254e63434e8d16fcb9
                      • Instruction Fuzzy Hash: 49112A3090D54A9FEB41EB788C496AE7BF0FF1A341F4409B6D419C7061DB38A1848755
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e81000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ddaea1a2f0eb5b239a910f54c54f958898907e0840b26a90c569cca6e32451ed
                      • Instruction ID: 34563901d0937beb855900e2eac5f637ce69801512cb1dea072ecacbc37a9d58
                      • Opcode Fuzzy Hash: ddaea1a2f0eb5b239a910f54c54f958898907e0840b26a90c569cca6e32451ed
                      • Instruction Fuzzy Hash: 5F118B3090DA8A8FEB59EB2488692BD7BB0FF19340F4404BBC419C7192DF3864408B02
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e81000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e4caadadc858b646ef761553c977e7435daa879f6461d977cd6c70b7ee9ab056
                      • Instruction ID: 1980c6dc063e59a96b7d11596ec5cca5b259f5aee581f988cd6a611b8ad0535d
                      • Opcode Fuzzy Hash: e4caadadc858b646ef761553c977e7435daa879f6461d977cd6c70b7ee9ab056
                      • Instruction Fuzzy Hash: B0118C30D0D94E9FEB58EB2488596BD7BF0FF28342F4405BAD40AC32A2DF38A5448751
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E79000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e79000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dcb59e4f02aa1c330dec6d3c5aa2dbed3dbef591381fa35e5db305aafdc09c30
                      • Instruction ID: 8554d2421fd0b619f31ce739223611dce9c6958f95ac6e5794ace12ec253f570
                      • Opcode Fuzzy Hash: dcb59e4f02aa1c330dec6d3c5aa2dbed3dbef591381fa35e5db305aafdc09c30
                      • Instruction Fuzzy Hash: CE115770918A4E8FEB88FF6888592BE7BB0FF18341F5005BAD41AC6192DF35A540CB04
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e70000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e59acf7d48b68620228170a936418149dc4fd565aa53f1a947a28dfe8be7635e
                      • Instruction ID: 890722afc5b7b63396223e03d52950c2f8a2a28abfabf0a434bc402e9878cd64
                      • Opcode Fuzzy Hash: e59acf7d48b68620228170a936418149dc4fd565aa53f1a947a28dfe8be7635e
                      • Instruction Fuzzy Hash: 6A113C70D1D64E8FDB9AEF68C4592B97BE0FF19341F8005BED41AC6191EB35A5408704
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e81000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 34d8700b495b4dc1081d26cc64d0d32356e92d79bc65e1d06ea855b40440e975
                      • Instruction ID: 03d39f2c9da0655f63374d7e0fa4f599aa14ea4ee078145896253efeed16b9fe
                      • Opcode Fuzzy Hash: 34d8700b495b4dc1081d26cc64d0d32356e92d79bc65e1d06ea855b40440e975
                      • Instruction Fuzzy Hash: 83116A70D0D68A9FE781FB24885D6A97BF0FF19340F4409B6D808C71A2EF38A5848755
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e81000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1f08e916eff9ed275a84fd120527907473f5206406670371768d75c189340fbf
                      • Instruction ID: 370e454fea5fde2a5b7551abf1e57663877e2e39fae8a2686aada25cccd98168
                      • Opcode Fuzzy Hash: 1f08e916eff9ed275a84fd120527907473f5206406670371768d75c189340fbf
                      • Instruction Fuzzy Hash: E9113970919A4E8FEB84FB68C4592BD7BA0FF19345F8004BED419D7192DF3AA5808744
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e70000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 12430ef2aa658ebca556f60c7cd4ba377e685afbc249ed8964a2c34977e086e8
                      • Instruction ID: d53a5e1ed8919ae20811d960d86134d5742423c0f293ee4b413ce87fc1b44b3a
                      • Opcode Fuzzy Hash: 12430ef2aa658ebca556f60c7cd4ba377e685afbc249ed8964a2c34977e086e8
                      • Instruction Fuzzy Hash: C611FE31D0990D8FEB58FB94C854BEDB7B1FB58344F1042B5D009E7295DF38A9458B94
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e81000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3d14de2e673de52e5008f369ffc2ea37f01a61e58d2cdef43524ce8f220786ce
                      • Instruction ID: 69f61fe921f7952d7c2a662ea3b80cd4ba29167f64d7ed3c9644a380dc035361
                      • Opcode Fuzzy Hash: 3d14de2e673de52e5008f369ffc2ea37f01a61e58d2cdef43524ce8f220786ce
                      • Instruction Fuzzy Hash: 0D118C3090DA8E8FEB88EF2488596BD7BB1FF18341F8404BAD429C7192DF38A544CB41
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E79000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e79000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b96a8855d40e5d8a865eda2e09ee7c1b24100330734efc4c88c3ab8d299ebe44
                      • Instruction ID: 71c440137daa40a77ab161d36dbcadcfcbea3c018ec5145c41f2bb9fc0128b68
                      • Opcode Fuzzy Hash: b96a8855d40e5d8a865eda2e09ee7c1b24100330734efc4c88c3ab8d299ebe44
                      • Instruction Fuzzy Hash: 76113970A1DA8D8FEB99EB6488592BD7BA0FF18351F4004BBD419C61A2DF35A580C704
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e81000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 997521ca59c114f53add8869110a2200ba2858758b7923294d0f2f1c5de1ff4c
                      • Instruction ID: 9d9ff33066872ac9dd59fdded0c6c7a7494e39fb7084988d6c40423b41c1a1a1
                      • Opcode Fuzzy Hash: 997521ca59c114f53add8869110a2200ba2858758b7923294d0f2f1c5de1ff4c
                      • Instruction Fuzzy Hash: DC0188309096498FEB68EB2484596BD7BA0FF19340F8108FAD40AD70A2DF39A540C640
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E79000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e79000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8690a240daa06f6a632e58e3344cf8ebda13c954bcd4498b4f2711fbd28c91bc
                      • Instruction ID: a3d36173b4ed67e1b07731cf010addfa8505f24fc6959ea5b5b3682e1a14cfc3
                      • Opcode Fuzzy Hash: 8690a240daa06f6a632e58e3344cf8ebda13c954bcd4498b4f2711fbd28c91bc
                      • Instruction Fuzzy Hash: 8B11CB3190D68E8FDB89FF24C4592B97BB1FF69340F5040BED409C6096DB39A550C785
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E79000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e79000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8e317422469fb1ada6387f16d1cef5d94fb286617c43617bba3f95e6c32e6f96
                      • Instruction ID: 699b350dac162c91c5a1e7064c137b123dacefbdda38aeba71f836565b49fe26
                      • Opcode Fuzzy Hash: 8e317422469fb1ada6387f16d1cef5d94fb286617c43617bba3f95e6c32e6f96
                      • Instruction Fuzzy Hash: 0F019A3091C64E8FE795FF2488496E97BE0FF99340F0148B6E808C70A2EF38A580CB04
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e70000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6ebb203611f1de74e2ab293d6f28cfb3688226de5158ee0dc72d0bf3a086dfb8
                      • Instruction ID: ee36df097f0f338dc5f1997a5a48a49a98ed4cff9997d4e9b4ab21171b7190cc
                      • Opcode Fuzzy Hash: 6ebb203611f1de74e2ab293d6f28cfb3688226de5158ee0dc72d0bf3a086dfb8
                      • Instruction Fuzzy Hash: 38018C30908A0E9FEB48EF64C0456BA77A1FF58385F5004BAD40EC2194CF36A551CB48
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e70000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 672adf1bfc187ec2b5c54610c94237c731282cc8369a3bae41e9545f9f5752f5
                      • Instruction ID: 2ca3a13b768007f2d673ed0f29fca507c425469059787e96b6e45815922939f1
                      • Opcode Fuzzy Hash: 672adf1bfc187ec2b5c54610c94237c731282cc8369a3bae41e9545f9f5752f5
                      • Instruction Fuzzy Hash: 93018B30D1D64E8FEB52FB2484486A97BE0FF19380F0115B6D40DC61A2EF38E4848704
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e70000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f10e62ae5f9aea48cdffeb5e4a412d75786702850c685784d4e43385fd100387
                      • Instruction ID: 05411d82e007968f98aeffd7ea6e89a72a68db3022e96ace70077ea547f7c4ca
                      • Opcode Fuzzy Hash: f10e62ae5f9aea48cdffeb5e4a412d75786702850c685784d4e43385fd100387
                      • Instruction Fuzzy Hash: AC017C3095D6895FE742FB3888495A97BF0FF4A350F0549F2D40DC70A3EB38A4448714
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e70000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: aec4ece8031bc33beb44908fabe26504ec912b108f8b3bb7a185c742d0f7b517
                      • Instruction ID: 9581290d8e236c89c99c761ede2a83102100fb16ae82c054bfff9004e7384628
                      • Opcode Fuzzy Hash: aec4ece8031bc33beb44908fabe26504ec912b108f8b3bb7a185c742d0f7b517
                      • Instruction Fuzzy Hash: 0201817090DB8E8FEB9DEF6484596B97BA0FF55341F5400BAD808C7192DB369590C744
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e81000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1b96ceda3c7f144462f1213a242b6cb6f919bc54ac1901e17385910b59e4682a
                      • Instruction ID: 48d2c37366748c9eefb32fb0e0f83ead80d0e3979ae48c2ffd45dbc8fa416ef7
                      • Opcode Fuzzy Hash: 1b96ceda3c7f144462f1213a242b6cb6f919bc54ac1901e17385910b59e4682a
                      • Instruction Fuzzy Hash: 5301B13094D64A8FEB4AEB2488592BE7BA0FF19385F4004BED409C7192DF35A551C740
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e81000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d0cf8a8bd7d6d992788118856ab1c666304c3d19e551daddb8b618fe57ff7f52
                      • Instruction ID: c9f8a24e69bf8bc60b555c8f35dd5c1c414036a63546cdfcde21b04f8c3ce871
                      • Opcode Fuzzy Hash: d0cf8a8bd7d6d992788118856ab1c666304c3d19e551daddb8b618fe57ff7f52
                      • Instruction Fuzzy Hash: B1019E3095D6898FEB49EB2488692BD7BB0FF19380F4504FED809C7192DF39A541D701
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e70000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 34859dd991c978d7e3bb947c311c1017ac891db54ddfc06b2b13fa8c04696a80
                      • Instruction ID: dbe062344ee56f21153e397b8c87f7c8ae4f199234164363b3c07376f8f299f5
                      • Opcode Fuzzy Hash: 34859dd991c978d7e3bb947c311c1017ac891db54ddfc06b2b13fa8c04696a80
                      • Instruction Fuzzy Hash: 8901787091D64A8FF751FB2888896A97BE0FF19380F4545BAD409C60A2EF39E4448704
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e81000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 08b1895df3e0d5b5f9cdfdae71f61c0e1b238c385a51dd5d94594ae9756bbaba
                      • Instruction ID: 3d2ddb4136559fc4329905fd84c7c3bea0c1fd06f64d6d2d9e577978bcff787f
                      • Opcode Fuzzy Hash: 08b1895df3e0d5b5f9cdfdae71f61c0e1b238c385a51dd5d94594ae9756bbaba
                      • Instruction Fuzzy Hash: B0017C3095E6899FE742BB3488595BD7BE0FF5A340F5508F2D008C70A2EF38A4448B15
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e70000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7109b5c39c791fdab87c5945ff2004e0cf4f60350da3fff6a6d6cc7c0d919966
                      • Instruction ID: cb8b71d4fa4e2ba85a6b2288200b2681ef7e4a9c9dc8e3a5804420c1bd55df03
                      • Opcode Fuzzy Hash: 7109b5c39c791fdab87c5945ff2004e0cf4f60350da3fff6a6d6cc7c0d919966
                      • Instruction Fuzzy Hash: BC01693091860E9EEB48FF2485592BA72A1FF18345F5008BEE81FC6192DF35A150C604
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e70000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4a2850972b3a6fc256faf87289c7133376aaf583af808039d524d2709025d661
                      • Instruction ID: 3441a8a0a44c128208eb6d910a646e9078c753c09f393d9c78a732a709af7252
                      • Opcode Fuzzy Hash: 4a2850972b3a6fc256faf87289c7133376aaf583af808039d524d2709025d661
                      • Instruction Fuzzy Hash: 1E01463091990E9EEB48FB3484592BA72A1FF18345F5008BEE80BC2192DF39A590CB14
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E79000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e79000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 34982e1c9fa97b556fb65deeeaf90550bf5199921647414dd09b23dac13ed710
                      • Instruction ID: 635ca57571068126e250108005e583de7474030e522ac5bc39d4cbffa27d654b
                      • Opcode Fuzzy Hash: 34982e1c9fa97b556fb65deeeaf90550bf5199921647414dd09b23dac13ed710
                      • Instruction Fuzzy Hash: F8019770D1891D9EEBA5EB18C854BECB6F1FB98341F4045BAD40EE2292DF346980CF54
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e81000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 06274ab7f6d2a27e2a8c696fea23b00d05ab4267934a264c4ee446df3c70c218
                      • Instruction ID: a65cf14fb4cda5d755b90c9c869198ada3435d683db476365f76ff0a5f5f3938
                      • Opcode Fuzzy Hash: 06274ab7f6d2a27e2a8c696fea23b00d05ab4267934a264c4ee446df3c70c218
                      • Instruction Fuzzy Hash: F3F04470D1D68A8EEB91BB7888482BE7AB0FF15381F4009B6D818C60A2EB3891948745
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e70000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3ffe10437de60c155d6f08c0c25d2e2d7ad9310c154769b39448720e61c68e95
                      • Instruction ID: 3fc7e5cc97b47b776425056b953d2895a28b811d8d2d84f4c866b7b9a5b9a84a
                      • Opcode Fuzzy Hash: 3ffe10437de60c155d6f08c0c25d2e2d7ad9310c154769b39448720e61c68e95
                      • Instruction Fuzzy Hash: 09F0AF30D1DA9E8EEB98AA6888283FA7BE4FF15385F00047AD41EC20C1EF3455509605
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E79000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e79000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ff0ac0e5febe51e5d4c7cb56ba982ca35baabe78d05886562ac7eeeb74f0b969
                      • Instruction ID: 2d63a5a5651824f65cbf7231e7309520336cd893e90a2049c10246d52c6e54d4
                      • Opcode Fuzzy Hash: ff0ac0e5febe51e5d4c7cb56ba982ca35baabe78d05886562ac7eeeb74f0b969
                      • Instruction Fuzzy Hash: E5F0A974D1C90E9FE754FB3888492B97AE0FF08380F0108B6E40CC30A2EF34A4909604
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e70000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c4f8abc1ca25e95056b542d6e50d40db46504277b34a83f38a82391e591d9224
                      • Instruction ID: 629d1030a7e3504414357978be06efe68e6c6a2ac25f4e8b38475da503b842aa
                      • Opcode Fuzzy Hash: c4f8abc1ca25e95056b542d6e50d40db46504277b34a83f38a82391e591d9224
                      • Instruction Fuzzy Hash: 5BF0CD3080EA4E9FEB4CEE6484462FA77A0FF09384F40047AE80DC2181CB36A560CB88
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E79000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e79000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 64e439a6761654bbae7ceea18766cfc5e82bfb63258a2c38c6db9646200d3d91
                      • Instruction ID: 8082f6df51c2869d4071892669792638ee28b8900fa8b82b4d6011a5d5fb8a2c
                      • Opcode Fuzzy Hash: 64e439a6761654bbae7ceea18766cfc5e82bfb63258a2c38c6db9646200d3d91
                      • Instruction Fuzzy Hash: 8001C071D0864ACFDB08EF89C8909FDB7B5FB5D350F20052AD40AB2291DB386940CB69
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e81000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 72fcebccfde72c5442c965145d11e3c2ec9ebbece6abdb7887cab1f915147e8d
                      • Instruction ID: ec1ac209b118a63ed62ef9beb7a4603d394e33b17393fc99597a557c1fc42db1
                      • Opcode Fuzzy Hash: 72fcebccfde72c5442c965145d11e3c2ec9ebbece6abdb7887cab1f915147e8d
                      • Instruction Fuzzy Hash: AF011630E0C2598FEB54EB98C8447ECB3B2FB84341F40427AC009A3295CF38A985CB59
                      Memory Dump Source
                      • Source File: 0000001E.00000002.2331200289.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_30_2_7ff848e70000_DwPKagqBqZ.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2f37c769118794d0285ea489b91001189a9c77f75abcf6a7eca1e18c34a22f75
                      • Instruction ID: 77d9a63d44715073f8ca7a0d8039a0498b2a8f83b25d9b3431596eceeaf438d4
                      • Opcode Fuzzy Hash: 2f37c769118794d0285ea489b91001189a9c77f75abcf6a7eca1e18c34a22f75
                      • Instruction Fuzzy Hash: E9F0B430C0D78E8FEB59AF3488152B93BA0FF06341F4404BEE80AC61D2EB38A450C701
                      • Instruction ID: 8aa0172cace7db2a83689d946379e94ccc7314a2333febfa83cbc543063af142
                      • Opcode Fuzzy Hash: 6a132143ddf912b653fee2121a6bd0f67a0905fe88967dddf97a7a366483f192
                      • Instruction Fuzzy Hash: C0115B3091C55E9EE782FB6884486F97BE0FF59341F4409B6D418D7056EB38A185C744
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e81000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 79de9e262c6501b02e760650eb0e2fd7b8dd09ed3bffb9c80f1a9614f0fed17c
                      • Instruction ID: dec504f1c104abd230e9b5ae2b3925740af9ac2e5f8533ca0f688d60db1bde7f
                      • Opcode Fuzzy Hash: 79de9e262c6501b02e760650eb0e2fd7b8dd09ed3bffb9c80f1a9614f0fed17c
                      • Instruction Fuzzy Hash: 1811B230D0E54E8FEB49EF2888552BD3BA1FF69341F8405BAD809C7192DF36A454C741
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e81000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c60776970be5c7b4e4af0a55beac057da81cfb2a9a90d63a3f4bf267060add6d
                      • Instruction ID: c55ef4953a00e642c3aea8ff479f18a5ad1b09836f56b3cbd55b82f4ddfab35f
                      • Opcode Fuzzy Hash: c60776970be5c7b4e4af0a55beac057da81cfb2a9a90d63a3f4bf267060add6d
                      • Instruction Fuzzy Hash: C311DD3090EA8A8FEB99AA2888692BC7BA0FF16340F4500FEC019C71A2CF395444D706
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E79000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e79000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 30a9fcf9c54f0989783167e520f066a563f8715f3f6084a5256e8c4c6ad6313d
                      • Instruction ID: 1f4e53fd244049c50f078cfd972dcc4fc64a34a4e3a1d40b5aa81210572848f6
                      • Opcode Fuzzy Hash: 30a9fcf9c54f0989783167e520f066a563f8715f3f6084a5256e8c4c6ad6313d
                      • Instruction Fuzzy Hash: A211A03190D79A8EEB56FF2898241FA7BB4FF06351F0405BBD849CA0E2DB345854C794
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e70000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f48527e2c7ec04ace19b0c6cb590b89e0bc37c550be181cb8f8c8a83d48d38ed
                      • Instruction ID: 9fe3ad229035a1598f0f74e6ecac3711dd5dab8ccc967076696f305df108936e
                      • Opcode Fuzzy Hash: f48527e2c7ec04ace19b0c6cb590b89e0bc37c550be181cb8f8c8a83d48d38ed
                      • Instruction Fuzzy Hash: 16116D70D0D68A8EEB99EB6888696B97BF0FF19345F0404BEC41AC7092EF3A6440C704
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e81000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d8aec5f29d6a4ba1ed268c6fdfb354cda43825451d997a254e63434e8d16fcb9
                      • Instruction ID: 3c7e5ea70bbb11e93f7d617e2ce9eb8f66a7041998d978b7a218e6af86d03819
                      • Opcode Fuzzy Hash: d8aec5f29d6a4ba1ed268c6fdfb354cda43825451d997a254e63434e8d16fcb9
                      • Instruction Fuzzy Hash: 49112A3090D54A9FEB41EB788C496AE7BF0FF1A341F4409B6D419C7061DB38A1848755
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e81000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ddaea1a2f0eb5b239a910f54c54f958898907e0840b26a90c569cca6e32451ed
                      • Instruction ID: 34563901d0937beb855900e2eac5f637ce69801512cb1dea072ecacbc37a9d58
                      • Opcode Fuzzy Hash: ddaea1a2f0eb5b239a910f54c54f958898907e0840b26a90c569cca6e32451ed
                      • Instruction Fuzzy Hash: 5F118B3090DA8A8FEB59EB2488692BD7BB0FF19340F4404BBC419C7192DF3864408B02
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e81000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e4caadadc858b646ef761553c977e7435daa879f6461d977cd6c70b7ee9ab056
                      • Instruction ID: 1980c6dc063e59a96b7d11596ec5cca5b259f5aee581f988cd6a611b8ad0535d
                      • Opcode Fuzzy Hash: e4caadadc858b646ef761553c977e7435daa879f6461d977cd6c70b7ee9ab056
                      • Instruction Fuzzy Hash: B0118C30D0D94E9FEB58EB2488596BD7BF0FF28342F4405BAD40AC32A2DF38A5448751
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E79000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e79000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dcb59e4f02aa1c330dec6d3c5aa2dbed3dbef591381fa35e5db305aafdc09c30
                      • Instruction ID: 8554d2421fd0b619f31ce739223611dce9c6958f95ac6e5794ace12ec253f570
                      • Opcode Fuzzy Hash: dcb59e4f02aa1c330dec6d3c5aa2dbed3dbef591381fa35e5db305aafdc09c30
                      • Instruction Fuzzy Hash: CE115770918A4E8FEB88FF6888592BE7BB0FF18341F5005BAD41AC6192DF35A540CB04
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e70000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e59acf7d48b68620228170a936418149dc4fd565aa53f1a947a28dfe8be7635e
                      • Instruction ID: 890722afc5b7b63396223e03d52950c2f8a2a28abfabf0a434bc402e9878cd64
                      • Opcode Fuzzy Hash: e59acf7d48b68620228170a936418149dc4fd565aa53f1a947a28dfe8be7635e
                      • Instruction Fuzzy Hash: 6A113C70D1D64E8FDB9AEF68C4592B97BE0FF19341F8005BED41AC6191EB35A5408704
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e81000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 34d8700b495b4dc1081d26cc64d0d32356e92d79bc65e1d06ea855b40440e975
                      • Instruction ID: 03d39f2c9da0655f63374d7e0fa4f599aa14ea4ee078145896253efeed16b9fe
                      • Opcode Fuzzy Hash: 34d8700b495b4dc1081d26cc64d0d32356e92d79bc65e1d06ea855b40440e975
                      • Instruction Fuzzy Hash: 83116A70D0D68A9FE781FB24885D6A97BF0FF19340F4409B6D808C71A2EF38A5848755
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e81000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1f08e916eff9ed275a84fd120527907473f5206406670371768d75c189340fbf
                      • Instruction ID: 370e454fea5fde2a5b7551abf1e57663877e2e39fae8a2686aada25cccd98168
                      • Opcode Fuzzy Hash: 1f08e916eff9ed275a84fd120527907473f5206406670371768d75c189340fbf
                      • Instruction Fuzzy Hash: E9113970919A4E8FEB84FB68C4592BD7BA0FF19345F8004BED419D7192DF3AA5808744
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e70000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2054b281aade96fd483d3cec227dd078efd6cd04a8bb33ac0f298ccf303b48ea
                      • Instruction ID: 6b13bab60299f59dccc2ab5ded8cca0d09850677d5ad5848659b037f7e5e78c6
                      • Opcode Fuzzy Hash: 2054b281aade96fd483d3cec227dd078efd6cd04a8bb33ac0f298ccf303b48ea
                      • Instruction Fuzzy Hash: 3F112E30A0990D8FEB58FB94C894BEDB7B1FB58340F1042B5D009E7295DF38A9458B84
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e81000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3d14de2e673de52e5008f369ffc2ea37f01a61e58d2cdef43524ce8f220786ce
                      • Instruction ID: 69f61fe921f7952d7c2a662ea3b80cd4ba29167f64d7ed3c9644a380dc035361
                      • Opcode Fuzzy Hash: 3d14de2e673de52e5008f369ffc2ea37f01a61e58d2cdef43524ce8f220786ce
                      • Instruction Fuzzy Hash: 0D118C3090DA8E8FEB88EF2488596BD7BB1FF18341F8404BAD429C7192DF38A544CB41
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E79000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e79000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b96a8855d40e5d8a865eda2e09ee7c1b24100330734efc4c88c3ab8d299ebe44
                      • Instruction ID: 71c440137daa40a77ab161d36dbcadcfcbea3c018ec5145c41f2bb9fc0128b68
                      • Opcode Fuzzy Hash: b96a8855d40e5d8a865eda2e09ee7c1b24100330734efc4c88c3ab8d299ebe44
                      • Instruction Fuzzy Hash: 76113970A1DA8D8FEB99EB6488592BD7BA0FF18351F4004BBD419C61A2DF35A580C704
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e81000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 997521ca59c114f53add8869110a2200ba2858758b7923294d0f2f1c5de1ff4c
                      • Instruction ID: 9d9ff33066872ac9dd59fdded0c6c7a7494e39fb7084988d6c40423b41c1a1a1
                      • Opcode Fuzzy Hash: 997521ca59c114f53add8869110a2200ba2858758b7923294d0f2f1c5de1ff4c
                      • Instruction Fuzzy Hash: DC0188309096498FEB68EB2484596BD7BA0FF19340F8108FAD40AD70A2DF39A540C640
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E79000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e79000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8690a240daa06f6a632e58e3344cf8ebda13c954bcd4498b4f2711fbd28c91bc
                      • Instruction ID: a3d36173b4ed67e1b07731cf010addfa8505f24fc6959ea5b5b3682e1a14cfc3
                      • Opcode Fuzzy Hash: 8690a240daa06f6a632e58e3344cf8ebda13c954bcd4498b4f2711fbd28c91bc
                      • Instruction Fuzzy Hash: 8B11CB3190D68E8FDB89FF24C4592B97BB1FF69340F5040BED409C6096DB39A550C785
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E79000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e79000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8e317422469fb1ada6387f16d1cef5d94fb286617c43617bba3f95e6c32e6f96
                      • Instruction ID: 699b350dac162c91c5a1e7064c137b123dacefbdda38aeba71f836565b49fe26
                      • Opcode Fuzzy Hash: 8e317422469fb1ada6387f16d1cef5d94fb286617c43617bba3f95e6c32e6f96
                      • Instruction Fuzzy Hash: 0F019A3091C64E8FE795FF2488496E97BE0FF99340F0148B6E808C70A2EF38A580CB04
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e70000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6ebb203611f1de74e2ab293d6f28cfb3688226de5158ee0dc72d0bf3a086dfb8
                      • Instruction ID: ee36df097f0f338dc5f1997a5a48a49a98ed4cff9997d4e9b4ab21171b7190cc
                      • Opcode Fuzzy Hash: 6ebb203611f1de74e2ab293d6f28cfb3688226de5158ee0dc72d0bf3a086dfb8
                      • Instruction Fuzzy Hash: 38018C30908A0E9FEB48EF64C0456BA77A1FF58385F5004BAD40EC2194CF36A551CB48
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e70000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 672adf1bfc187ec2b5c54610c94237c731282cc8369a3bae41e9545f9f5752f5
                      • Instruction ID: 2ca3a13b768007f2d673ed0f29fca507c425469059787e96b6e45815922939f1
                      • Opcode Fuzzy Hash: 672adf1bfc187ec2b5c54610c94237c731282cc8369a3bae41e9545f9f5752f5
                      • Instruction Fuzzy Hash: 93018B30D1D64E8FEB52FB2484486A97BE0FF19380F0115B6D40DC61A2EF38E4848704
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e70000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f10e62ae5f9aea48cdffeb5e4a412d75786702850c685784d4e43385fd100387
                      • Instruction ID: 05411d82e007968f98aeffd7ea6e89a72a68db3022e96ace70077ea547f7c4ca
                      • Opcode Fuzzy Hash: f10e62ae5f9aea48cdffeb5e4a412d75786702850c685784d4e43385fd100387
                      • Instruction Fuzzy Hash: AC017C3095D6895FE742FB3888495A97BF0FF4A350F0549F2D40DC70A3EB38A4448714
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e70000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: aec4ece8031bc33beb44908fabe26504ec912b108f8b3bb7a185c742d0f7b517
                      • Instruction ID: 9581290d8e236c89c99c761ede2a83102100fb16ae82c054bfff9004e7384628
                      • Opcode Fuzzy Hash: aec4ece8031bc33beb44908fabe26504ec912b108f8b3bb7a185c742d0f7b517
                      • Instruction Fuzzy Hash: 0201817090DB8E8FEB9DEF6484596B97BA0FF55341F5400BAD808C7192DB369590C744
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e81000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1b96ceda3c7f144462f1213a242b6cb6f919bc54ac1901e17385910b59e4682a
                      • Instruction ID: 48d2c37366748c9eefb32fb0e0f83ead80d0e3979ae48c2ffd45dbc8fa416ef7
                      • Opcode Fuzzy Hash: 1b96ceda3c7f144462f1213a242b6cb6f919bc54ac1901e17385910b59e4682a
                      • Instruction Fuzzy Hash: 5301B13094D64A8FEB4AEB2488592BE7BA0FF19385F4004BED409C7192DF35A551C740
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e81000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d0cf8a8bd7d6d992788118856ab1c666304c3d19e551daddb8b618fe57ff7f52
                      • Instruction ID: c9f8a24e69bf8bc60b555c8f35dd5c1c414036a63546cdfcde21b04f8c3ce871
                      • Opcode Fuzzy Hash: d0cf8a8bd7d6d992788118856ab1c666304c3d19e551daddb8b618fe57ff7f52
                      • Instruction Fuzzy Hash: B1019E3095D6898FEB49EB2488692BD7BB0FF19380F4504FED809C7192DF39A541D701
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e70000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 34859dd991c978d7e3bb947c311c1017ac891db54ddfc06b2b13fa8c04696a80
                      • Instruction ID: dbe062344ee56f21153e397b8c87f7c8ae4f199234164363b3c07376f8f299f5
                      • Opcode Fuzzy Hash: 34859dd991c978d7e3bb947c311c1017ac891db54ddfc06b2b13fa8c04696a80
                      • Instruction Fuzzy Hash: 8901787091D64A8FF751FB2888896A97BE0FF19380F4545BAD409C60A2EF39E4448704
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e81000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 08b1895df3e0d5b5f9cdfdae71f61c0e1b238c385a51dd5d94594ae9756bbaba
                      • Instruction ID: 3d2ddb4136559fc4329905fd84c7c3bea0c1fd06f64d6d2d9e577978bcff787f
                      • Opcode Fuzzy Hash: 08b1895df3e0d5b5f9cdfdae71f61c0e1b238c385a51dd5d94594ae9756bbaba
                      • Instruction Fuzzy Hash: B0017C3095E6899FE742BB3488595BD7BE0FF5A340F5508F2D008C70A2EF38A4448B15
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e70000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7109b5c39c791fdab87c5945ff2004e0cf4f60350da3fff6a6d6cc7c0d919966
                      • Instruction ID: cb8b71d4fa4e2ba85a6b2288200b2681ef7e4a9c9dc8e3a5804420c1bd55df03
                      • Opcode Fuzzy Hash: 7109b5c39c791fdab87c5945ff2004e0cf4f60350da3fff6a6d6cc7c0d919966
                      • Instruction Fuzzy Hash: BC01693091860E9EEB48FF2485592BA72A1FF18345F5008BEE81FC6192DF35A150C604
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e70000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4a2850972b3a6fc256faf87289c7133376aaf583af808039d524d2709025d661
                      • Instruction ID: 3441a8a0a44c128208eb6d910a646e9078c753c09f393d9c78a732a709af7252
                      • Opcode Fuzzy Hash: 4a2850972b3a6fc256faf87289c7133376aaf583af808039d524d2709025d661
                      • Instruction Fuzzy Hash: 1E01463091990E9EEB48FB3484592BA72A1FF18345F5008BEE80BC2192DF39A590CB14
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E79000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e79000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4650e0e5e428ff8878068960cfcd963a5e0ea264e0f31a4afa0a1afac9fb7351
                      • Instruction ID: 9df6068bf0969c3c974be8bcd5556121cd46052670cd43f9c0a778c402a2860e
                      • Opcode Fuzzy Hash: 4650e0e5e428ff8878068960cfcd963a5e0ea264e0f31a4afa0a1afac9fb7351
                      • Instruction Fuzzy Hash: A6019770D1891D9EEBA5EB18C855BECB6F1FB98341F4045BAD40EE2292DF346980CF54
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E81000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E81000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e81000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 06274ab7f6d2a27e2a8c696fea23b00d05ab4267934a264c4ee446df3c70c218
                      • Instruction ID: a65cf14fb4cda5d755b90c9c869198ada3435d683db476365f76ff0a5f5f3938
                      • Opcode Fuzzy Hash: 06274ab7f6d2a27e2a8c696fea23b00d05ab4267934a264c4ee446df3c70c218
                      • Instruction Fuzzy Hash: F3F04470D1D68A8EEB91BB7888482BE7AB0FF15381F4009B6D818C60A2EB3891948745
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e70000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3ffe10437de60c155d6f08c0c25d2e2d7ad9310c154769b39448720e61c68e95
                      • Instruction ID: 3fc7e5cc97b47b776425056b953d2895a28b811d8d2d84f4c866b7b9a5b9a84a
                      • Opcode Fuzzy Hash: 3ffe10437de60c155d6f08c0c25d2e2d7ad9310c154769b39448720e61c68e95
                      • Instruction Fuzzy Hash: 09F0AF30D1DA9E8EEB98AA6888283FA7BE4FF15385F00047AD41EC20C1EF3455509605
                      Memory Dump Source
                      • Source File: 00000020.00000002.2331190310.00007FF848E79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E79000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_32_2_7ff848e79000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e60000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 483954c00878cb0261f8b68b20096e96ffe2499071a10e615188537f2d256b97
                      • Instruction ID: 300bcbe5ee4a5a00d1e07850680f21582cf3b3c4be4549a3257df065662bafd8
                      • Opcode Fuzzy Hash: 483954c00878cb0261f8b68b20096e96ffe2499071a10e615188537f2d256b97
                      • Instruction Fuzzy Hash: E0115E1180E6C65EEB53777918650616FE06F132A4F6D45FBD0D8DA0E3DA2A6489C306
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E69000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E69000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e69000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5198c1fb7898974b1e2c2ecaa136b666318daed78ce0c81feac32b75bcd57afa
                      • Instruction ID: 3115619a577b68e7c4721e19e1b9258729f3005c8def4fdf9a0d048d631b575d
                      • Opcode Fuzzy Hash: 5198c1fb7898974b1e2c2ecaa136b666318daed78ce0c81feac32b75bcd57afa
                      • Instruction Fuzzy Hash: AB21A070D0861E8FEB54EFD5D8946EDB7F1BF48341F90052AE819B6291CB386984CB68
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E71000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E71000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e71000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 53cf230e0cb8881776ecf67d6e3cbc4456aaea625493ba2c90f92aa3c655e4b1
                      • Instruction ID: 2556f6e2d14e9a555ab1dce0bca5d0e1bb1df175f2809f886e93d79f5e43978e
                      • Opcode Fuzzy Hash: 53cf230e0cb8881776ecf67d6e3cbc4456aaea625493ba2c90f92aa3c655e4b1
                      • Instruction Fuzzy Hash: 47118B7091C6498FDB48EF18C4955F97BF1FF99354F1106BEE80A83282CB38A450CB85
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E71000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E71000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e71000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 549013ad9ddf9ee9f145ad2b83b172451f13c5d72e0c54138ec8ba572491f3fd
                      • Instruction ID: 7175d376e69ec3ab393435b60350e5bb5b928602bc8cb385bad619e86c46c2e7
                      • Opcode Fuzzy Hash: 549013ad9ddf9ee9f145ad2b83b172451f13c5d72e0c54138ec8ba572491f3fd
                      • Instruction Fuzzy Hash: E5218C3090DA8E9FEB99EF2884692B97BA0FF69345F0401FAD409C71A6DB38A444C745
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E71000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E71000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e71000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7ef23802360033db65dad877afb85008d027e3a684ac8e921d2876eb29499f8b
                      • Instruction ID: fba133b01db7e1e58c69b2ce3a3d109c84162d60a69186af2d476e47d5b3f171
                      • Opcode Fuzzy Hash: 7ef23802360033db65dad877afb85008d027e3a684ac8e921d2876eb29499f8b
                      • Instruction Fuzzy Hash: 0411CE31D0DA8D9FEB89EB3498A92B83BA0FF14340F0405BED00DC21A6DF796440C606
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e60000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 53cf2e385b7559d79fa744ba5a4236d4f1ed925c3d35eff0bd0ff510c6fef537
                      • Instruction ID: 8b2e0ab101beb24acaa954b347e6d8db5ca21247b3e5978695e17a536ebec892
                      • Opcode Fuzzy Hash: 53cf2e385b7559d79fa744ba5a4236d4f1ed925c3d35eff0bd0ff510c6fef537
                      • Instruction Fuzzy Hash: 0F115A30D1D68E8FDB5AEB28C8582B9BBA0FF19341F8404BED419E6192DB79A541CB04
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E71000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E71000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e71000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8017dc526acbdb9938d1779d051c951b849476ac18fc8afd3113f1caee1856b6
                      • Instruction ID: 7d11133f2784d8742a4ce88c65d83310897eae918808b3aace0f9c0074a08fdb
                      • Opcode Fuzzy Hash: 8017dc526acbdb9938d1779d051c951b849476ac18fc8afd3113f1caee1856b6
                      • Instruction Fuzzy Hash: FE115B3091C55E9FE785FB7888486F97BE0FF59341F0409B6D419D7056EB38A1858744
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E71000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E71000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e71000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9b3e1d3e19e400f376d5209c13b3ded611fc3f4f8977ca55d8f307f4f459efec
                      • Instruction ID: e00b0bea3e108ca49ba0aed90aee8e72bf4f40a7d8fe1c477a7c5e9ba0c74cd4
                      • Opcode Fuzzy Hash: 9b3e1d3e19e400f376d5209c13b3ded611fc3f4f8977ca55d8f307f4f459efec
                      • Instruction Fuzzy Hash: 8911D07090DA898FEB59EA6888692B83BA0FF15340F0500FEC019C61AADF396414C706
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E69000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E69000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e69000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 43b5085245d28d001ec45511a975fc95bb4326eb060939cb4dcee4cad9aa2640
                      • Instruction ID: c8a24579560f599f7f03c92879872929ee09c8b84ed61db96335ab6287542292
                      • Opcode Fuzzy Hash: 43b5085245d28d001ec45511a975fc95bb4326eb060939cb4dcee4cad9aa2640
                      • Instruction Fuzzy Hash: FA11E031D0D79A8EEB56AF6998142FA7BB0FF06351F4404BBD848DA0A2DB346844C794
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E71000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E71000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e71000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 949d399924b96773c9c03ef37d8910faa39b08bc1a44ad6a2e26ee89bbaebb15
                      • Instruction ID: 1403fb171ea3c4cc00e316315280f48f9de5f15542016dac9396a1b65c5bae79
                      • Opcode Fuzzy Hash: 949d399924b96773c9c03ef37d8910faa39b08bc1a44ad6a2e26ee89bbaebb15
                      • Instruction Fuzzy Hash: 03113C3090D54A9FEB41FB788C896AA7BF4FF1E341F0405B6D419C7061DB38A584C755
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E71000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E71000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e71000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0404edd581d0af9ff748ca282c31f751b96c18525801a9074a29a3ea8be166fb
                      • Instruction ID: 44a14164e2ad35ef7bdedaf3254ebfa4002e85105b9608008153db7d6a43b1d3
                      • Opcode Fuzzy Hash: 0404edd581d0af9ff748ca282c31f751b96c18525801a9074a29a3ea8be166fb
                      • Instruction Fuzzy Hash: 5E11913090E64E8FEB49FF2888592B97BA1FF59381F4405BAD819C3196DF39A454C781
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E71000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E71000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e71000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7dd3504f6528e38c2ddecefa9d11239563b4545e58c6eabfdecfd640cbf86d7f
                      • Instruction ID: 82d317345703294381328c1d7a578601d01f84ed752059fb9b266f4500a6fa63
                      • Opcode Fuzzy Hash: 7dd3504f6528e38c2ddecefa9d11239563b4545e58c6eabfdecfd640cbf86d7f
                      • Instruction Fuzzy Hash: AF118B7090DA8A8FEB89EB6488692B97BF0FF19340F4404BBC419C61A2DF38A4408B51
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E71000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E71000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e71000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7eccc743bcb3918340b26123d88b961dd5bad2c473ea550b1022dc2d14d87fc4
                      • Instruction ID: 00f94e80bd5e98061a7b6d12fa4e70cc7482b33dbb1f5a584598bc4c2c4c5d70
                      • Opcode Fuzzy Hash: 7eccc743bcb3918340b26123d88b961dd5bad2c473ea550b1022dc2d14d87fc4
                      • Instruction Fuzzy Hash: AF118C30D0D94E9FEB58EB2488592BD7BF0FF28342F0405BAD40AC2292EF38A5408B51
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e60000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0875dec91947cdbd58c35416c0e2b7ed9117b34992cd0e66c495d7aab85c0327
                      • Instruction ID: 6a95fb39ac1681ced8263800fdccf496db1e6e86fe03a78f4d797a8ad0802ee2
                      • Opcode Fuzzy Hash: 0875dec91947cdbd58c35416c0e2b7ed9117b34992cd0e66c495d7aab85c0327
                      • Instruction Fuzzy Hash: 74119030D0D58A8EEB9AEB2888692B97BE0FF19341F4004BEC019D7092EF396440C714
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E69000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E69000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e69000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 44a1390271efd7b1272217f44812b3a5c064cbdde99f31e33f966b35c01a4eeb
                      • Instruction ID: f78321bb1af24042c381b5ceabaa5a66ebaf5f3b4fa2ebec1cd6d245faeade98
                      • Opcode Fuzzy Hash: 44a1390271efd7b1272217f44812b3a5c064cbdde99f31e33f966b35c01a4eeb
                      • Instruction Fuzzy Hash: AF11397091864E8FEB88EF68C4592BD7BB0FF18341F9005BAD419D6191DB35A5408B44
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E71000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E71000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e71000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4b3a7c597315f1330b1a1a2c94870085f1424ec7f50794a0b14a2b48a304bacc
                      • Instruction ID: e176cf42e08eb993eaddbc1c54ca5e78cab5971e6c980828ac1b12140a4fcc7c
                      • Opcode Fuzzy Hash: 4b3a7c597315f1330b1a1a2c94870085f1424ec7f50794a0b14a2b48a304bacc
                      • Instruction Fuzzy Hash: 8C118C70D0D68A9FE781FB2488596B97BF0FF19385F0405F6D808C71A2EF38A5448711
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E71000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E71000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e71000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5c5805f549fd8e0631c491aa7a87480fd27146c6f944e873723185f60e527969
                      • Instruction ID: a38f5ec7e793ddeeff03a4da53fb5684243d1f07f4905a408120a25746bca0fc
                      • Opcode Fuzzy Hash: 5c5805f549fd8e0631c491aa7a87480fd27146c6f944e873723185f60e527969
                      • Instruction Fuzzy Hash: 45113930919A4E9FEB85EB28C8592BDBBE0FF19345F4004BED419D6192EF36A5808744
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E71000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E71000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e71000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9218ae0c5a87925b91e7f562f9f8eb724d4e6a7c4394b1be493c143651543f62
                      • Instruction ID: fb2bbe5f17019742bf1d0befedb5efa0c41672853817f5c25bd51f2286f7b71c
                      • Opcode Fuzzy Hash: 9218ae0c5a87925b91e7f562f9f8eb724d4e6a7c4394b1be493c143651543f62
                      • Instruction Fuzzy Hash: AE119A3090DA8E8FEB88FF6488596B97BB1FF18341F0404BAD42DC6192DF38A544CB41
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e60000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 90e94cca812405104d0ca34b7be345667e1f987bab255980eec7518a2d6ee94c
                      • Instruction ID: 857e8b1b745a69482fb1c4a01b3e0333c6f96d545259e159866785787b068bbc
                      • Opcode Fuzzy Hash: 90e94cca812405104d0ca34b7be345667e1f987bab255980eec7518a2d6ee94c
                      • Instruction Fuzzy Hash: 9711FB30A099198FEB54FB58C844BEDB3B1FB58344F5042B5D00AF7295DF38B9458B98
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E71000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E71000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e71000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 138ec8b33cba7ad9a5721da33ea5afa06c3bda60f542ac2c5f0eb0bce9a2d12c
                      • Instruction ID: 7ccf834cad549389c7b8438adafc34e97c94fe0cf2a77d7c0cad53b4596f9098
                      • Opcode Fuzzy Hash: 138ec8b33cba7ad9a5721da33ea5afa06c3bda60f542ac2c5f0eb0bce9a2d12c
                      • Instruction Fuzzy Hash: 48012970D1D64E8EEB41FB6888486B97BF1FF19381F4105B6D418C70A2EB34E5948744
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E69000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E69000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e69000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1f18c6136dfbc1dce9866ef27e95614a5a43b4401fbdf240065bc869e4fab8df
                      • Instruction ID: a2ef72ea0f4d064bd0a4a9098ba7a2e6423597eeb2e43f3044147c06d21abd7e
                      • Opcode Fuzzy Hash: 1f18c6136dfbc1dce9866ef27e95614a5a43b4401fbdf240065bc869e4fab8df
                      • Instruction Fuzzy Hash: E1117C70A1C68D8FEB84FB6488582BD7BE0FF29341F8404BAD419D6196DF35A580C740
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E71000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E71000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e71000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cdddc5bc14de80fe62aed990de26dceb9afac482fc3277fa5f5a70fe7842b2d8
                      • Instruction ID: 66b54b87bc48f66f38ddc4e195ab0486e76350cf4d4aa458f005786b4a609787
                      • Opcode Fuzzy Hash: cdddc5bc14de80fe62aed990de26dceb9afac482fc3277fa5f5a70fe7842b2d8
                      • Instruction Fuzzy Hash: 37019A3090D6498FEB68EF2488596B97BA0FF19340F0108BED40AD6093EF39E540C740
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E69000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E69000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e69000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ed9aca64e6230b28668a25dc21f532b04a3833edb016a37bedb962c28bd4291e
                      • Instruction ID: 7705ee76d74cbfdd49fb508537b88b0a22344e1972168935d976082c47040edd
                      • Opcode Fuzzy Hash: ed9aca64e6230b28668a25dc21f532b04a3833edb016a37bedb962c28bd4291e
                      • Instruction Fuzzy Hash: 2311CB3090D68ECFDB4AEF28C4592B97BB1FF69340F9440BED409D6096DB39A550C785
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E69000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E69000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e69000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5e9938b1382e90668c750f26c591e1d5298eddb1d5f47affb24de8b93eb72315
                      • Instruction ID: 84b93a765a4284322e45384787a97853acefc7e7339a088ffb8af7d537780e9f
                      • Opcode Fuzzy Hash: 5e9938b1382e90668c750f26c591e1d5298eddb1d5f47affb24de8b93eb72315
                      • Instruction Fuzzy Hash: 2A018C3091C64E4FE791FB2488496A97BE0FF59340F8144B6D408D70A2EF34B5908B05
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e60000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 84409fb2db0a5cac5d059fa40f07405c3b295b37a1629fff83d455380bdf30e8
                      • Instruction ID: 92ba73daad68299c29e97893e48f4ab1c33655448146864c46d52c97c9853760
                      • Opcode Fuzzy Hash: 84409fb2db0a5cac5d059fa40f07405c3b295b37a1629fff83d455380bdf30e8
                      • Instruction Fuzzy Hash: F3018C3090890E9FEB49EF24C0556BE77A1FF58385F90047AD40ED2191CF36B550CB48
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e60000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d1ca102e2aa52001420d2c01f8a2d799cd61cb0811968ce22164d2cca85747a3
                      • Instruction ID: 6f566ceda987cf983b7a3ab0b2182a69c83501830b74c54960e2dde18405bfae
                      • Opcode Fuzzy Hash: d1ca102e2aa52001420d2c01f8a2d799cd61cb0811968ce22164d2cca85747a3
                      • Instruction Fuzzy Hash: 02018B30E1D60E8FEB42FB2484492A97BE4FF19380F4105B6D40CD60A2EF38F0408704
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E71000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E71000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e71000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fb06eeadf6cd0eed1d09fbfb514c2d4426a3168c173286662d30d7bdf55bdc9e
                      • Instruction ID: 3ed8959ec1fb7ed43a3c7865c3f841fc46848b70562fa60c9c86ef14d2a786f3
                      • Opcode Fuzzy Hash: fb06eeadf6cd0eed1d09fbfb514c2d4426a3168c173286662d30d7bdf55bdc9e
                      • Instruction Fuzzy Hash: 4401B13090D64A9FEB49EB3888592BA7BA0FF29345F0004BED009C7192DF35A551C755
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e60000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4604063581d675318cc3b823d3565349f96aa9312cd486ab881fe0aaed64220e
                      • Instruction ID: ed9dbf0b9ff585bed77042941846bc393a472234fb9920f6dc7c906159f64db6
                      • Opcode Fuzzy Hash: 4604063581d675318cc3b823d3565349f96aa9312cd486ab881fe0aaed64220e
                      • Instruction Fuzzy Hash: 6D015630D1D6499FEB42FB2888496A97BE0FF4A390F8549B2D418D70A3EB38A4448715
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e60000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 300d9b450d82eadffc46d61c22a64f619a36b67c6cc3010c61ed75b8d7f08305
                      • Instruction ID: 8c2ba59c0923b990d27f00932b689c7d9d6c8d64311593fd9f1392629d7917e7
                      • Opcode Fuzzy Hash: 300d9b450d82eadffc46d61c22a64f619a36b67c6cc3010c61ed75b8d7f08305
                      • Instruction Fuzzy Hash: 3501863090D68E8FEB5DEF2484596BD7BA1FF55341F8400BED808C6192DB36E550C744
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E71000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E71000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e71000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2d79b0acccd1e8c8645f9fa54e2c20d11c9b26515200d377f0f082185a254cec
                      • Instruction ID: db59dc26e9e828f16dde87928ad6dd2eea0d753c46f3851b997caf50713d6a46
                      • Opcode Fuzzy Hash: 2d79b0acccd1e8c8645f9fa54e2c20d11c9b26515200d377f0f082185a254cec
                      • Instruction Fuzzy Hash: D7019E3094D6899FEB49EB2888692BD7BB0FF29340F0504FED409C7192DF39A541C715
                      Memory Dump Source
                      • Source File: 00000021.00000002.2335794380.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_33_2_7ff848e60000_wininit.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0043cce8e97bda274ce83097db88085f3d96db7ef540e2d77c3a538004ae53a7
                      • Instruction ID: a59cfc57229210021e4fed6a875e5149949721b1e768430e73625f3f06b66415
                      • Opcode Fuzzy Hash: 0043cce8e97bda274ce83097db88085f3d96db7ef540e2d77c3a538004ae53a7
                      • Instruction Fuzzy Hash: 69017C7091D64D8FE751FB6488496B97BE0FF69341F8545B6D408D60A2EF38B4548704